- Always google suspicious API calls such as alloca. This API allocates memory using the stack frame, allowing user to specially position something (stack canary) to be printed later! (DONT FORGET YOUR OSCP SKILLS……) This github repo below actually shared about alloca.
Assume that: char buf and signed int num scanf("%39s", buf) %39s only takes 39 bytes from the input and puts NULL…
- When doing printf of float values, the value is passed in stack (rsp+8).Screenshot below is trying to print 100.000000, and the value can be seen in rsp+8.
- Play with all user inputs (eg: invalid characters, size controls). By passing invalid characters, scanf did not manage to scan and overwrite the memory location, allowing us to print the value on the stack later on.
- Using pop rdi and puts_plt to leak libc
- When segmentation fault occurs, try to add some buffer/rop gadgets before actual payload. Check if the stack is aligned. Context: in local it works, but over remote fail… Added a ret gadget to align the stack and all is good!
Screenshot of flag cause i love flags:
- Many steps in an exploit, do not just think of one stage.
- There are many things you can overwrite! Context: Overwrite puts@plt to restart main but subsequently have no idea what or how to leak addresses. In fact, it is possible to overwrite the other plt addresses! In the end, it was necessary to overwrite exit@plt, calloc@plt. Also, can use printf to leak addresses! Also, you can jump anywhere, eg use exit@plt with a user supplied input to skip calloc.
- Pay attention to your user input! Context: Using exit@plt with a user supplied input to skip calloc. Did not know how to skip calloc with exit@plt.