Never Say Goodbye

By Uday Shankar

This is a format string exploit. The vulnerable line is line 4.

printf(str);

Since a user-supplied string is given as the first argument to printf, it is interpreted as the format string, so format specifiers (pretty much anything beginning with a % sign) can be used to leak and overwrite arbitrary information in a program. This exploit is covered all over the internet, so I won't go over it here. I highly recommend LiveOverflow's tutorials for this topic.

Once we have an arbitrary read-write through the format string exploit, we can get to work. The key is that the compiler optimizes the second call of printf to a call to puts, because the argument passed is a string literal. This optimization can be detected by disassembling the binary, or just through knowledge about how gcc works. On the first pass, we can overwrite the GOT entry for puts to point back to an appropriate point in our code, e.g. right before the fgets call. This means we can run the vulnerability as many times as we want to. From here, there are many ways to complete the exploit. One example follows.

  1. Leak a libc address

  2. Compute the appropriate location of system

  3. Overwrite the GOT entry for printf to point to system

  4. Give “/bin/sh” as input and win

Flag: compiler_optimizations_rekt_me_RIP
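As an added defensive example (not part of the original writeup), here is the hardened form of the vulnerable call beside a small input check that flags the conversion directives this technique depends on. The function names are my own; gcc's -Wformat-security warns on the original printf(str) form, and linking with full RELRO (-Wl,-z,relro,-z,now) makes the GOT read-only so the overwrite steps above fail.

```c
#include <stdio.h>
#include <string.h>

/* Hardened replacement for the page's `printf(str);`: the untrusted buffer is
 * passed as DATA through "%s", never as the format string, so "%p" or "%n" in
 * the input is printed literally instead of interpreted. Returns bytes written. */
int echo_line(const char *str) {
    return printf("%s", str);   /* fputs(str, stdout) is equivalent */
}

/* Count conversion directives in an untrusted string, as a reviewer or a
 * logging filter would when flagging suspicious input. "%%" is a literal
 * percent sign and is not counted. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" escapes itself */
        n++;
    }
    return n;
}

/* 1 if the string contains a "%n"-family directive (optionally after a
 * positional "N$", flags, width or length modifier). That directive is what
 * turns a read-only leak into the arbitrary write used for the GOT overwrite. */
int has_write_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = p + 1;
        /* skip positional index, flags, width, precision and length modifiers */
        while (*q && strchr("0123456789$-+ #.lhzjt", *q)) q++;
        if (*q == 'n') return 1;
    }
    return 0;
}

int main(void) {
    /* constructed sample inputs */
    const char *inputs[] = { "hello", "%x.%x.%x", "100%% done", "%10$n", "%hhn" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        printf("%-12s directives=%d write=%d | echoed as: ", inputs[i],
               count_format_directives(inputs[i]), has_write_directive(inputs[i]));
        echo_line(inputs[i]);
        putchar('\n');
    }
    return 0;
}
```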
