r - read from library
input number
and return the len[input] buffer information
a - add element
add element to buffer
and check previous len and input sum not greater than 1024
else exit(-1)
u - exit
return
Details
The main point is expose the stack address
Due to strings contrain we can't direct expose the ebp address on the stack
we can only expose the address on the esp ( when function call program put argument on the esp, so we can know the buffer address )
After expose buffer address, overwritten the return address by buffer address and exit.
We can execute our shellcode