Comments on voidsecurity: ctf.wargame.vn - Pwn 300
Blog author: Reno Robert
Comment feed last updated: 2023-05-22T19:36:11+05:30
4 comments, shown in chronological order

aaaaxx (2015-05-12T14:29:49+05:30):
Even though you leaked the address of libc_start_main, you said that the address of libc_start_main is randomized. So how can you know exactly which libc the binary uses? Don't you also have to know the libc base address?

aaaaxx (2015-05-12T14:54:07+05:30):
Did you just search around the address you leaked by using program_invocation_name and find the user input?

Reno Robert (2015-05-12T19:11:33+05:30):
My local libc matched the remote libc, so it was easy to compute the offset. The base address will be page aligned, so the last 12 bits will be 0, e.g. 0xf74a1000.

Different ways to find remote libc offsets are discussed here: http://j00ru.vexillium.org/blog/24_03_15/dragons_ctf.pdf. Check out slides 64+.

Reno Robert (2015-05-12T19:13:24+05:30):
yes :)
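The exchange above turns on two facts that Reno Robert states without showing the arithmetic: libc is mapped at a page boundary, so once you know the offset of the leaked symbol inside libc, base = leak - offset and the low 12 bits of that base must be zero; and because ASLR only shifts the mapping by whole pages, the low 12 bits of any leaked libc address are the same as the low 12 bits of that symbol's offset, which is what lets you pick out the remote libc build from a catalogue of candidates when your local libc does not happen to match (the approach the linked slides discuss). The following is an added example, not code from the blog post or its comments. The libc "catalogue" entries, their offsets and the leaked addresses are all constructed for illustration; real offsets come from the candidate libc binaries (for instance `readelf -s libc.so.6`) or from a libc database.

```python
# Added example (not from the post or its comments). Shows how the low 12 bits
# of a leaked libc address identify a libc build despite ASLR, and how to turn
# a leaked __libc_start_main address into a page-aligned libc base and from
# there into the addresses of system() and the "/bin/sh" string.
# Every offset and address below is CONSTRUCTED for illustration only.

PAGE_MASK = 0xFFF  # libc is mmap'ed at a page boundary, so base & 0xFFF == 0

# Constructed catalogue of candidate libc builds: symbol -> offset inside libc.
# Two of the entries deliberately share the __libc_start_main low bits, so a
# single leak cannot tell them apart and a second leaked symbol is needed.
LIBC_CATALOGUE = {
    "libc-A (constructed)": {"__libc_start_main": 0x193F0, "system": 0x3ADA0, "str_bin_sh": 0x15BA0B},
    "libc-B (constructed)": {"__libc_start_main": 0x18540, "system": 0x3A940, "str_bin_sh": 0x15B9AB},
    "libc-C (constructed)": {"__libc_start_main": 0x193F0, "system": 0x3B6A0, "str_bin_sh": 0x160A0B},
}


def identify_libc(leaks, catalogue=LIBC_CATALOGUE):
    """Return the catalogue entries consistent with a dict of {symbol: leaked address}.

    ASLR shifts libc by a multiple of the page size, so for every symbol
    leaked_addr & 0xFFF == offset & 0xFFF. Each extra leak narrows the set.
    """
    matches = []
    for name, syms in catalogue.items():
        if all(sym in syms and (addr & PAGE_MASK) == (syms[sym] & PAGE_MASK)
               for sym, addr in leaks.items()):
            matches.append(name)
    return matches


def libc_base(leaked_addr, symbol_offset):
    """base = leak - offset; a non page-aligned result means the offset is from the wrong libc."""
    base = leaked_addr - symbol_offset
    if base & PAGE_MASK:
        raise ValueError(f"base {base:#x} is not page aligned: wrong libc or wrong offset")
    return base


def resolve(leaked_start_main, syms):
    """Derive libc base plus system() and "/bin/sh" addresses from one __libc_start_main leak."""
    base = libc_base(leaked_start_main, syms["__libc_start_main"])
    return {
        "base": base,
        "system": base + syms["system"],
        "/bin/sh": base + syms["str_bin_sh"],
    }


if __name__ == "__main__":
    # Constructed leaks: __libc_start_main as read from the GOT, then system().
    leak1 = {"__libc_start_main": 0xF74BA3F0}
    print("candidates from one leak:", identify_libc(leak1))
    leak2 = dict(leak1, system=0xF74DBDA0)
    print("candidates from two leaks:", identify_libc(leak2))
    name = identify_libc(leak2)[0]
    for k, v in resolve(leak1["__libc_start_main"], LIBC_CATALOGUE[name]).items():
        print(f"{k:>8}: {v:#x}")
    try:
        libc_base(leak1["__libc_start_main"], LIBC_CATALOGUE["libc-B (constructed)"]["__libc_start_main"])
    except ValueError as e:
        print("libc-B rejected:", e)
```

With the constructed numbers the single `__libc_start_main` leak leaves libc-A and libc-C as candidates, a second leak of `system` settles on libc-A, and the base works out to 0xf74a1000, the page-aligned shape Reno Robert's comment describes. Trying libc-B's offset against the same leak gives a base with non-zero low bits, which is the quick sanity check worth keeping in an exploit: if the computed base is not page aligned, the offsets are from the wrong libc.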