首先是要求用户输入一个用户名,随后对输入的字符进行+1
,随与sysbdmin
进行比较,不相同程序退出
存在以下漏洞
由于题目并没有给出libc文件,所以需要我们自己去确认,使用格式化字符串泄露多个函数偏移,后使用工具下载匹配的libc文件,最终泄露和测试结果如下:
根据下载到的libc文件最终计算的LibcBase = 0XF7605000
,找到libc
int
__cdecl __noreturn main(
int
argc, const char
*
*
argv, const char
*
*
envp)
{
int
command;
/
/
eax
char s1[
40
];
/
/
[esp
+
14h
] [ebp
-
2Ch
] BYREF
int
nop;
/
/
[esp
+
3Ch
] [ebp
-
4h
]
setbuf(stdout,
0
);
ask_username(s1);
/
/
用户输入后对每个字符
+
1
ask_password(s1);
/
/
与
"sysbdmin"
进行比较,既用户需要输入
"rxraclhm"
while
(
1
)
{
while
(
1
)
{
print_prompt();
/
/
打印printf(
"ftp>"
)
command
=
get_command();
/
/
获取用户输入遂转成数字 get:
1
put:
2
dir
:
3
nop
=
command;
if
( command !
=
2
)
break
;
/
/
申请一个
0xF4
大小的heap,随后由用户输入当前段的名字和内容
/
/
名字可由
dir
打印,也可用于打印内容时作为判断的索引
put_file();
}
if
( command
=
=
3
)
{
/
/
从heap中索引每个块的名字,拼接,遂使用puts打印出来
show_dir();
}
else
{
if
( command !
=
1
)
exit(
1
);
/
/
从heap中根据块名进行索引,并使用printf(content)将其打印,存在字符串格式化漏洞
get_file();
}
}
}
int
__cdecl __noreturn main(
int
argc, const char
*
*
argv, const char
*
*
envp)
{
int
command;
/
/
eax
char s1[
40
];
/
/
[esp
+
14h
] [ebp
-
2Ch
] BYREF
int
nop;
/
/
[esp
+
3Ch
] [ebp
-
4h
]
setbuf(stdout,
0
);
ask_username(s1);
/
/
用户输入后对每个字符
+
1
ask_password(s1);
/
/
与
"sysbdmin"
进行比较,既用户需要输入
"rxraclhm"
while
(
1
)
{
while
(
1
)
{
print_prompt();
/
/
打印printf(
"ftp>"
)
command
=
get_command();
/
/
获取用户输入遂转成数字 get:
1
put:
2
dir
:
3
nop
=
command;
if
( command !
=
2
)
break
;
/
/
申请一个
0xF4
大小的heap,随后由用户输入当前段的名字和内容
/
/
名字可由
dir
打印,也可用于打印内容时作为判断的索引
put_file();
}
if
( command
=
=
3
)
{
/
/
从heap中索引每个块的名字,拼接,遂使用puts打印出来
show_dir();
}
else
{
if
( command !
=
1
)
exit(
1
);
/
/
从heap中根据块名进行索引,并使用printf(content)将其打印,存在字符串格式化漏洞
get_file();
}
}
}
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『
2023
-
06
-
07
23
:
24
:
54
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『puts』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF7679150
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『
2023
-
06
-
07
23
:
26
:
18
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『strcmp』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF76AD7B0
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『
2023
-
06
-
07
23
:
26
:
51
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『malloc』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF76232C0
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『
2023
-
06
-
07
23
:
27
:
35
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『fread』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF7595D60
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『
2023
-
06
-
07
23
:
28
:
52
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『LibcBase』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF7605000
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『
2023
-
06
-
07
23
:
24
:
54
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『puts』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF7679150
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『
2023
-
06
-
07
23
:
26
:
18
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『strcmp』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF76AD7B0
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『
2023
-
06
-
07
23
:
26
:
51
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『malloc』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF76232C0
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『
2023
-
06
-
07
23
:
27
:
35
』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
『fread』
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
=
>『
0XF7595D60
』
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!