this level introduces us to a good point that’s the instruction pointer is not located directly after the function call, roughly saying that they may be some padding the is there from the compiled to increase the size of the stack, Actually this problem it’s the same as the previous ones but there’s a new concept which stack padding.
- get the address of the buffer
- get the amount of size needed to overflow the buffer and reach the rip pointer
- get the address of complete_level
I started by setting two breakpoints in the function which have the vulnerable function what I mean is the we will disassemble start_level function because it has the vulnerable function gets the first breakpoint i set it exactly after lea rax, [rbp-0x50] to get the starting address of the buffer.
now continue and type this command in gdb i r rax we should get the address of the buffer which is
so now we got the address of the buffer next let’s set the second breakpoint after gets call type in gdb break *0x0000000000400649 now at this break let’s examine our stack. it looks like this
now to get the return address which we want to overwrite the rip is located directly above the rbp register and because we are in 64-bit system the next address in the stack is located at 8-bytes so to get the address of the rip we type this command in gdb x/2wx $rbp + 0x8 which gives us the address of the rip which will be
now we subtract these addresses in gdb
p 0x7fffffffe638 – 0x7fffffffe5e0 = 0x58-base16 = 88-base10 so we need 88 filled bytes to reach the return address.
now we want to get the complete_function address we can do it esaily in gdb by typing display complete_level which will give us 0x40061d
to craft our exploit in python it would be something like this.
the struct library is very useful in exploit development it converts the address to little-endian without have to worry typing it yourself.
I hope you enjoyed my write-up any comment or suggest is appreciated you can contact me via my e-mail address: firstname.lastname@example.org