Tags: pwn
Rating:
Steps to pwn:
1. Out-of-bounds array access vulnerability (the index is not bounds-checked, so reads past the array reach neighbouring stack memory).
2. Use the out-of-bounds read to leak the stack canary and the saved return address of main, which gives us the address of __libc_start_main+9 and therefore libc's load address.
3. Subtract 9 from the leaked return address to get the address of __libc_start_main, then look up the libc version in a libc database, or construct your own leak primitive by calling puts/printf through the GOT or PLT to dump the whole libc.
4. Construct the payload with the canary, the calculated address of system, and the calculated address of the string "/bin/sh" in libc.
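As an added illustration, not code from the challenge binary or the writeup, here is a constructed C stand-in for the unchecked array access in step 1 beside its bounds-checked form; the array contents, sizes and function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the challenge's array. In the real binary the
 * array lives on the stack below the canary and main's saved return address,
 * so an out-of-range index reads those values instead of array elements. */
#define ITEMS 8
static const uint8_t g_items[ITEMS] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Vulnerable form: the index is used as-is. Any index >= ITEMS, or a negative
 * one, walks off the array and returns whatever sits next to it in memory.
 * A stack canary only catches writes past the buffer; a read like this leaks
 * the canary value itself, which is exactly the primitive step 2 relies on. */
int lookup_vulnerable(long index) {
    return g_items[index];
}

/* Hardened form: validate the index before dereferencing. Returns the element
 * on success and -1 for any index outside [0, ITEMS), including negatives. */
int lookup_checked(long index) {
    if (index < 0 || (size_t)index >= ITEMS) {
        return -1;  /* refuse rather than expose neighbouring memory */
    }
    return g_items[index];
}

int main(void) {
    /* Walk one index on either side of the valid range; only the checked
     * variant is exercised out of range, since the vulnerable one would
     * read memory outside the array. */
    for (long i = -1; i <= ITEMS; i++) {
        int v = lookup_checked(i);
        if (v < 0)
            printf("index %ld rejected\n", i);
        else
            printf("index %ld -> %d\n", i, v);
    }
    return 0;
}
```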