First let's review the following code:
#include <fcntl.h>
#include <iostream>
#include <cstring>
#include <cstdlib>
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#__author__= 'ihciah@gmail.com'
import urllib,urllib2
def login(username, password):
    url="http://10.108.255.249/include/auth_action.php"
    data={"username": username,
# -*- coding: utf-8 -*-
# Filter users who have posted within the last month and are level 12
import urllib,urllib2,re
from multiprocessing import Pool
from multiprocessing.dummy import Pool as ThreadPool
URLBASE='http://tieba.baidu.com/f?kw=%E5%8D%8E%E4%B8%9C%E7%90%86%E5%B7%A5%E5%A4%A7%E5%AD%A6&ie=utf-8&pn='
result=set()
realres=[]
pool = ThreadPool(10)
Load bf with IDA:
main:
int __cdecl main(int argc, const char **argv, const char **envp)
{
int result; // eax@4
(Too lazy to review the lessons before the exam... Loaded it with IDA and found:
_BOOL4 __cdecl auth(int a1)
{
char v2; // [sp+14h] [bp-14h]@1
char *s2; // [sp+1Ch] [bp-Ch]@1
Run the program and it crashed. Load it with gdb-peda, break at entry point and run:
0x8048054: pop eax
0x8048055: pop edx
0x8048056: mov edx,DWORD PTR [edx]
0x8048058: call edx
There are two ways to solve this problem. One is to pass the validation, and the other is to jump to execve. Since the first one is too time consuming, here I use the second one.
In function main, there is an alloca with a random parameter, which disturbs the stack layout. So if we want to get information about the stack, we must leak it first.
In function fsb, there is a printf format string bug, and we can use %1$n to write to an address. So we can write an address, use $ to get a reference to it, and then write to that address! However, all input is saved in .bss.
So we can consider another way. We can notice that ebp points to an old ebp, and we can control it.
This is an RPG that allows you to choose actions and win the game. However, you cannot win this game unless you use some tricks.
main:
puts("Welcome to Dragon Hunter!");
PlayGame();
At first glance, I thought there were 3 ways to exploit this problem, since it gives me 3 choices: BOF, FSB, UAF; however, the last two are not available.
In echo1, it calls get_input to read 128 bytes of input, but the buffer is at bp-20h, so it can only hold data with a maximum length of 32.
Above the return address is the old rbp, so we can write 32 + 8 bytes of padding and then an address to jump to in order to overflow it.
After searching with jmpcall si in peda, we found no result.