Pwn Intended 0x2

less than 1 minute read

img

Let’s analyze the binary

img

img

We can see that it’s calling gets and we can see where we want to end up. Looks like we want to overflow and set the instruction pointer to that address. Let’s do it.

First, let’s see if we can find how many junk characters we need to send for padding

Using python and dmesg, we can send different lengths and check where exactly the segfault is occuring

img

img

So at 57, we can start to see 41 (A) leaking in. Let’s use 56 as our padding then.

So now we know both the address we want to jump to (0x004011d3) and the padding required (56).

Let’s write a script using python and pwntools.

img

img