攻防世界 Pwn time_formatter
1.checksec分析
2.IDA分析
menu
// Menu loop from the IDA decompilation. The excerpt stops after the prompt, so the code that
// reads and dispatches the user's choice is not shown here.
// The banner is printed once, before the loop is entered.
puts("Welcome to Mary's Unix Time Formatter!");
do
{
while ( 2 )
{
// Five options: three setters (time format, time, time zone), one print action, and exit.
puts("1) Set a time format.");
puts("2) Set a time.");
puts("3) Set a time zone.");
puts("4) Print your time.");
puts("5) Exit.");
// Prompt for the menu choice.
__printf_chk(1LL, "> ");
- 看到一个菜单
- 这类菜单式程序常见于堆题，推测漏洞与堆有关（需要结合后面的分析确认）
在 print_your_time 中找到了对 system 函数的调用：
// print_your_time (IDA pseudocode): builds a /bin/date command line and runs it.
// The command is only built when a format string has been set (ptr is non-NULL).
if ( ptr )
{
// The output is bounded to 2048 bytes. The return value is not checked here, so a truncated
// command would go unnoticed.
// dword_602120 fills %d (presumably the time set through menu option 2 — confirm), and the
// string at ptr fills %s between the single quotes.
__snprintf_chk(
command,
2048LL,
1LL,
2048LL,
"/bin/date -d @%d +'%s'",
(unsigned int)dword_602120,
(const char *)ptr);
__printf_chk(1LL, "Your formatted time is: ");
fflush(stdout);
// When the DEBUG environment variable is set, the full command is echoed to stderr.
if ( getenv("DEBUG") )
__fprintf_chk(stderr, 1LL, "Running command: %s\n", command);
// value goes into the TZ environment variable, not into the command string.
setenv("TZ", value, 1);
// NOTE(review): system() hands command to the shell, so the bytes at ptr are parsed as shell
// syntax. Nothing in this excerpt validates or escapes ptr; safety rests on whatever check ran
// when ptr was set and on ptr still pointing at that checked buffer — confirm both.
// A robust fix avoids the shell entirely: run date through an argv-based exec call, or format
// the time in-process with strftime.
system(command);
}
else
{
puts("You haven't specified a format!");
}
ptr 指向的字符串会被原样拼进传给 system() 的命令行，所以控制好参数 ptr 的内容即可拿到权限。
参数 ptr 的内容来自我们在 set_time_format 选项中的输入：
v7 = a4;
v4 = strdup(a1);
if ( !v4 )
err(1, "strdup", v7);
v5 = (__int64)v4;
if ( getenv("DEB