
Toddler's Bottle

0x1 [fd]

ssh fd@pwnable.kr -p2222 (pw:guest)

fd.c

#include <string.h>

/* Destination of the read() call in main(). As a file-scope object it starts
 * zero-filled, and main() asks read() for up to 32 bytes, i.e. the whole array. */
char buf[32];

int main(int argc, char* argv[], char* envp[]){
    /*
     * Challenge entry point: reads up to 32 bytes from a descriptor derived
     * from argv[1] and prints the flag when they equal "LETMEWIN\n".
     *
     * Review notes:
     *  - The descriptor number is computed from caller-supplied text, so the
     *    caller decides which open descriptor is read (0/1/2 are the standard
     *    streams every process starts with).
     *  - atoi() reports no errors; non-numeric text is treated as 0.
     *  - The result of read() is stored but never checked.
     */
    if (argc < 2) {
        printf("pass argv[1] a number\n");
        return 0;
    }

    /* 0x1234 == 4660: the only "secret" is a fixed offset visible in the source. */
    int fd = atoi(argv[1]) - 0x1234;
    int nread = read(fd, buf, 32);

    /* Failure path first: anything other than an exact match ends here. */
    if (strcmp("LETMEWIN\n", buf) != 0) {
        printf("learn about Linux file IO\n");
        return 0;
    }

    printf("good job :)\n");
    /* Goes through the shell, with whatever privileges this process holds;
     * "flag" is a relative path, resolved against the current directory. */
    system("/bin/cat flag");
    exit(0);
}

当参数个数(argc)小于 2 时,程序会输出 pass argv[1] a number

然而我们想让它执行的是/bin/cat flag

fd代表的是文件描述符,0-标准输入  1-标准输出  2-标准错误

使 fd = 0,即 argv[1] = 4660(十进制,等于十六进制 0x1234),这样 read 就会从标准输入读取数据



参考:http://blog.csdn.net/cywosp/article/details/38965239


***********************************************************************


0x2 [collision]

ssh col@pwnable.kr -p2222 (pw:guest)

col.c

#include <stdio.h>

#include <string.h>

/* Value that check_password() must return for main() to print the flag. */
unsigned long hashcode = 0x21DD09EC;

/*
 * Interprets the bytes at p as five consecutive ints and returns their sum.
 *
 * p: start of the buffer; main() in this listing only calls this after
 *    checking strlen(argv[1]) == 20.
 * Returns the signed int sum converted to unsigned long.
 *
 * Review notes:
 *  - This is a plain additive checksum: any five words with the same sum
 *    give the same result, so it is not collision resistant and is not
 *    suitable as a password check.
 *  - NOTE(review): the cast assumes p is suitably aligned for int and that
 *    int is 4 bytes (5 * 4 == 20); the byte order of each word is the host's.
 */
unsigned long check_password(const char* p){
    const int* words = (const int*)p;
    int total = 0;
    int remaining = 5;

    /* Add the words in order, first to last. */
    while (remaining-- > 0) {
        total += *words++;
    }
    return total;
}


/*
 * Entry point of col.c: accepts one 20-byte argument and prints the flag when
 * check_password() of that argument equals the global hashcode.
 * NOTE(review): the listing on this page stops after the success branch; the
 * remainder of the function is not shown.
 */
int main(int argc, char* argv[]){

/* No argument given: print usage and stop. */
if(argc<2){

printf("usage : %s [passcode]\n", argv[0]);

return 0;

}

/* strlen() counts bytes up to the first NUL, so exactly 20 non-NUL bytes are
 * required here; check_password() then reads five ints from the argument. */
if(strlen(argv[1]) != 20){

printf("passcode length should be 20 bytes\n");

return 0;

}


/* The comparison is against a fixed sum, not a stored secret. */
if(hashcode == check_password( argv[1] )){

/* Goes through the shell with whatever privileges this process holds. */
system("/bin/cat flag");

return 0;

}

"\xc8\xce\xc5\x06"*4 + "\xcc\xce\xc5\x06" = 0x21DD09EC(按小端序解释:0x06C5CEC8 × 4 + 0x06C5CECC = 0x21DD09EC)

./col `python -c 'print "\xc8\xce\xc5\x06"*4 + "\xcc\xce\xc5\x06"'`



