目录
0x01题目
0x02解题思路
题目都已经介绍了这是一道Use After Free的题目,那我们就不用多想了,先看看题目主要内容
root@mypwn:/ctf/work/pwnable.kr# ssh uaf@pwnable.kr -p2222
uaf@pwnable.kr's password:
____ __ __ ____ ____ ____ _ ___ __ _ ____
| \| |__| || \ / || \ | | / _] | |/ ]| \
| o ) | | || _ || o || o )| | / [_ | ' / | D )
| _/| | | || | || || || |___ | _] | \ | /
| | | ` ' || | || _ || O || || [_ __ | \| \
| | \ / | | || | || || || || || . || . \
|__| \_/\_/ |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|
- Site admin : daehee87@gatech.edu
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
Last login: Wed Jan 1 22:34:25 2020 from 220.116.190.78
uaf@prowl:~$ ls -la
total 44
drwxr-x--- 5 root uaf 4096 Oct 23 2016 .
drwxr-xr-x 116 root root 4096 Nov 12 21:34 ..
d--------- 2 root root 4096 Sep 21 2015 .bash_history
-rw-r----- 1 root uaf_pwn 22 Sep 26 2015 flag
dr-xr-xr-x 2 root root 4096 Sep 21 2015 .irssi
drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache
-r-xr-sr-x 1 root uaf_pwn 15463 Sep 26 2015 uaf
-rw-r--r-- 1 root root 1431 Sep 26 2015 uaf.cpp
继续看看源代码
#include <fcntl.h>
#include <iostream>
#include <cstring>
#include <cstdlib>
#include <unistd.h>
using namespace std;
class Human{
private:
virtual void give_shell(){
system("/bin/sh");
}
protected:
int age;
string name;
public:
virtual void introduce(){
cout << "My name is " << name << endl;
cout << "I am " << age << " years old" << endl;
}
};
class Man: public Human{
public:
Man(string name, int age){
this->name = name;
this->age = age;
}
virtual void introduce(){
Human::introduce();
cout << "I am a nice guy!" << endl;
}
};
class Woman: publ