exploitation1-release is an Linux x86 binary that has a trivial buffer overflow that cats the key.


We reverse the binary, and see that main forks, drops privileges, and then calls the function below, which dumps the key if given the correct name.

We see that they wiped the secret name from the binary they gave us and replaced it with "AAAAAAAAAAAAAAAAAAAAAAAAAA\n", so we’re forced to find another way to get the key. But we see that there is a 4 byte overwrite, which is sufficient to write an arbitrary value to v4. We thus have our solution:

% perl -e 'print "A"x512, "\x01"' | nc 54321