Skip to content

Latest commit

 

History

History

pwn-note

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 

idea

scanf("%256s",buffer) can read no more than 256 bytes, and set the next byte to "\x00", which means it can change 257 bytes!

in sub_400D92, we send the payload with the length of 256, exactly change the rbp of main.

char *sub_400D92()
{
  char s; // [rsp+0h] [rbp-100h]

  _isoc99_scanf("%256s", &s);
  return strdup(&s);
}

when it return to main, the variables has been disrupted. Using a meticulously constructed payload, we can control the scanf's first argv, and set it to "%s" or whatever you like, we can overflow the stack and then use ret to csu to get the shell.