- from pwn import *
- import sys, os
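def change_ld(binary, ld):
    """Return a copy of *binary* whose PT_INTERP points at *ld*.

    The patched copy is saved as ``/tmp/pwn/<basename>_debug`` with mode
    ``rwx------`` so it can be run under a different dynamic loader (and,
    via ``LD_PRELOAD``, a matching libc) than the system one.

    Args:
        binary: path to an ELF file, or an already loaded ``ELF`` object
            (an ``ELF`` object is patched in place, as before).
        ld: path to the loader to embed. It must fit in the existing
            PT_INTERP segment including the terminating NUL. A relative
            path is resolved from the working directory when the patched
            binary is executed, so run it from the directory holding ``ld``.

    Returns:
        ``ELF`` for the patched copy, or ``None`` after ``log.failure`` when
        an input is unreadable, the binary has no PT_INTERP segment, the
        loader path is too long, or ``/tmp/pwn`` is not a directory owned
        by the current user.
    """
    if not os.access(ld, os.R_OK):
        log.failure("Invalid path {} to ld".format(ld))
        return None
    if not isinstance(binary, ELF):
        if not os.access(binary, os.R_OK):
            log.failure("Invalid path {} to binary".format(binary))
            return None
        binary = ELF(binary)

    # ELF.write() wants bytes; accept a str path for convenience
    # (on Python 2 a str already is bytes and is left untouched).
    new_interp = ld if isinstance(ld, bytes) else ld.encode()

    interp_segment = next(
        (seg for seg in binary.segments if seg.header['p_type'] == 'PT_INTERP'),
        None,
    )
    if interp_segment is None:
        # Statically linked binaries have no interpreter to replace; the
        # original code hit a NameError here instead of failing cleanly.
        log.failure("{} has no PT_INTERP segment".format(binary.path))
        return None

    size = interp_segment.header['p_memsz']
    old_interp = interp_segment.data()
    # Strict comparison: the new path needs room for at least one NUL.
    if size <= len(new_interp):
        log.failure("Failed to change PT_INTERP from {} to {}".format(old_interp, ld))
        return None
    # ELF.write() takes a virtual address, so use p_vaddr (p_paddr, which
    # the original used, coincides with it on Linux but is the wrong field).
    binary.write(interp_segment.header['p_vaddr'], new_interp.ljust(size, b'\0'))

    work_dir = '/tmp/pwn'
    if not os.path.lexists(work_dir):
        os.mkdir(work_dir, 0o700)
    # /tmp is shared and the name is predictable: the file written below is
    # executed later, so refuse a symlink or a directory someone else owns.
    if (os.path.islink(work_dir) or not os.path.isdir(work_dir)
            or os.lstat(work_dir).st_uid != os.getuid()):
        log.failure("Refusing to use {}: not a directory owned by the current user".format(work_dir))
        return None

    path = '{}/{}_debug'.format(work_dir, os.path.basename(binary.path))
    if os.access(path, os.F_OK):
        os.remove(path)
        log.info("Removing exist file {}".format(path))
    binary.save(path)
    os.chmod(path, 0o700)  # rwx------
    log.success("PT_INTERP has changed from {} to {}. Using temp file {}".format(old_interp, ld, path))
    return ELF(path)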
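# example
elf = change_ld('./echo2', './ld.so')
if elf is None:
    # change_ld() already logged the reason; the original code would have
    # raised AttributeError on the next line instead.
    sys.exit(1)
# Preload the challenge libc so the embedded loader and libc versions match.
p = elf.process(env={'LD_PRELOAD': './libc.so.6'})
# continue with the remaining exploit steps here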
先用 `strings libc.so.6 | grep GLIBC` 查看自己的 glibc 版本是否与题目给的 libc 库兼容
（libc.so.6 是我将题目给的 libc 改名得到的）
注意：ld.so 是从已安装的 glibc 中拷贝出来并改了名的，例如按照我的 blog（编译 glibc）的目录是 /usr/glibc223/lib 里的 ld2.23.so；libc.so.6 则是题目给的 libc 库改名的。
此脚本要求 pwn 题目二进制、ld.so 和 libc.so.6 在同一个文件夹中（脚本里用的都是相对路径）。
写的好像不太清楚, 有问题就问 这破事烦了我两天才给搞好, 真是为难新手
参考
https://bbs.pediy.com/thread-225849.htm
来源: http://www.bubuko.com/infodetail-2637062.html