-
-
[原创]攻防世界PWN新手区:when_did_you_born
-
发表于: 2022-4-4 10:59 5572
-
题目描述:
只要知道你的年龄就能获得flag,但菜鸟发现无论如何输入都不正确,怎么办?
拿到文件先用file命令查看文件的基本信息
再使用checksec命令查看文件的保护机制:
根据上面这两条命令可知,这个文件为64位的ELF文件,而且还开了不少保护,其中就有金丝雀。
直接丢进ida里面分析,先分析主函数
大概分析代码逻辑,可以发现我们的最终目的是在birth里面存放1926从而catflag,但是如果一开始在birth存放1926会在第一个循环给ban掉,这里注意到主函数这里是先接收的birth然后判断birth之后再接收的name,而name用到了gets函数,众所周知gets函数不会验证输入数据的位数。这里就成了我们利用的地方。先查看一下栈布局:
这里就很明显了,虽然这题用到了canary,但是我们并不需要注入到tls变量处,我们只需要在name变量接受gets的值时顺便覆盖到birth变量就行。
__int64 __fastcall main(
int
a1, char
*
*
a2, char
*
*
a3)
{
__int64 result;
/
/
rax
char name[
8
];
/
/
[rsp
+
0h
] [rbp
-
20h
] BYREF
unsigned
int
birth[
4
];
/
/
[rsp
+
8h
] [rbp
-
18h
] BYREF
unsigned __int64 tls;
/
/
[rsp
+
18h
] [rbp
-
8h
]
tls
=
__readfsqword(
0x28u
);
setbuf(stdin,
0LL
);
setbuf(stdout,
0LL
);
setbuf(stderr,
0LL
);
puts(
"What's Your Birth?"
);
__isoc99_scanf(
"%d"
, birth);
while
( getchar() !
=
10
)
;
if
( birth[
0
]
=
=
1926
)
{
puts(
"You Cannot Born In 1926!"
);
result
=
0LL
;
}
else
{
puts(
"What's Your Name?"
);
gets(name);
printf(
"You Are Born In %d\n"
, birth[
0
]);
if
( birth[
0
]
=
=
1926
)
{
puts(
"You Shall Have Flag."
);
system(
"cat flag"
);
}
else
{
puts(
"You Are Naive."
);
puts(
"You Speed One Second Here."
);
}
result
=
0LL
;
}
return
result;
}
__int64 __fastcall main(
int
a1, char
*
*
a2, char
*
*
a3)
{
__int64 result;
/
/
rax
char name[
8
];
/
/
[rsp
+
0h
] [rbp
-
20h
] BYREF
unsigned
int
birth[
4
];
/
/
[rsp
+
8h
] [rbp
-
18h
] BYREF
unsigned __int64 tls;
/
/
[rsp
+
18h
] [rbp
-
8h
]
tls
=
__readfsqword(
0x28u
);
setbuf(stdin,
0LL
);
setbuf(stdout,
0LL
);
setbuf(stderr,
0LL
);
puts(
"What's Your Birth?"
);
__isoc99_scanf(
"%d"
, birth);
while
( getchar() !
=
10
)
;
if
( birth[
0
]
=
=
1926
)
{
puts(
"You Cannot Born In 1926!"
);
result
=
0LL
;
}
else
{
puts(
"What's Your Name?"
);
gets(name);
printf(
"You Are Born In %d\n"
, birth[
0
]);
if
( birth[
0
]
=
=
1926
)
{
puts(
"You Shall Have Flag."
);
system(
"cat flag"
);
}
else
{
puts(
"You Are Naive."
);
puts(
"You Speed One Second Here."
);
赞赏
他的文章
- 关于迷宫题的一些求解思路 11128
- [原创]攻防世界PWN新手区:int_overflow 7821
- [原创]攻防世界PWN新手区:guess_num 11534
- [原创]攻防世界PWN新手区:level2 11815
- [原创]攻防世界PWN新手区:level0 6107
谁下载
无
看原图
赞赏
雪币:
留言: