Hi. I was hoping you could help me with "What does the f say".
I can exploit the format string vulnerability to leak the necessary addresses so that I could, in theory, redirect execution to a one-gadget in libc. However, with only 28 bytes of format string space, I cannot make such a big change to the return address. As such, I am confined within the surrounding space of the binary code section.
I've been trying to look through the gadgets in the binary to see if there's anything that will let me work around this, but nothing so far.
Can you at least tell me if I'm on the right track?