The bug is an integer overflow, so we can write anywhere.
- To leak the key, overwrite the key, then leak it one byte at a time.
- After leaking the key, we leak the libc and binary addresses at 0x202360 and 0x202000.
- Then we leak the stack via the _argvs variable in the mmap section.
- We need to overwrite the return address saved on the stack with a one_gadget. But we only get 32 writes, so we overwrite the variable i (of the for loop in the main function) with a negative number; then we can write more than 32 times.
- Brute-force, writing one byte at a time, to overwrite the return address of the main function with the one_gadget.
- Overwrite i with a big number, then exit and get the shell.
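The root cause of the write-up above is a bounds check that an integer overflow defeats. The following is an added illustration, not the challenge's source or exploit: a hypothetical signed-index check and an additive range check that let out-of-range offsets through, each placed beside a hardened version that rejects them. Slot count, function names and sample indices are all constructed for the demo; no memory is written, only the verdict of each check is returned.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SLOTS 32  /* hypothetical table size, mirrors the 32-write budget */

/* Vulnerable: the index arrives as a signed int and is compared while
 * still signed, so -1 or INT_MIN satisfies "idx < SLOTS" and the write
 * would land before the table. */
bool slot_check_vulnerable(int idx) {
    return idx < SLOTS;
}

/* Hardened: reject negatives explicitly, then compare as size_t. */
bool slot_check_hardened(int idx) {
    return idx >= 0 && (size_t)idx < SLOTS;
}

/* Vulnerable: start + len can wrap around zero (unsigned wrap here; for
 * signed operands it would be undefined behaviour), so an enormous len
 * still passes the "fits in the table" test. */
bool range_check_vulnerable(size_t start, size_t len) {
    return start + len <= SLOTS;
}

/* Hardened: rearranged as a subtraction that cannot wrap. */
bool range_check_hardened(size_t start, size_t len) {
    return start <= SLOTS && len <= SLOTS - start;
}

/* Count how many of a constructed sample each checker accepts, so the
 * difference between the two forms is visible as a number. */
size_t count_accepted_slots(bool (*check)(int), const int *idx, size_t n) {
    size_t ok = 0;
    for (size_t i = 0; i < n; i++)
        if (check(idx[i])) ok++;
    return ok;
}

size_t count_accepted_ranges(bool (*check)(size_t, size_t),
                             const size_t (*r)[2], size_t n) {
    size_t ok = 0;
    for (size_t i = 0; i < n; i++)
        if (check(r[i][0], r[i][1])) ok++;
    return ok;
}

int main(void) {
    /* Constructed sample inputs: two in range, three out of range. */
    const int idx[] = { 0, 31, 32, -1, INT_MIN };
    const size_t ranges[][2] = {
        { 0, 32 }, { 31, 1 }, { 32, 0 }, { 1, SIZE_MAX }, { 5, 28 }
    };
    size_t ni = sizeof idx / sizeof idx[0];
    size_t nr = sizeof ranges / sizeof ranges[0];

    printf("slot check  vulnerable=%zu hardened=%zu (of %zu)\n",
           count_accepted_slots(slot_check_vulnerable, idx, ni),
           count_accepted_slots(slot_check_hardened, idx, ni), ni);
    printf("range check vulnerable=%zu hardened=%zu (of %zu)\n",
           count_accepted_ranges(range_check_vulnerable, ranges, nr),
           count_accepted_ranges(range_check_hardened, ranges, nr), nr);
    return 0;
}
```

The two vulnerable checks accept four of the five sample inputs each (the negative indices and the wrapped sum slip through), while the hardened forms accept only the in-range ones; compiling with `-Wsign-compare` and `-fsanitize=undefined` flags the first pattern and the signed-wrap variant of the second at build or test time.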
import time