Thursday 1 October 2020, 02:46 #1
[STACKED] bin pwn ELF_x64 Off-by-one stack based
Hi all.
Please, can somebody push me in direction to solution?
I’m able to control $RIP, and I can also leak a libc address. I can even modify the stack to pass the cmp when the program is run again.
But there isn’t any user input, only an argument on the first run, so I can’t use the leaked address. And inside the ELF file I can’t find valid gadgets to reopen a new FD or make a syscall.
I can push a pointer to the heap into *RCX 0x602010 ◂— 0x0
and can increase it a few times, but this is not enough to do what I need.
Any hint? Thanks.
Thursday 1 October 2020, 15:05 #2
Why do you need gadgets? To put some values in registers.
Think about what else could have the same side effect.
Thursday 1 October 2020, 19:46 #3
Big thanks for the reply, Sir.
To be honest, I didn’t expect an answer.
Does any function call have side effects?