source.c, but most of it is socket programming derived from here. The two relevant functions - vuln() and win() - I'll list below.

./vuln 9001
Once pause() is reached, I hook on with radare2 and set a breakpoint at the ret.
.40
dup2

The dup2() used here is the one within the vulnerable binary (via its PLT entry), but normally you would leak libc via the GOT and then use libc's dup2() rather than the PLT; this walkthrough is about the basics, so I kept it as simple as possible.

The prototype is dup2(oldfd, newfd): it duplicates oldfd onto newfd. Here oldfd will be 4 (our connection fd) and newfd will be 0 and then 1, because we need to call it twice to redirect both stdin and stdout, i.e. dup2(4, 0) followed by dup2(4, 1). Knowing what you do about calling conventions, have a go at doing this and then calling win(). The answer is below.
ROPgadget to find these.

dup2().