Writeup

• First use this command to scan the executable:

objdump -M intel -d break_this

• The main() function only calls read_buffer().
• This function reads the length of a buffer from standard input into a variable n.
• Then it reads the buffer itself (char buffer[64]).
• Because fgets() reads at most n - 1 characters, we can set n to a value bigger than the length of the buffer, so an overflow may be possible.

• We will set n to a large enough value: 100

• magic_function() starts at address 0x08048596
• From the first 4 lines from read_buffer() we get that: ebp and edi get pushed on the stack, then the stack is extended by 0x54 = 84
• So we must print 88 + 4 + 4 = 92 dummy characters A and then the address of magic_function() in little-endian encoding

For further explanation:

int n;                                          // 4 bytes
unsigned int disorienting_var = 0xDEADBEEF;     // 4 bytes
char buffer[64] = "\0";                         // 64 bytes
size_t i, len;                                  // 16 bytes (8 each one)

Sum that up and add another 4 for ebp => 92

python2.7 -c 'print "100\n" + "A" * 92 + "\x96\x85\x04\x08"' > payload