Tags: exploit ropchain pwn
Rating: 5.0
1) Leak the stack address
2) Partial overwrite of the main ret address (it points to libc_start_main). With an overwrite of the last 2 bytes we can jump in the main function again.
3) Leak the binary address
4) Jump again in the main
5) Get an infinite loop with a stack pivoting and write a ropchain in the memory
6) Exit the infinite loop and jump in the ropchain
Full exploit here
https://github.com/r00ta/myWriteUps/tree/master/InsomnihackTeaser2019