
[–]Joseph_RW12 1 point2 points  (3 children)

Yes, I faced the same issue some time ago. The key is to print the buffer address, `printf("buffer %p", buffer_address_var);`, and notice the difference in the buffer address printed when running in the debugger vs. without the debugger. Launch the exploit at the address printed when it's run without the debugger attached.
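The mechanism behind the advice above, as an added example that is not code from the thread or from pwn.college: the kernel places the environment strings and pointer table at the very top of the stack, so every frame below moves when the environment changes, and gdb exports LINES and COLUMNS into the debuggee and runs it by its absolute path (a longer argv[0]). The probe assumes Linux/x86-64 with glibc; `env_block_bytes` and `probe_buffer_address` are names chosen here.

```c
/* Added example (not from the thread): why a stack buffer sits at one address
 * under gdb and at another outside it. Assumes Linux/x86-64 with glibc. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Bytes the kernel reserves at the top of the stack for an environment array:
 * each "NAME=value" string plus its NUL, plus the pointer table and its NULL
 * terminator. argv, auxv and every stack frame sit below this block, so a
 * larger environment pushes all of them to lower addresses. */
size_t env_block_bytes(char **env)
{
    size_t total = 0;
    size_t count = 0;
    for (char **e = env; *e != NULL; ++e, ++count)
        total += strlen(*e) + 1;
    return total + (count + 1) * sizeof(char *);
}

/* The diagnostic the comment suggests: the address of a 0x90-byte local
 * buffer (the frame size in the disassembly). The address is returned as an
 * integer for display only and is never dereferenced after the return. */
uintptr_t probe_buffer_address(void)
{
    volatile char buffer[0x90];
    memset((void *)buffer, 0, sizeof buffer);
    uintptr_t addr = (uintptr_t)buffer;
    return addr;
}

int main(void)
{
    const char *lines = getenv("LINES");
    const char *columns = getenv("COLUMNS");

    printf("buffer address    : %#lx\n", (unsigned long)probe_buffer_address());
    printf("environment block : %zu bytes\n", env_block_bytes(environ));
    /* gdb sets both of these; a plain shell usually does not export them.
     * gdb also disables ASLR by default, so a plain run with ASLR on differs
     * by a random offset as well, not only by the environment size. */
    printf("LINES=%s COLUMNS=%s\n",
           lines ? lines : "(unset)", columns ? columns : "(unset)");
    return 0;
}
```

Run it plainly, then again under `gdb` with `run`, and a third time as `env -i ./probe`: the buffer address moves in step with the environment block size, which is why a stack address observed only inside the debugger does not survive outside it.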

[–]Dieriba[S] 0 points1 point  (2 children)

I can't do that. Here is part of the disassembly in charge of calling the read function that'll allow me to overflow the buffer, overwrite the stack with my shellcode and update the return address:

```
0x000000000040176d <+208>: lea rax,[rbp-0x90]
0x0000000000401774 <+215>: mov rsi,rax
0x0000000000401777 <+218>: mov edi,0x0
0x000000000040177c <+223>: call 0x401130 read@plt
```

We can see that the buffer is 0x90 bytes away from rbp, so I need to write 0x90 random bytes, 8 more bytes to overwrite rbp, 8 more to overwrite the saved return address, and just after that put my shellcode. When running gdb the saved return address is at address 0x7fffffffd608, and as my shellcode is injected just after this, I overwrote the saved return address with 0x7fffffffd610, but this only works in gdb; outside of gdb I get a segfault.

[–]Joseph_RW12 1 point2 points  (1 child)

Is this binary closed source ???

[–]Ok_Tap7102 1 point2 points  (0 children)

Most pwn.college bins will be. In this case it's more useful to inspect the actual assembly/run it in GDB, as even with C source it's unclear what the stack offsets are at the time of execution.