loveletter writeup

Surprisingly, before me this pwnable level had only been pwned 74 times, and there was no write-up available online. So I decided to share my solution.

There is no source code, so you have to reverse engineer the binary. The problem lies in the highlighted line of the protect() function.

Essentially, it copies the next byte.

To solve it, we need to force the system(loveletter) call to execute cat flag.

The buffer is 256 bytes in total, memset to \x00. The goal is to set the length of the first memcpy to 0. That drops the first part of the love letter (the echo I love prefix), so what reaches system() is cat flag <garbage>.

The solution is: python -c "print('cat flag' + ' '*245 + '$')". The payload is 254 bytes (8 + 245 + 1), so the trailing $ is the last character of the input and is followed by the zero-filled tail of the buffer. Now onto why this works.

When the code above executes on the trailing $, eax points to a \x00 byte.

The copy writes that \x00 into the buffer and propagates it to edx, the length used by the first memcpy, which is loaded by mov edx, [esp+110h] (see below).

With a length of 0, the echo I love prefix is never copied, and cat flag is what gets executed.