Tags: pwnable
# Floatpoint [Pwnable - 175]
## Challenge description
IEEE754 is useful when your values go from -inf to +inf, but really, fixed point is all you need.
But if you want, you could grab this too.
Running at fixedpoint.pwning.xxx:7777
## Challenge code
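```C
#include <stdlib.h>
#include <sys/mman.h>
#include <stdio.h>
#include <unistd.h>  /* write() */

int main(int argc, char** argv) {
    /* prot 7 = PROT_READ|PROT_WRITE|PROT_EXEC: the buffer is writable and executable */
    float* array = mmap(0, sizeof(float)*8192, 7, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    int i;
    int temp;
    float ftemp;
    for (i = 0; i < 8192; i++) {
        if (!scanf("%d", &temp)) break;  /* stop at the first non-integer token */
        array[i] = ((float)temp)/1337.0;
    }
    write(1, "here we go\n", 11);
    (*(void(*)())array)();  /* jump into the float array */
}
```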
## Solution
It's easy to see that we need to find integers that, once converted to float and divided by 1337, have an IEEE754 representation that is valid shellcode.
For those not familiar with IEEE754, it's basically a standard for representing floating-point numbers in computers.
In this chall I perceived that I could only reliably control the inner bytes of a 4-byte value, so I needed to construct
2 bytes of shellcode and 2 bytes of NOP, in the format 0xNSSN (where N is a NOP and S is part of the real shellcode).
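The precision limit behind the 0xNSSN layout can be measured directly. The following is an added example, not the author's exploit code: it simulates the challenge's `int -> (float) -> /1337.0` path and counts how many low-byte values survive a round trip when the upper three bytes are fixed. The function names and the sample patterns (inner bytes 0x41 0x42) are constructed for illustration.

```python
import math
import struct

DIVISOR = 1337.0
INT_MIN, INT_MAX = -2**31, 2**31 - 1

def f32(x):
    """Round a Python float (a C double) to single precision."""
    return struct.unpack("<f", struct.pack("<f", x))[0]

def stored_word(n):
    """32-bit pattern of array[i] after array[i] = ((float)n)/1337.0."""
    quotient = f32(float(n)) / DIVISOR  # (float)temp, then a double division
    return struct.unpack("<I", struct.pack("<f", quotient))[0]

def nearest_int(word):
    """Integer whose quotient lies closest to the float encoded by word, or None."""
    value = struct.unpack("<f", struct.pack("<I", word))[0]
    if not math.isfinite(value):
        return None  # inf/NaN bit patterns cannot be produced
    n = round(value * DIVISOR)
    return n if INT_MIN <= n <= INT_MAX else None  # must fit the int read by scanf

def exact_low_bytes(upper24):
    """Count low bytes (0..255) reproduced exactly with the upper three bytes fixed."""
    hits = 0
    for low in range(256):
        word = (upper24 << 8) | low
        n = nearest_int(word)
        if n is not None and stored_word(n) == word:
            hits += 1
    return hits

if __name__ == "__main__":
    # Constructed patterns: sign/exponent byte first, then two inner bytes.
    for upper24 in (0x904142, 0x3F4142, 0x424142, 0x464142, 0x465042, 0x4F4142):
        print(f"upper bytes {upper24:06x}: {exact_low_bytes(upper24):3d}/256 low bytes exact")
```

With the upper bytes 0x464142 every low byte is reproduced, while 0x465042 loses some because the integer exceeds 2^24 and `(float)temp` already rounds it. The top byte holds the sign and most of the exponent, so patterns such as 0x90... or 0x4F... correspond to values that no 32-bit integer divided by 1337 can reach.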
```python
import struct
import pwnlib
import time
def get_int(s):
a = struct.unpack('