#!/usr/bin/env python
""" WARNING: crypto is hard to do right, bugs are hard to discover. Don't use if your life depends on it. """
import os.path
from subprocess import Popen, PIPE
import json
# requests and beautifulsoup should be in your favorite package manager already
import requests
Basically the same idea as the previous challenge.
Instead of getting an explicit location for the return
address needed to jump to the start of the shellcode, we
need to find a register that holds that start (in this
case $eax points to the start of the buffer, so we are
in luck) and find some code inside the binary that jumps
there. That we can find with ROPGadget.
The tips were really helpful.
The service asks for two inputs. Both are placed on
the stack. The second buffer can be overflowed (accepts
512 bytes, buffer size is 128), and you can replace
the return address on the stack with the beginning of the
first buffer.
The service is nice enough to tell us where the first buffer
is located. So we overwrite the return address at 128 + 12
on the stack, with the location where the service told us
the first buffer was located. So we can fill that stack