
This is the first tutorial in the series of exercise solutions for Ricardo Narvaja's Spanish course (ignore Google's warning about the site). The binary is named Vulnerable_No_vulnerable.exe and belongs to lesson 21. When we run the binary it asks us to enter an input, and we also see a string printed, so we already have a starting point: the references to that string in the .text section.



We see the first comparison, which checks whether the value of the EAX register is equal to a line break (0x0a). So let's write a small script that runs the binary and sends a buffer, then attach to the process while the script is running.



We realize that the value in EAX is the first byte of the buffer we sent, and it is compared with the line break (0x0a). Since it is not equal, the conditional jump JZ is not taken and the value is next compared with -1 (0xffffffff). So what is being checked is the end of the input: when the line break (0x0a) at the end of the input is reached, the JZ jump is taken.

We need to send the decimal value 10 followed by a line break.



Later we realize that what we sent in the first buffer is a size. If we send a size greater than 16 bytes the program exits, but with a size of 10 bytes it does not exit, and the gets function then receives the second buffer according to the size set by the first buffer. Knowing that the JL/JLE conditional jumps are signed comparisons, the EAX register could be negative: if it held 0xffffffff, that is -1, which is less than 0x10. Boom! Bug. We have an overflow. But there is a stack canary, so even though the bug exists it is not exploitable unless we obtain a leak of the canary value and bypass the protection.



The solution is to compare without considering the sign: treated as unsigned, 0xffffffff is positive and greater than 0x10, so the program exits, and the bug and the overflow are avoided.
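As an added illustration (not the lesson binary's code nor the course author's), the check described above modelled in C: the signed comparison the JL/JLE encodes, the same value compared unsigned, and a stand-in for the second read that only counts how many bytes would land in the 16-byte buffer. The decimal parse, the 0x10 limit and the counting stand-in for gets() are assumptions about how the binary behaves.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 0x10   /* the 16-byte limit the lesson binary checks against (assumed) */

/* Parse the first line (decimal digits ended by '\n', as the lesson sends "10\n")
 * into the 32-bit value the binary keeps in EAX. -1 wraps to 0xffffffff here. */
static int32_t parse_size(const char *first_line) {
    return (int32_t)strtol(first_line, NULL, 10);
}

/* Vulnerable check: signed comparison, the JL/JLE the text describes.
 * -1 (0xffffffff) < 0x10 is true, so the program keeps going. */
bool size_ok_signed(int32_t size) {
    return size < BUF_SIZE;
}

/* Fixed check: compare without sign (JB/JBE). 0xffffffff is now 4294967295,
 * which is not below 0x10, so the program exits before the second read. */
bool size_ok_unsigned(int32_t size) {
    return (uint32_t)size < (uint32_t)BUF_SIZE;
}

/* Stand-in for the second read: up to `size` bytes go into a 16-byte stack buffer.
 * The binary uses gets(); this model only counts. The return value is the number of
 * bytes that would be written, so an overflow shows as a value above BUF_SIZE. */
size_t simulate_read(const char *first_line, const char *payload, bool (*check)(int32_t)) {
    int32_t size = parse_size(first_line);
    if (!check(size))
        return 0;                               /* program exits, nothing is written */
    size_t limit = (size_t)(uint32_t)size;      /* same register, now used as a length */
    size_t n = strlen(payload);
    return n < limit ? n : limit;
}

/* Does this pair of inputs overflow the 16-byte buffer under the given check? */
bool overflows(const char *first_line, const char *payload, bool (*check)(int32_t)) {
    return simulate_read(first_line, payload, check) > BUF_SIZE;
}
```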


