  • Swap atoi and printf to leak the stack.
  • Swap( a , &a ) -> *a = a.
  • Swap( 0x601526 , &0x601526 ).
  • Swap( 0x601526 - 6 , printf GOT - 6 ).
  • printf -> 0x56510 , one gadget -> 0x45526.
  • Overwrite the last two bytes of the printf GOT entry with 0x1526, guess it adds with carry.
  • With probability approx 1/16.
  • exploit.py
Original writeup (https://github.com/ssspeedgit00/CTF/tree/master/2018/TokyoWesterns/swap_returns).