We can use a printf format string attack: with %n we can write a value at any position. The code shows that the value at address 0x804988c needs to equal 64, so we need to write 64 characters with printf and then have %n point at 0x804988c.
printf takes a variable number of arguments; the first is always supposed to be a string containing format indicators. With n format indicators we are supposed to pass n+1 arguments. If we call it with fewer than that, printf still looks for them on the stack anyway, and we can use that to our advantage.
We need to find the start of our string using %8x until it prints 41414141, then we replace it with 0x804988c, and replace the last %x with a %s (or use %m$s, with m replaced by the number of %x needed).
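The argument mismatch described above, seen from the defender's side, as an added example that is not part of the original notes: audit_format counts how many variadic arguments printf would fetch if a given string were used as its format, and log_untrusted is the corrected call site. Both function names and the sample strings are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct fmt_audit { int args_needed; int has_write; };

/* Walk the string as printf does: "%%" takes no argument, a "*" width or
 * precision takes one, and "%m$" addresses argument m directly. */
struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit r = {0, 0};
    int sequential = 0;
    while ((s = strchr(s, '%')) != NULL) {
        if (*++s == '%') { s++; continue; }
        int pos = 0;
        const char *p = s;
        for (; isdigit((unsigned char)*p); p++)
            if (pos < 100000) pos = pos * 10 + (*p - '0');
        if (*p == '$' && pos > 0) s = p + 1; else pos = 0;
        for (; *s && strchr("-+ #0123456789.*hlLqjzt", *s); s++)
            if (*s == '*') sequential++;
        if (*s == '\0') break;             /* truncated conversion */
        if (*s == 'n') r.has_write = 1;    /* %n stores the output count */
        if (*s != 'm') {                   /* glibc %m takes no argument */
            if (pos == 0) sequential++;
            else if (pos > r.args_needed) r.args_needed = pos;
        }
        s++;
    }
    if (sequential > r.args_needed) r.args_needed = sequential;
    return r;
}

/* Hardened call site: untrusted text is only data for a constant format. */
int log_untrusted(FILE *out, const char *text)
{
    return fprintf(out, "%s\n", text);
}

int main(void)
{
    /* Constructed samples of user-supplied text. */
    const char *samples[] = {"hello", "100%% done", "%8x %8x %8x", "%4$s"};
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        struct fmt_audit a = audit_format(samples[i]);
        printf("args=%d write=%d ", a.args_needed, a.has_write);
        log_untrusted(stdout, samples[i]);
    }
    return 0;
}
```

Any input for which args_needed is non-zero would make a bare printf(input) read stack slots the caller never supplied; compiling with -Wformat -Wformat-security flags such call sites at build time.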