Crafting Input for Buffer Overflow to Print Flag and Using angr for Symbolic Execution

Question

I'm working on a buffer overflow exercise and need help with two aspects:

1. Crafting the correct input to overwrite a function pointer and call printflag instead of wrong.
2. Using angr to automate the process of finding the input.

Here's the program:

#include <stdio.h>
void wrong() {
    printf(" Wrong \n");
  }
void correct() {
  printf(" You win !\n");
}
int main() {
  char buffer[64];
  long( * p)() = wrong;
  gets(buffer);
  p();
  return 0;
}

Details:

• No stack protections.
• Little-endian CPU.
• wrong address: 0xff115a34.
• correct address: 0xff110333a.
• Frame length: 8 bytes.
• buffer address: 0xffff123a.

Question 1: Input Crafting

I want to create an input that overwrites the function pointer w to point to printflag. What should the exact input be?

Question 2: Using angr

I'm also trying to use angr to find this input automatically. Here's what I know about angr:

• Functions and attributes: angr.Project, x.factory.entry_state, x.factory.simulation_manager, x.explore, x.posix.dumps, x.loader.min_addr, x.loader.shared_objects, .loader.main_object.execstack, x.loader.aslr, claripy.BVS.

Could you help me with the angr script or guide me on how to set up the symbolic execution to find the input that forces the program to call printflag?

For Question 1 (Input Crafting):

• I tried to manually calculate the offset to overwrite the function pointer w in the stack. However, I'm not sure about the exact input format to ensure the program jumps to printflag correctly.

For Question 2 (Using angr):

• I attempted to use angr by creating a project and setting up an entry state. I also used simulation_manager and explore to find the desired path. However, I'm stuck on how to properly define the symbolic input and constraints to guide angr towards overwriting the function pointer to call printflag.
• I expected to find an automatic way to generate the input that would lead to printing the flag, but I'm struggling with the correct setup and the script details.