First let's review the following code:
#include <fcntl.h>
#include <iostream>
#include <cstring>
#include <cstdlib>
# -*- coding: utf-8 -*-
#!/usr/bin/env python
#
#__author__= 'ihciah@gmail.com'
import urllib,urllib2
def login(username, password):
    url="http://10.108.255.249/include/auth_action.php"
    data={"username": username,
# -*- coding: utf-8 -*-
# filter users who posted within the last month and are level 12
import urllib,urllib2,re
from multiprocessing import Pool
from multiprocessing.dummy import Pool as ThreadPool
URLBASE='http://tieba.baidu.com/f?kw=%E5%8D%8E%E4%B8%9C%E7%90%86%E5%B7%A5%E5%A4%A7%E5%AD%A6&ie=utf-8&pn='
result=set()
realres=[]
pool = ThreadPool(10)
Load bf with IDA:
main:
int __cdecl main(int argc, const char **argv, const char **envp)
{
int result; // eax@4
Too lazy to review the lessons before the exam... Load with IDA and found:
_BOOL4 __cdecl auth(int a1)
{
char v2; // [sp+14h] [bp-14h]@1
char *s2; // [sp+1Ch] [bp-Ch]@1
Run the program and it crashed. Load it with gdb-peda, break at the entry point and run:
0x8048054: pop eax
0x8048055: pop edx
0x8048056: mov edx,DWORD PTR [edx]
0x8048058: call edx
There are two ways to solve this problem. One is to pass the validation, and the other is to jump to execve. Since the first one is too time-consuming, here I use the second one.
In function main, there is an alloca with a random parameter, which will disturb the stack. So if we want to get information about the stack, we must leak it first.
In function fsb, there is a printf bug, and we can use %1$n to write to any address. So we can just write an address, use $ to get a reference to it, and then write to that address! However, all input is saved in .bss.
So we can consider another way. We can notice that the ebp points to an old ebp, and we can control it.
This is an RPG that allows you to choose actions and win the game. However, you cannot win this game without using some tricks.
main:
puts("Welcome to Dragon Hunter!");
PlayGame();
At first glance, I thought there were 3 ways to exploit this problem, since it gives me 3 choices: BOF, FSB, and UAF; however, the last two are not available.
In echo1, it calls get_input to read 128 bytes of input, but the buffer is at bp-20h, so it can only hold data with a max length of 32.
Above the return address is the old rbp, so we can write 32 + 8 bytes of padding and then an address to jump to in order to overflow it.
After searching with jmpcall si in peda, we found no results.