Tags: canary bof pwn fmt
_(pwn, 269 points)_
Pretty standard birb protection (nc 18.104.22.168 5002)
Running `checksec` against the binary confirms the hint in the challenge description that stack canaries are in use. An `ltrace` of the binary reveals a format string vulnerability caused by improper use of `printf` (user input is passed as the format argument) as well as a buffer overflow vulnerability caused by the unsafe `gets` function. Reading the binary's symbols, we find a `win` function that prints the flag when executed.
Leak the stack canary via the format string bug, then write the leaked value back into the canary slot before overwriting the return address of `main` with the address of `win` via the buffer overflow; with the canary intact, the stack check passes and `main` returns into `win`.
See [exploit](./exploit.py) for an automation of the exploit written in Python.
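The two bugs the writeup relies on, reconstructed in C alongside their hardened forms. This is an added example and not the challenge's source or the linked `exploit.py`; the `demo_*` helpers using `fmemopen` are assumptions added so the code can be exercised offline. The point for a defender is that a stack canary only protects the `gets` overflow as long as nothing lets an attacker read it, and an unfenced `printf(buf)` does exactly that, so both bugs have to be fixed, not just the overflow.

```c
#define _POSIX_C_SOURCE 200809L /* for fmemopen in the demo helpers */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 64

/* Vulnerable pattern as described in the writeup (reconstructed, not the
 * challenge's code). gets() has no bound, so a long line overwrites the
 * canary and the saved return address; printf(buf) treats user data as
 * the format string, so "%p%p%p..." reads stack words, canary included.
 * Kept under #if 0 so it never compiles. */
#if 0
static void vulnerable(void) {
    char buf[BUF_SIZE];
    gets(buf);    /* unbounded write: stack buffer overflow */
    printf(buf);  /* user-controlled format string: stack read / canary leak */
}
#endif

/* Hardened reader: bounded read with fgets, strips the newline, and drains
 * the rest of an over-long line so later reads stay in sync.
 * Returns the number of bytes stored (excluding the NUL), or -1 on EOF/error. */
int read_line_bounded(FILE *in, char *buf, size_t size) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        /* line was longer than the buffer: discard the remainder */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') { }
    }
    return (int)len;
}

/* Hardened echo: user data is always an argument, never the format string,
 * so '%' sequences in it are printed literally. */
int echo_user_string(FILE *out, const char *s) {
    return fprintf(out, "%s\n", s);
}

/* Demo helper (assumption): feed `input` through the bounded reader with a
 * `bufsize`-byte buffer and return the stored length. */
int demo_stored_length(const char *input, size_t bufsize) {
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL) return -1;
    char *buf = malloc(bufsize);
    int n = (buf != NULL) ? read_line_bounded(in, buf, bufsize) : -1;
    free(buf);
    fclose(in);
    return n;
}

/* Demo helper (assumption): echo `input` into a memory stream and return 1
 * if the output is exactly the input followed by a newline, i.e. no format
 * directive in the user data was interpreted. */
int demo_echo_is_literal(const char *input) {
    char out[256] = {0};
    FILE *f = fmemopen(out, sizeof out, "w");
    if (f == NULL) return 0;
    echo_user_string(f, input);
    fclose(f);
    size_t len = strlen(input);
    return strncmp(out, input, len) == 0 && out[len] == '\n' && out[len + 1] == '\0';
}

int main(void) {
    char buf[BUF_SIZE];
    int n = read_line_bounded(stdin, buf, sizeof buf);
    if (n < 0) return 1;
    echo_user_string(stdout, buf); /* "%p%p%p" from the user comes back unchanged */
    return 0;
}
```

Compile with `-fstack-protector-strong` to get the same canary the challenge binary has; the difference is that with `read_line_bounded` the canary is never overwritten, and with `echo_user_string` it is never readable through the output, so the leak-then-overflow chain in the writeup has nothing to work with.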