We see there is an unsafe$()$ function which has some checks for different local variables. The positioning of these variables is important because they are declared before the input buffer which means that a buffer overflow will cause data to be overwritten.

This program is a Buffer Overflow, however you will not be changing the control flow to a specific binary address, rather you will need to enter in the right values to trick the pointer arithmetic logic and get to the call$\_$me$()$ function.

$($psst$,$ the math is easy, dont overthink it$,$ it$$s just addition$)$

This is the C File:

#include

#include

#include

#include $"../../$shared$/$kernels$\_$lib.c$"$

typedef struct node$\_$t $\{$

int x;

char y;

float z;

$\}$ weird$\_$node;

void unsafe$()\{$

int characters$\_$read;

int some$\_$other$\_$value $=0$xFFFF;

int$*$ protector $=($int $*)$malloc$($sizeof$($weird$\_$node$)*33)$;

char buffer$[24]$;

printf$("$Give me some strings $($Mind your values!$)$:

$")$;

read$(0,$ buffer, $1000)$;

characters$\_$read $=$ strlen$($buffer$)$;

if $(*($&protector $+$ some$\_$other$\_$value$)==0$xbadf$00$d$)\{$

if $($characters$\_$read $>24)\{$

printf$("$

$\backslash$ttoo many characters read!

$")$;

exit$(-1)$;

$\}$ else $\{$

call$\_$me$()$;

$\}$

$\}$

$\}$

int main$($int argc, char$*$ argv$[])\{$

unsafe$()$;

return $0$;

$\}$

How will the exploit python look like?