CSCAMP CTF 2012 - Exploit 100

less than 1 minute read

This was more of a reversing puzzle than an exploitation one. The binary accepts a parameter as a password. It checks if the password is correct and cats the key. If not, it tells you the key is wrong. The key is stored byte-by-byte in the program and is assembled dynamically during runtime. After assembly, it compares the supplied password with the one on its stack.

solvee100.py:

import struct, sys

def main():
stack_dump = [0x38343664, 0x39366537, 0x64386562, 0x00313538]
ans = ""

for i in stack_dump:
    ans += struct.pack("I", i)

    sys.stdout.write(ans)

if __name__ == "__main__":
    main()

Running this on our local machine:

[email protected]:~/cscamp/exp100$ ./level100
useage : ./level100 [email protected]:~/cscamp/exp100$ ./level100 wrongkey
Wrong key, try harder
[email protected]:~/cscamp/exp100$ ./level100 `python solvee100.py`
Congratulation, let me grab you content of key.txt
cat: ./key.txt: No such file or directory
[email protected]:~/cscamp/exp100$

Leave a Comment