Want to be a drive-thru attendant? Well, no one does… But! the best employee receives their very own flag! whatdya say?
nc 184.108.40.206 12345
The target uses gets to read into a stack buffer, which is a straightforward example of a stack buffer overflow. The target also has an executable stack, which means that we can simply write our shellcode in the buffer, then jump to it by overwriting the saved return address. The binary even prints the address of the stack buffer we will overflow before asking us for input, so this is pretty much as simple as it gets in terms of exploitation.
The only thing that stands between us and a shell is an additional check that the target performs. During initialization one of the stack variables is set to 0xcafebabe, but before returning from main the target checks whether the same variable is 0xdeadbeef. If this check fails, the target calls exit, thus never returning (and never executing our shellcode). To make it succeed, we can just overwrite the variable with the correct value when smashing the stack.
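For comparison, here is the same frame shape written the way it should have been, as an added example that is not the challenge binary's code: a bounded line reader replacing gets, sitting next to the state word that main checks. The buffer size (64) and the tmpfile stand-in for the network socket are assumptions; the check value is the one from the writeup.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Outcome of a bounded line read. */
struct read_result { size_t len; int truncated; };

/* Bounded replacement for the gets() call described above: reads one
 * line into buf (capacity n), always NUL-terminates, never writes past
 * buf[n-1], and drains the rest of an over-long line so a later read
 * cannot pick it up. */
static struct read_result read_order(char *buf, size_t n, FILE *in)
{
    struct read_result r = {0, 0};
    if (n == 0 || fgets(buf, (int)n, in) == NULL) {
        if (n) buf[0] = '\0';
        return r;
    }
    r.len = strlen(buf);
    if (r.len && buf[r.len - 1] == '\n') {
        buf[--r.len] = '\0';
    } else {
        /* No newline: line longer than the buffer (or ended at EOF). */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            r.truncated = 1;
    }
    return r;
}

/* Same layout as the challenge: a fixed buffer (assumed 64 bytes) beside
 * the state word checked before returning. With the bounded read, input
 * can no longer reach the state word or the saved return address. A fixed,
 * publicly known check value is not a stack canary; the real fix is the
 * bounds check (plus a compiler stack protector).
 * Returns 0 = ok, 1 = input truncated, -1 = error. */
static int take_order(const char *line, char *out, size_t outn)
{
    volatile unsigned int state = 0xcafebabe;  /* value from the writeup */
    char order[64];
    FILE *in = tmpfile();                       /* stands in for the socket */
    if (!in) return -1;
    fputs(line, in);
    rewind(in);
    struct read_result r = read_order(order, sizeof order, in);
    fclose(in);
    snprintf(out, outn, "%s", order);
    if (state != 0xcafebabe) return -1;         /* cannot happen any more */
    return r.truncated ? 1 : 0;
}
```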
$ python2 exploit.py
[+] Opening connection to 220.127.116.11 on port 12345: Done
[*] Switching to interactive mode
$ cat flag
[*] Closed connection to 18.104.22.168 port 12345