We noticed that the binary is provided with disabled NX.
checksec.sh --file ebp_a96f7231ab81e1b0d7fe24d660def25a.elf
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Partial RELRO No canary found NX disabled No PIE No RPATH No RUNPATH ebp_a96f7231ab81e1b0d7fe24d660def25a.elf
So it was pretty simple to run our shellcode and execute proper command to read the flag.
It was the time to see the binary. IDA showed us that the buggy function is make_response since no FMT was used.
return snprintf(response, 0x400u, buf);
but response and buf are on BSS and we should change execution flow to this address 0x0804A480.
By dumping stack on executing make_response we had these values:
You may notice that to overwriting a value via FMT vuln we should provide an address to %n. but we had just BSS variables so we should make this environment manually. As name of the challenge suggets we can use saved frame pointer since it has address of this frame. The scenario is pretty simple:
leak an stack address to find location of RET address of current function make_response.
overwrite RET address in place of saved frame pointer (which ebp points to it).
again using a format string overwrite RET with response address.
You should notice that we should write 2 least significant byte of ebp address location (%hhn).