simple offer
Buffer overflow in 64 bit ELF
The code above was provided together with a compiled binary, which was also running on a remote server.
As we can see, we need to reach the win() function so we can make the server read our flag.
Let's create a 64-byte buffer and see what happens.
We see a segmentation fault at 64 bytes. Let's figure out the RIP offset.
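As an added illustration (not the writeup's own script), this is the pattern-based way of locating that offset: send a de Bruijn pattern instead of plain 'A's, then look up the 4 bytes that landed in the saved return address (or sit at RSP at the crash). The helper is a stand-alone reimplementation of the cyclic/cyclic_find idea used by tools such as pwntools; the 64-byte length and the offset of 40 come from this writeup, the crash value is constructed.

```python
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
N = 4  # every 4-byte window of the pattern is unique


def de_bruijn(alphabet=ALPHABET, n=N):
    """Yield a de Bruijn sequence B(k, n) over `alphabet`, one byte at a time."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length):
    """Return `length` bytes of pattern to send in place of plain 'A's."""
    gen = de_bruijn()
    return bytes(next(gen) for _ in range(length))


def cyclic_find(value, length=4096):
    """Offset of `value` (4 pattern bytes, or a register value as int) in the pattern.

    On x86-64 a fully clobbered return address is non-canonical, so the value is
    usually read from RSP/RBP at the crash or as the low 4 bytes of the saved
    return address; an int is converted to little-endian bytes. -1 if not pattern data.
    """
    if isinstance(value, int):
        value = struct.pack("<Q", value)
    return cyclic(length).find(bytes(value[:N]))


if __name__ == "__main__":
    # Constructed crash: 64 pattern bytes were sent and the 8 bytes that
    # overwrote the saved return address (offset 40, as in the writeup) are read back.
    sent = cyclic(64)
    saved_ret = struct.unpack("<Q", sent[40:48])[0]
    print(hex(saved_ret), "->", cyclic_find(saved_ret))  # 40
```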
So the offset was 40. Let's create a simple payload to see if we can overwrite the return address.
We can see that the return address was overwritten.
But the problem is that we still don't know the address of the win() function, so I used objdump to find it. Then, after 40 bytes of padding, we can place win()'s address so that RIP points to that function and it executes with the payload provided.
I used the following script to call win() and make it read /flag.txt (a demo flag on my local system).
I tried running it on the remote server, but it didn't work. Then, on Discord, Amazon's team notified us about a discrepancy in the glibc used to compile the binary. So I added 0x20 to the current return address and it worked!