gdb 给 ASLR 程序下断
即在内存中不断 leak,最后比对文件头,找到模块基址
from pwn import *
import sys, os
import re
# Word sizes default to a 32-bit target; findModuleBase() rewrites all
# three once it has read the ELF class byte of the attached process.
wordSz, hwordSz, bits = 4, 2, 32
# PIE is not read anywhere in the visible code; mypid is filled in by
# debug() and is what leak() uses to open /proc/<pid>/mem.
PIE = 0
mypid = 0
# pwntools context for the target binary (x86-64 Linux), with verbose logging.
context(arch='amd64', os='linux', log_level='debug')
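def leak(address, size):
    """Read ``size`` raw bytes at ``address`` from the traced process.

    The process is identified by the module-level ``mypid``, which debug()
    sets before anything calls this.  /proc/<pid>/mem is opened in binary
    mode so the result is the raw bytes of the target's memory under both
    Python 2 and Python 3; a text-mode open would try to decode arbitrary
    memory as text and can fail or mangle the data.

    Args:
        address: absolute virtual address in the target process.
        size: number of bytes to read.
    Returns:
        The bytes read (a Python 2 ``str``).
    Raises:
        IOError/OSError if ``address`` is not in a mapping that can be read
        through /proc/<pid>/mem.
    """
    with open('/proc/%s/mem' % mypid, 'rb') as mem:
        mem.seek(address)
        return mem.read(size)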
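def findModuleBase(pid, mem):
    """Locate the load address of the main executable of process ``pid``.

    Walks /proc/<pid>/maps for lines mentioning the path that
    /proc/<pid>/exe resolves to and returns the start address of the first
    such mapping that begins with the ELF magic (``\\x7fELF``).  The ELF
    class byte that follows the magic (EI_CLASS: 1 = ELF32, 2 = ELF64) is
    used to switch the module-level ``wordSz`` / ``hwordSz`` / ``bits`` to
    64-bit values when the target is an ELF64 binary.

    Args:
        pid: pid of the traced process.
        mem: an open, readable handle on /proc/<pid>/mem; this function
            moves its position.  Open it in binary mode ('rb') so the magic
            comparison is done on raw bytes.
    Returns:
        int: start address of the mapping that holds the ELF header.
    Side effects:
        Calls ``log.failure`` and ``sys.exit(1)`` when no matching mapping
        carries the ELF magic.
    """
    global wordSz
    global hwordSz
    global bits
    name = os.readlink('/proc/%s/exe' % pid)
    with open('/proc/%s/maps' % pid) as maps:
        for line in maps:
            # Substring match, as in the original: the maps line ends with
            # the backing path of the mapping.
            if name not in line:
                continue
            addr = int(line.split('-')[0], 16)
            try:
                mem.seek(addr)
                # Magic (4 bytes) plus the EI_CLASS byte in one read, so we
                # do not need a second open of /proc/<pid>/mem.
                header = mem.read(5)
            except (IOError, OSError):
                # Mapping exists but cannot be read through /proc/<pid>/mem;
                # try the next candidate instead of aborting.
                continue
            if header[:4] != b"\x7fELF":
                continue
            # bytearray indexing yields an int on both Python 2 and 3.
            if len(header) == 5 and bytearray(header)[4] == 2:
                wordSz = 8
                hwordSz = 4
                bits = 64
            return addr
    log.failure("Module's base address not found.")
    sys.exit(1)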
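def debug(addr=0, target=None):
    """Attach gdb to the running target with a breakpoint at ``base + addr``.

    The target is position-independent, so the absolute breakpoint address
    is only known at run time: the module base is recovered from
    /proc/<pid>/maps and /proc/<pid>/mem via findModuleBase(), then gdb is
    attached with ``follow-fork-mode parent`` and a breakpoint at
    ``base + addr``.  The pid is also stored in the module-level ``mypid``
    so leak() can read the process afterwards.

    Args:
        addr: offset of the breakpoint relative to the module base
            (0 breaks at the base itself).
        target: the pwntools tube to attach to; defaults to the module-level
            ``r`` created by the script.
    """
    global mypid
    if target is None:
        target = r
    mypid = proc.pidof(target)[0]
    # Binary mode: findModuleBase() compares raw bytes against the ELF magic.
    with open('/proc/%s/mem' % mypid, 'rb') as mem:
        moduleBase = findModuleBase(mypid, mem)
    bp_addr = moduleBase + addr
    print(hex(bp_addr))
    gdb.attach(target, "set follow-fork-mode parent\nb *%s" % hex(bp_addr))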
# Offset of the instruction to break on, relative to the PIE module base.
BREAK_OFFSET = 0x000000000000097F

r = process('/root/echo2')
print("hello")
debug(BREAK_OFFSET)
r.sendline("ceshipayload")
# Required: keeps the script (and thus the process) alive so that gdb can
# stay attached, per the original author's note.
r.interactive()
https://hackme.inndy.tw/scoreboard/ echo2 注意此题要用题目提供的 so,因为栈中
__libc_start_main+231
后面的数字不一样,database 那种方法我觉得碰到这种情况不行,还是需要用到题目提供的 so
脚本参考
https://blog.csdn.net/niexinming/article/details/78512274
http://uaf.io/exploitation/misc/2016/04/02/Finding-Functions.html