Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX enabled
PIE:      No PIE (0x400000)
0x2 Vulnerability
This is a classic ret2libc challenge: function main calls gets, and we can use this gets to construct a ROP chain.
One thing to notice is that main has a counter, which increases by 1 every time main is called. If the counter is larger than 0, the program exits immediately. Therefore, the first ROP chain also needs to set the counter back to 0.
So, we need to construct the following ROP chain.
first ropchain
puts(got.printf)    # leak libc address
gets(obj.counter)   # set counter to 0
main()              # re-enter main for the next chain
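From the defender's side, this is an added example (not code from the challenge binary or from this write-up) of the gets call in main replaced by a bounded read, which removes the overflow the chain above depends on; the run-once counter is writable data, so it is no protection on its own. The 64-byte buffer, the function names and the order of the counter check are assumptions.

```c
/* Added example: bounded replacement for the gets() call described above. */
#include <stdio.h>
#include <string.h>

enum { READ_OK = 0, READ_EOF = -1, READ_TOO_LONG = -2, READ_REFUSED = -3 };

/* Read one line into buf (capacity cap). Unlike gets(), never writes past
 * buf: an over-long line is drained and rejected, not truncated silently. */
static int read_line(FILE *in, char *buf, size_t cap)
{
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return READ_EOF;            /* nothing read (or unusable buffer) */
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }
    int c = fgetc(in);              /* no newline stored: look at what follows */
    if (c == EOF || c == '\n')
        return READ_OK;             /* line filled the buffer exactly, or EOF */
    while (c != '\n' && c != EOF)   /* drain so the next read starts clean */
        c = fgetc(in);
    buf[0] = '\0';
    return READ_TOO_LONG;
}

static int counter;  /* assumed: global run-once counter like obj.counter */

/* Hypothetical stand-in for the challenge's main(): same guard, safe read. */
static int handle_once(FILE *in, char *buf, size_t cap)
{
    if (counter > 0)
        return READ_REFUSED;
    counter++;
    return read_line(in, buf, cap);
}

int main(void)
{
    char name[64];                  /* assumed size; the page gives none */
    int rc = handle_once(stdin, name, sizeof name);
    if (rc != READ_OK) {
        fprintf(stderr, "input rejected (%d)\n", rc);
        return 1;
    }
    printf("read %zu bytes\n", strlen(name));
    return 0;
}
```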