Overwrite 0x401976(the real ret addr) with 0x4017c0(the func touch1 addr).
The address can be examined with x 0x28+$rsp when the program is inside the function getbuf.
Lv 2
Use gdb to inspect the following address:
the address of cookie: 0x6044e4
the address of original ret address: 0x5561dca0
address of touch2: 0x4017ec
Then we need a piece of injection code to excute the call to touch2. The injection code should start from the bottom of the memory space for buf, with a sequence of nop. Then it comes to the setting of the argument and ret address for calling touch2.
Firstly overwrite the original ret address with <injection>'s address: [0x5561dca0, +4] = 0x5561dc78, which is the bottom of the memory space for buf.
Then set the address for calling <touch2>: [0x5561dc98, +8] = 0x4017ec0000000000, where is the top of the memory space for buf.
Then the injection code:
The stack should be like:
Lv 3
Similar to Lv2:
the value of cookie: 0x59b997fa
the corresponding little-endian value for the string '59b997fa': 0x6166373939623935
the address of original ret address: 0x5561dca0
address of touch3: 0x4018fa
Firstly overwrite the original ret address with <injection>'s address: [0x5561dca0, +4] = 0x5561dc78, which is the bottom of the memory space for buf.
Now we define the place start from the bottom of the memory space for buf (0x5561dc78) as the new start of stack.