The binary contains two functions: main reads an input and passes it to login. On decompiling login using Ghidra:
void login(int32_t arg_ch)
It is clear that printf prints the input without a format string, so the binary has a format string vulnerability. The input somehow has to overwrite 0xb4dbabe3, a global variable at 0x804c02c. This can be done with the %hn format specifier, but it is easier to do it using pwntools' fmtstr_payload function, which only requires the offset of the format string from the stack pointer and a dict of <address, value> pairs for the variables to be overwritten.
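As an added illustration (not the challenge binary's code), the shape of the bug Ghidra showed in login beside its fix, plus a small checker that counts memory-writing directives such as %hn in text that was ever used as a printf format; the function names are hypothetical, and gcc's -Wformat-security flags the vulnerable call at compile time.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable shape of login(): user input *is* the format string, so
 * %x leaks stack words and %n/%hn write to attacker-chosen addresses. */
void login_vulnerable(const char *input) {
    printf(input);               /* gcc -Wformat-security warns here */
}

/* Hardened: constant format, input is only data, so %hn in it is inert. */
void login_fixed(const char *input) {
    printf("%s", input);
}

/* Count write directives (%n with any length modifier, e.g. %hn, %12$hn)
 * in s. Returns 0 for harmless text such as "100%% done" or "%x%x".
 * Intended as a log/input check for data that reached a printf-style call. */
int count_write_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                   /* literal percent sign */
        /* skip positional index, flags, width, precision */
        while (*p && (isdigit((unsigned char)*p) || strchr("$-+ #0.*", *p)))
            p++;
        /* skip length modifiers (h, hh, l, ll, L, q, j, z, t) */
        while (*p && strchr("hlLqjzt", *p))
            p++;
        if (*p == 'n') n++;
        if (!*p) break;                            /* format ended mid-directive */
    }
    return n;
}

int main(void) {
    const char *sample = "%12$hn";                 /* constructed sample input */
    printf("write directives in \"%s\": %d\n", sample, count_write_directives(sample));
    login_fixed(sample);                           /* prints the text literally */
    putchar('\n');
    return 0;
}
```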
In this case, the format string is 12 positions away from the stack pointer (found manually by feeding %x specifiers as input). This script worked:
from pwn import *