-
-
[原创]看雪CTF.TSRC 2018 团队赛 第十四题 你眼中的世界
-
发表于: 2018-12-28 11:44
-
题目源码:
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
signed int v3; // ebx
unsigned int v4; // eax
void *v5; // rbp
v3 = 5;
sub_5647BE0B4AB0();
puts("echo from your heart");
do
{
__printf_chk(1LL, "lens of your word: ");
v4 = sub_5647BE0B4AF0(1LL, "lens of your word: ");
if ( v4 > 0x1000 )
{
puts("too long");
exit(1);
}
v5 = malloc(v4);
__printf_chk(1LL, "word: ");
gets(v5);
__printf_chk(1LL, "echo: ");
__printf_chk(1LL, v5);
putchar(10);
--v3;
}
while ( v3 );
return 0LL;
}
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
signed int v3; // ebx
unsigned int v4; // eax
void *v5; // rbp
v3 = 5;
sub_5647BE0B4AB0();
puts("echo from your heart");
do
{
__printf_chk(1LL, "lens of your word: ");
v4 = sub_5647BE0B4AF0(1LL, "lens of your word: ");
if ( v4 > 0x1000 )
{
puts("too long");
exit(1);
}
v5 = malloc(v4);
__printf_chk(1LL, "word: ");
gets(v5);
__printf_chk(1LL, "echo: ");
__printf_chk(1LL, v5);
putchar(10);
--v3;
}
while ( v3 );
return 0LL;
}
猜测漏洞在gets,具体怎么利用一无所知。
然后发现函数__printf_chk 没有见过,不知道有没有print不一样的地方。
搜了一下,居然发现了跟此题神似的原题:
hctf2017 babyprintf
并找到wp一篇:
https://bbs.pediy.com/thread-222735.htm
按照此wp操作,得到了libc地址,但是原文中的vtable偏移并不知道怎么来的。
vtable_addr=libc_base+0x3BE4C0
打开libc2.24看了一下
然而再libc2.23 中并无此节__libc_IO_vtables
所以此方法gg.
用google 搜索 hctf2017 pwn unsortedbin attack,找到另外一篇wp:
d80K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6$3k6i4u0A6N6r3q4K6y4e0l9I4i4K6u0W2M7%4m8S2j5$3g2Q4x3V1j5J5x3o6p5%4i4K6u0r3x3e0u0Q4x3V1j5I4x3#2)9J5c8V1W2a6i4K6t1#2x3U0m8r3d9f1I4q4i4K6t1#2x3U0m8Q4x3U0g2q4y4g2)9J5y4f1q4p5i4K6t1#2b7e0k6Q4x3U0g2q4y4q4)9J5y4f1t1&6i4K6t1#2b7e0m8Q4x3U0g2q4y4#2)9J5y4f1q4o6i4K6t1#2z5e0c8Q4x3U0g2q4z5q4)9J5y4f1q4q4i4K6t1#2b7U0m8Q4x3V1j5`.
其中第五部分
HCTF2017 babyprintf
正是此题,wp似乎更为简单。照此wp操作,唯一的问题是此wp中_IO_str_jumps偏移可以直接搜索符号得到,但是2.23中运行并不可以。
好在又找到一篇wp:
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2018-12-28 11:46
被lacoucou编辑
,原因: 修改错字
|
|
|---|---|
