Tags: buffer_overflow pwn 


# Free Flag

Author: [roerohan](https://github.com/roerohan)

This is a simple buffer overflow challenge where you have to overwrite the return pointer.

# Requirements

- Knowledge of Function Stack, Return Pointer

# Source

- [chall](./chall)

# Exploitation

This is a classic buffer overflow challenge. The flag is in a file on the server, and a binary is given to you ([chall](./chall)). Fire up GDB, and check out the main function using `disas main`.

You see a function called `here`. We check it out using `disas here`.

In this you see a call to the `read` function. Also, when you do `info functions`, notice there is a function called `win_win`. Let's check that out.

So the `win_win` function has a has a call to `system`, looks like this is our target function. If we can run this somehow, we get the flag. So we try to overwrite the return pointer in the `here` function. You see that the size of the stack is `0x20` or `32`. We need to add 8 more bytes to overwrite the saved base pointer, making it 40. Then, the return pointer must be overwritten in little endian to the `win_win` function. Let's write the payload.

python2 -c "print('a'*(32+8) + '\x08\x07\x40\x00\x00\x00\x00\x00')"

This can now be piped to the server to get the flag.

python2 -c "print('a'*40 + '\x08\x07\x40\x00\x00\x00\x00\x00')" | nc asia.pwn.zh3r0.ml 3456

The flag is:


Original writeup (https://github.com/csivitu/CTF-Write-ups/tree/master/Zh3r0%20CTF/Pwn/Free%20Flag).