The challenge gives us a binary to exploit. At first glance it doesn't seem to be a buggy binary, but looking further, after logging in (`strings fil_chal` easily gives you the credentials), you see that some info will be written somewhere in a file. The number you submit there is used as the length argument of recv(). The length of buf is 0x41c, so we need to fill it with more than 0x41c bytes.

v6 = atoi((const char *)&buf);   // the number typed into the info form, signed
*(_WORD *)a2 = v6;
n = a2;                          // passed unchanged as the length to recv()
v7 = recv(fd, &buf, n, 0);       // buf is only 0x41c bytes

if ( (unsigned int)(a2 + 1) <= 0x400 )   // the only bound on the submitted length

How do we bypass this one? Just insert a negative value like "-1" in the entry info form. With a2 = -1 the check computes (unsigned int)(-1 + 1) = 0, which is <= 0x400 and passes, while recv() takes its length as an unsigned size_t, so the machine interprets -1 as 0xffffffff and gives us more than enough length to overflow. Given this check, -1 is the only negative value that works: for any other negative a2, a2 + 1 wraps to a huge unsigned number and fails the comparison. The address I chose to jump to is taken from the stack using ret2ret. Once you get the stack address from the server, compare it with the one you obtained on localhost and calculate the offset.
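To make the signed/unsigned mismatch concrete, here is an added example (not code from the challenge binary or from the original write-up) that models the decompiled check and the conversion recv() applies to its length argument. It assumes a 32-bit target, so recv()'s size_t is 32 bits wide; the buffer size 0x41c and the limit 0x400 are taken from the write-up, and the function names are my own. It scans a window of candidate inputs to show that -1 is the only value that both passes the check and lets recv() read past the end of buf.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: models the length check and the recv() length conversion
 * from the decompiled snippet. Assumption: 32-bit target, so recv()'s
 * size_t is 32 bits wide. BUF_SIZE and MAX_LEN come from the write-up. */
#define BUF_SIZE 0x41c   /* sizeof(buf) on the stack */
#define MAX_LEN  0x400   /* bound enforced by the check */

/* The binary's check: (unsigned int)(a2 + 1) <= 0x400.
 * The addition is done in unsigned arithmetic so the result matches the
 * binary modulo 2^32 without relying on signed overflow. Returns 1 if the
 * submitted number passes. */
static int length_check_passes(int32_t a2)
{
    return ((uint32_t)a2 + 1u) <= MAX_LEN;
}

/* The length recv() actually sees: the signed int is converted to the
 * unsigned size_t parameter (32-bit on the assumed target), so -1 becomes
 * 0xffffffff. */
static uint32_t recv_length(int32_t a2)
{
    return (uint32_t)a2;
}

/* Returns 1 if submitting a2 both passes the check and lets recv() read
 * more than BUF_SIZE bytes, i.e. enough to overflow buf. */
static int overflows(int32_t a2)
{
    return length_check_passes(a2) && recv_length(a2) > BUF_SIZE;
}

/* Scans [lo, hi] and returns the last input that overflows buf, writing
 * the number of such inputs to *count (0 is returned when none is found;
 * 0 can never overflow, so it is safe as a "not found" marker). */
static int32_t find_bypass(int32_t lo, int32_t hi, int *count)
{
    int32_t found = 0;
    *count = 0;
    for (int32_t a2 = lo; a2 <= hi; a2++) {
        if (overflows(a2)) {
            found = a2;
            (*count)++;
        }
    }
    return found;
}

int main(void)
{
    int count;
    int32_t a2 = find_bypass(-0x2000, 0x2000, &count);
    printf("inputs that overflow buf in [-0x2000, 0x2000]: %d\n", count);
    printf("bypass value: %d -> recv length 0x%08x (buf is 0x%x bytes)\n",
           a2, recv_length(a2), BUF_SIZE);
    return 0;
}
```

Only a2 in [-1, 0x3ff] passes the check, and of those only -1 converts to a length larger than 0x41c; every legitimate value is capped below the buffer size, which is why the form looks safe until you feed it a negative number.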

Here is the exploit code:

http://pastebin.com/2zame2i5

 Razor4x