write-what-where as a service! Now how do I detour away from the intended path of execution?
This binary gives you a chance to write a value to an address. Since the stack address is randomized, we can't overwrite rip.
According to this post, when a program exits normally, it will call functions in
For example, in this binary, the first address in fini_array points to __do_global_dtors_aux. This function will be called after main returns.
So, we can write the address of sym.win to fini_array. Then, after main returns, it will call win and give us the shell.
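The write only works while fini_array is writable at run time. A binary linked with RELRO places that section inside the PT_GNU_RELRO segment, which the loader remaps read-only after relocation. The check below is an added example, not part of the original writeup: it parses a little-endian ELF64 image and reports whether fini_array is covered. The names `fini_array_relro` and `build_sample` and the sample addresses are constructed for illustration.

```python
import struct

PT_GNU_RELRO = 0x6474E552   # segment the loader remaps read-only after relocation
SHT_FINI_ARRAY = 15         # section type of .fini_array


def fini_array_relro(elf: bytes):
    """Return (start, end, protected) for .fini_array in a little-endian ELF64
    image, or None if the image has no section of type SHT_FINI_ARRAY."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    phoff, shoff = struct.unpack_from("<QQ", elf, 0x20)
    phentsize, phnum, shentsize, shnum = struct.unpack_from("<HHHH", elf, 0x36)
    fini = None
    for i in range(shnum):
        # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
        _, sh_type, _, addr, _, size = struct.unpack_from(
            "<IIQQQQ", elf, shoff + i * shentsize)
        if sh_type == SHT_FINI_ARRAY:
            fini = (addr, addr + size)
    if fini is None:
        return None
    for i in range(phnum):
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz
        p_type, _, _, vaddr, _, _, memsz = struct.unpack_from(
            "<IIQQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO and vaddr <= fini[0] and fini[1] <= vaddr + memsz:
            return (*fini, True)    # read-only once the loader has finished
    return (*fini, False)           # stays writable: the pointer can be replaced


def build_sample(with_relro: bool) -> bytes:
    """Constructed image: ELF64 header, one program header, one section header.
    All addresses are made up for the example, not taken from the challenge."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0x40, 0x78, 0, 0x40, 56, 1, 64, 1, 0)
    p_type = PT_GNU_RELRO if with_relro else 1          # 1 = PT_LOAD
    phdr = struct.pack("<IIQQQQQQ", p_type, 6, 0, 0x403E00, 0x403E00, 0x200, 0x200, 1)
    shdr = struct.pack("<IIQQQQIIQQ", 0, SHT_FINI_ARRAY, 3, 0x403E18, 0, 8, 0, 0, 8, 8)
    return ehdr + phdr + shdr


if __name__ == "__main__":
    for relro in (False, True):
        print(relro, fini_array_relro(build_sample(relro)))
```

To run it against a real file, pass `open(path, "rb").read()` to `fini_array_relro`; a `False` in the last field means the destructor table is still writable when main runs.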
[0x004010f0]> px/a @ obj.__do_global_dtors_aux_fini_array_entry
from pwn import *  # pwntools: provides context and ELF
exe = context.binary = ELF("detour")