GoT
You can only change one address, here is the problem: program. It is also found in /problems/got_3_4ba3deeda2ea9b203c6a6425f183e7ed on the shell server. Source.
- 1.The program asks for an address to overwrite with user-supplied data. One prompt for the address and another prompt for the input value.
- 2.
putsandexitare the only two functions called after the write, so we need to change the behavior of one of the two functions. Because ASLR is enabled, we need to look for things that stay constant. One of these things is the Global Offset Table. The Global Offset Table allows a C program to call libc libraries and serve as a jumping point for the program. If we modify this jumping point, we can make the program execute code at a different address than intended. - 3.So we want to select the GOT address of the
putsfunction and overwrite it with the address of thewinfunction.pwntoolsmakes this easy:exit_got = exe.got['exit']win_addr = exe.symbols['win'] - 4.Then we simply send the addresses over and get the flag:io.sendlineafter("Input address\n", str(exit_got))io.sendlineafter("Input value?\n", str(win_addr))
- 5.
picoCTF{A_s0ng_0f_1C3_and_f1r3_1ef72b2d}Last modified 2yr ago