CSCAMP CTF 2012 - Exploit 100
This was more of a reversing puzzle than an exploitation one. The binary accepts a parameter as a password. It checks if the password is correct and cats the key. If not, it tells you the key is wrong. The key is stored byte-by-byte in the program and is assembled dynamically during runtime. After assembly, it compares the supplied password with the one on its stack.
solvee100.py:
import struct, sys
def main():
stack_dump = [0x38343664, 0x39366537, 0x64386562, 0x00313538]
ans = ""
for i in stack_dump:
ans += struct.pack("I", i)
sys.stdout.write(ans)
if __name__ == "__main__":
main()
Running this on our local machine:
amon@Alyx:~/cscamp/exp100$ ./level100
useage : ./level100 amon@Alyx:~/cscamp/exp100$ ./level100 wrongkey
Wrong key, try harder
amon@Alyx:~/cscamp/exp100$ ./level100 `python solvee100.py`
Congratulation, let me grab you content of key.txt
cat: ./key.txt: No such file or directory
amon@Alyx:~/cscamp/exp100$
Leave a Comment