[原创]CTF2019_Q1_拯救单身狗
发表于: 2019-3-10 15:12 2750
一血,happy
Analyze
比较显然的两个点:
1
两个 edit 函数只判断了 one[v1] / two[v1] 这个指针是否非空, 没有判断输入的 int 下标范围 (负数或超过数组长度都会越界访问):
(为了符合理解,我把one和two rename交换了一下)
unsigned __int64 edit_singledog() { int v1; // [rsp+4h] [rbp-Ch] unsigned __int64 v2; // [rsp+8h] [rbp-8h] v2 = __readfsqword(0x28u); puts("which?"); v1 = read_int(); if ( one[v1] ) // 数组溢出 { puts("Oh,singledog,changing your name can bring you good luck."); read(0, (void *)one[v1], 0x20uLL); printf("new name: %s", one[v1]); } else { puts("nothing here"); } return __readfsqword(0x28u) ^ v2; }
unsigned __int64 edit_luckydog() { int v1; // [rsp+4h] [rbp-Ch] unsigned __int64 v2; // [rsp+8h] [rbp-8h] v2 = __readfsqword(0x28u); puts("which?"); v1 = read_int(); if ( two[v1] ) { puts("Oh,luckydog,What is your new name?"); read(0, (void *)(two[v1] + 8LL), 0x18uLL); puts("your partner's new name"); read(0, *(void **)two[v1], 0x20uLL); } else { puts("nothing here"); } return __readfsqword(0x28u) ^ v2; }
2
edit_singledog() 里 read 进来的名字没有 \x00 截断, 紧接着的 printf("%s") 会一直打印到下一个 \x00 为止, 所以很容易 leak
puts("Oh,singledog,changing your name can bring you good luck."); read(0, (void *)one[v1], 0x20uLL); printf("new name: %s", one[v1]);