Before we exploit, let's look at what protections are enabled on this binary:
```
$ checksec beatmeonthedl
RELRO:    No RELRO
Stack:    No canary found
NX:       NX disabled
PIE:      No PIE (0x400000)
```
Absolutely nothing is enabled. Almost a shame really. This means we have no need for that print function, since we don't actually need to leak anything. There are many approaches you could take to exploit it from here. Since NX is disabled and the binary isn't PIE, I figured the easy win would be to do the following:
- Write shellcode into some place in the .bss section
- Overwrite a function's GOT entry (I chose memset for convenience)
To do these overwrites, simply line up the pointers in your second call to edit the note, then use the appropriate indexes.
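As an added example (not code from the original writeup), here is a small checker that reads those same four properties directly from the ELF headers, so you can see what the checksec output above actually reflects: NX from the PT_GNU_STACK flags (an NX-enabled binary would not let the .bss write in step 1 execute), RELRO from PT_GNU_RELRO plus the dynamic-section BIND_NOW flags (Full RELRO makes the GOT read-only, which is what blocks step 2), PIE from e_type, and the canary from the same symbol-name heuristic checksec uses. `build_elf` is an assumption of this example: it constructs synthetic ELF64 images for testing and does not produce a loadable binary.

```python
import struct

# Constants from <elf.h>
ET_DYN, PT_DYNAMIC, PF_X = 3, 2, 1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def checksec(elf: bytes) -> dict:
    """Report RELRO / stack canary / NX / PIE for a little-endian ELF64 image."""
    if elf[:5] != b"\x7fELF\x02":
        raise ValueError("not a 64-bit ELF")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    # Without a PT_GNU_STACK header the loader's historical default is an executable stack
    nx, relro_seg, bind_now = False, False, False
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)          # NX on <=> stack segment not executable
        elif p_type == PT_GNU_RELRO:
            relro_seg = True                   # GOT region made read-only after relocation
        elif p_type == PT_DYNAMIC:             # Full RELRO also needs immediate binding
            for j in range(0, p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, p_off + j)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    relro = "Full RELRO" if relro_seg and bind_now else "Partial RELRO" if relro_seg else "No RELRO"
    return {"RELRO": relro,
            "Canary": b"__stack_chk_fail" in elf,  # heuristic: symbol name present in string tables
            "NX": nx,
            "PIE": e_type == ET_DYN}

def build_elf(nx=False, pie=False, relro=False, bind_now=False, canary=False) -> bytes:
    """Constructed minimal ELF64 image with the requested protections (test input, not loadable)."""
    phdrs = [(PT_GNU_STACK, 6 if nx else 7, 0, 0)]        # RW vs RWX stack
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    dyn_off = 64 + 56 * (len(phdrs) + 1)                  # dynamic array follows the phdr table
    phdrs.append((PT_DYNAMIC, 6, dyn_off, len(dyn)))
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, s, s, 8) for t, f, o, s in phdrs)
    return ehdr + body + dyn + (b"__stack_chk_fail\0" if canary else b"")
```

Running `checksec(build_elf())` reproduces the all-off report shown above; turning on every option yields Full RELRO, canary, NX and PIE, which is the configuration that would have closed off both steps of the approach.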
My full exploit can be found here.
# The flag is: 3asy p33zy h3ap hacking!!