pwnable.kr-input

pwnable-input

涉及知识点:条件输入

题目描述

Mom? how can I pass my input to a computer program?

ssh input2@pwnable.kr -p2222 (pw:guest)

根据题目知道,这是一道关于输入的题目,同样,需要SSH远程登录。

题目分析

  1. 远程登录到input2用户,查看该用户下的文件,用ls命令,有input、input.c、flag三个文件
  2. 查看input.c源代码
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/*
 * pwnable.kr "input" challenge binary, reproduced from the target host.
 * The objdump listing further down appears to be of this same build (the
 * argv offsets 0x208/0x210/0x218 match argv[65]/[66]/[67] below), so the
 * code is left byte-for-byte as-is here and only annotated.
 *
 * The flag is printed only when five independent input channels all carry
 * exact byte strings: argv, fd 0 and fd 2, an environment variable, a file
 * in the working directory, and one TCP connection. Every mismatch fails
 * closed with "return 0".
 *
 * Review notes (observations on the challenge code, not changes to it):
 *  - read() is called without #include <unistd.h>, i.e. through an implicit
 *    declaration, and its return value is never checked: a short read leaves
 *    part of buf uninitialised before memcmp() looks at it.
 *  - getenv() returns NULL when the variable is absent and that NULL goes
 *    straight into strcmp(): undefined behaviour (the disassembly shows the
 *    pointer being dereferenced by repz cmpsb), not a clean "return 0".
 *  - fp is not closed on the fread()/memcmp() failure returns, and neither
 *    socket is ever close()d; tolerable only because main() exits right away.
 *  - argv[65], argv[66] and argv[67] are dereferenced only after the
 *    argc == 100 check, so those indexes are in bounds.
 *  - Every write into buf is bounded to 4 == sizeof buf (read, fread, recv),
 *    so there is no stack overflow despite the tiny buffer.
 *  - envp is unused; all environment access goes through getenv().
 */
int main(int argc, char* argv[], char* envp[]){
printf("Welcome to pwnable.kr\n");
printf("Let's see if you know how to give input to program\n");
printf("Just give me correct inputs then you will get the flag :)\n");

// argv: exactly 100 entries, argv[0]..argv[99]. The char subscripts are plain
// ASCII indexes ('A' == 65, 'B' == 66). "\x00" is an empty string literal, so
// argv[65] must be "" and argv[66] must be the three bytes " \n\r"
// (space, LF, CR) -- bytes a shell will not pass through unquoted.
if(argc != 100) return 0;
if(strcmp(argv['A'],"\x00")) return 0;
if(strcmp(argv['B'],"\x20\x0a\x0d")) return 0;
printf("Stage 1 clear!\n");

// stdio: four raw bytes from fd 0 (stdin) and four more from fd 2 -- the
// descriptor that is normally stderr is *read* here, so the caller must hand
// the program a readable fd 2. Both patterns contain NUL bytes, so they cannot
// be typed on a terminal line.
char buf[4];
read(0, buf, 4);   // return value unchecked (see header note)
if(memcmp(buf, "\x00\x0a\x00\xff", 4)) return 0;
read(2, buf, 4);   // return value unchecked (see header note)
if(memcmp(buf, "\x00\x0a\x02\xff", 4)) return 0;
printf("Stage 2 clear!\n");

// env: the variable whose *name* is the bytes DE AD BE EF must hold the
// value CA FE BA BE. If it is unset, getenv() yields NULL and strcmp()
// dereferences it (undefined behaviour).
if(strcmp("\xca\xfe\xba\xbe", getenv("\xde\xad\xbe\xef"))) return 0;
printf("Stage 3 clear!\n");

// file: a file whose name is a single LF byte, looked up in the current
// working directory, whose first four bytes are all zero. fp leaks on the
// two failure returns between fopen() and fclose().
FILE* fp = fopen("\x0a", "r");
if(!fp) return 0;
if( fread(buf, 4, 1, fp)!=1 ) return 0;
if( memcmp(buf, "\x00\x00\x00\x00", 4) ) return 0;
fclose(fp);
printf("Stage 4 clear!\n");

// network: listen on every interface (INADDR_ANY) at the TCP port taken from
// argv[67] ('C' == 67). atoi() returns 0 for a non-numeric string, and port 0
// is conventionally "let the kernel pick a free port", so a bad port string
// would not fail here -- NOTE(review): confirm on the target. saddr is not
// zero-initialised; only the three fields below are set, sin_zero is garbage.
int sd, cd;
struct sockaddr_in saddr, caddr;
sd = socket(AF_INET, SOCK_STREAM, 0);
if(sd == -1){
printf("socket error, tell admin\n");
return 0;
}
saddr.sin_family = AF_INET;
saddr.sin_addr.s_addr = INADDR_ANY;
saddr.sin_port = htons( atoi(argv['C']) );
if(bind(sd, (struct sockaddr*)&saddr, sizeof(saddr)) < 0){
printf("bind error, use another port\n");
return 1;   // the only non-zero exit status in the program
}
listen(sd, 1);   // return value unchecked
int c = sizeof(struct sockaddr_in);
// accept() blocks until one client connects. That client must deliver the
// four bytes DE AD BE EF (the same constant used as the env-var name above)
// so that a single recv() returns exactly 4; a split delivery fails the stage.
cd = accept(sd, (struct sockaddr *)&caddr, (socklen_t*)&c);
if(cd < 0){
printf("accept error, tell admin\n");
return 0;
}
if( recv(cd, buf, 4, 0) != 4 ) return 0;
if(memcmp(buf, "\xde\xad\xbe\xef", 4)) return 0;
printf("Stage 5 clear!\n");

// here's your flag: system() runs this through the shell with the process's
// inherited environment, and "flag" is a path relative to the current working
// directory, not to the binary's own location.
system("/bin/cat flag");
return 0;
}
  3. 查看main函数的反汇编代码
400954:	55                   	push   %rbp
400955: 48 89 e5 mov %rsp,%rbp
400958: 48 83 ec 70 sub $0x70,%rsp
40095c: 89 7d ac mov %edi,-0x54(%rbp)
40095f: 48 89 75 a0 mov %rsi,-0x60(%rbp)
400963: 48 89 55 98 mov %rdx,-0x68(%rbp)
400967: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
40096e: 00 00
400970: 48 89 45 f8 mov %rax,-0x8(%rbp)
400974: 31 c0 xor %eax,%eax
400976: bf a0 0d 40 00 mov $0x400da0,%edi
40097b: e8 00 fe ff ff callq 400780 <puts@plt>
400980: bf b8 0d 40 00 mov $0x400db8,%edi
400985: e8 f6 fd ff ff callq 400780 <puts@plt>
40098a: bf f0 0d 40 00 mov $0x400df0,%edi
40098f: e8 ec fd ff ff callq 400780 <puts@plt>
400994: 83 7d ac 64 cmpl $0x64,-0x54(%rbp)
400998: 74 0a je 4009a4 <main+0x50>
40099a: b8 00 00 00 00 mov $0x0,%eax
40099f: e9 f6 02 00 00 jmpq 400c9a <main+0x346>
4009a4: 48 8b 45 a0 mov -0x60(%rbp),%rax
4009a8: 48 05 08 02 00 00 add $0x208,%rax
4009ae: 48 8b 00 mov (%rax),%rax
4009b1: 0f b6 00 movzbl (%rax),%eax
4009b4: 84 c0 test %al,%al
4009b6: 74 0a je 4009c2 <main+0x6e>
4009b8: b8 00 00 00 00 mov $0x0,%eax
4009bd: e9 d8 02 00 00 jmpq 400c9a <main+0x346>
4009c2: 48 8b 45 a0 mov -0x60(%rbp),%rax
4009c6: 48 05 10 02 00 00 add $0x210,%rax
4009cc: 48 8b 00 mov (%rax),%rax
4009cf: 48 89 c2 mov %rax,%rdx
4009d2: b8 2a 0e 40 00 mov $0x400e2a,%eax
4009d7: b9 04 00 00 00 mov $0x4,%ecx
4009dc: 48 89 d6 mov %rdx,%rsi
4009df: 48 89 c7 mov %rax,%rdi
4009e2: f3 a6 repz cmpsb %es:(%rdi),%ds:(%rsi)
4009e4: 0f 97 c2 seta %dl
4009e7: 0f 92 c0 setb %al
4009ea: 89 d1 mov %edx,%ecx
4009ec: 28 c1 sub %al,%cl
4009ee: 89 c8 mov %ecx,%eax
4009f0: 0f be c0 movsbl %al,%eax
4009f3: 85 c0 test %eax,%eax
4009f5: 74 0a je 400a01 <main+0xad>
4009f7: b8 00 00 00 00 mov $0x0,%eax
4009fc: e9 99 02 00 00 jmpq 400c9a <main+0x346>
400a01: bf 2e 0e 40 00 mov $0x400e2e,%edi
400a06: e8 75 fd ff ff callq 400780 <puts@plt>
400a0b: 48 8d 45 f0 lea -0x10(%rbp),%rax
400a0f: ba 04 00 00 00 mov $0x4,%edx
400a14: 48 89 c6 mov %rax,%rsi
400a17: bf 00 00 00 00 mov $0x0,%edi
400a1c: b8 00 00 00 00 mov $0x0,%eax
400a21: e8 ba fd ff ff callq 4007e0 <read@plt>
400a26: 48 8d 45 f0 lea -0x10(%rbp),%rax
400a2a: ba 04 00 00 00 mov $0x4,%edx
400a2f: be 3d 0e 40 00 mov $0x400e3d,%esi
400a34: 48 89 c7 mov %rax,%rdi
400a37: e8 c4 fd ff ff callq 400800 <memcmp@plt>
400a3c: 85 c0 test %eax,%eax
400a3e: 74 0a je 400a4a <main+0xf6>
400a40: b8 00 00 00 00 mov $0x0,%eax
400a45: e9 50 02 00 00 jmpq 400c9a <main+0x346>
400a4a: 48 8d 45 f0 lea -0x10(%rbp),%rax
400a4e: ba 04 00 00 00 mov $0x4,%edx
400a53: 48 89 c6 mov %rax,%rsi
400a56: bf 02 00 00 00 mov $0x2,%edi
400a5b: b8 00 00 00 00 mov $0x0,%eax
400a60: e8 7b fd ff ff callq 4007e0 <read@plt>
400a65: 48 8d 45 f0 lea -0x10(%rbp),%rax
400a69: ba 04 00 00 00 mov $0x4,%edx
400a6e: be 42 0e 40 00 mov $0x400e42,%esi
400a73: 48 89 c7 mov %rax,%rdi
400a76: e8 85 fd ff ff callq 400800 <memcmp@plt>
400a7b: 85 c0 test %eax,%eax
400a7d: 74 0a je 400a89 <main+0x135>
400a7f: b8 00 00 00 00 mov $0x0,%eax
400a84: e9 11 02 00 00 jmpq 400c9a <main+0x346>
400a89: bf 47 0e 40 00 mov $0x400e47,%edi
400a8e: e8 ed fc ff ff callq 400780 <puts@plt>
400a93: bf 56 0e 40 00 mov $0x400e56,%edi
400a98: e8 c3 fc ff ff callq 400760 <getenv@plt>
400a9d: ba 5b 0e 40 00 mov $0x400e5b,%edx
400aa2: b9 05 00 00 00 mov $0x5,%ecx
400aa7: 48 89 d6 mov %rdx,%rsi
400aaa: 48 89 c7 mov %rax,%rdi
400aad: f3 a6 repz cmpsb %es:(%rdi),%ds:(%rsi)
400aaf: 0f 97 c2 seta %dl
400ab2: 0f 92 c0 setb %al
400ab5: 89 d1 mov %edx,%ecx
400ab7: 28 c1 sub %al,%cl
400ab9: 89 c8 mov %ecx,%eax
400abb: 0f be c0 movsbl %al,%eax
400abe: 85 c0 test %eax,%eax
400ac0: 74 0a je 400acc <main+0x178>
400ac2: b8 00 00 00 00 mov $0x0,%eax
400ac7: e9 ce 01 00 00 jmpq 400c9a <main+0x346>
400acc: bf 60 0e 40 00 mov $0x400e60,%edi
400ad1: e8 aa fc ff ff callq 400780 <puts@plt>
400ad6: ba 6f 0e 40 00 mov $0x400e6f,%edx
400adb: b8 71 0e 40 00 mov $0x400e71,%eax
400ae0: 48 89 d6 mov %rdx,%rsi
400ae3: 48 89 c7 mov %rax,%rdi
400ae6: e8 45 fd ff ff callq 400830 <fopen@plt>
400aeb: 48 89 45 b8 mov %rax,-0x48(%rbp)
400aef: 48 83 7d b8 00 cmpq $0x0,-0x48(%rbp)
400af4: 75 0a jne 400b00 <main+0x1ac>
400af6: b8 00 00 00 00 mov $0x0,%eax
400afb: e9 9a 01 00 00 jmpq 400c9a <main+0x346>
400b00: 48 8d 45 f0 lea -0x10(%rbp),%rax
400b04: 48 8b 55 b8 mov -0x48(%rbp),%rdx
400b08: 48 89 d1 mov %rdx,%rcx
400b0b: ba 01 00 00 00 mov $0x1,%edx
400b10: be 04 00 00 00 mov $0x4,%esi
400b15: 48 89 c7 mov %rax,%rdi
400b18: e8 73 fc ff ff callq 400790 <fread@plt>
400b1d: 48 83 f8 01 cmp $0x1,%rax
400b21: 74 0a je 400b2d <main+0x1d9>
400b23: b8 00 00 00 00 mov $0x0,%eax
400b28: e9 6d 01 00 00 jmpq 400c9a <main+0x346>
400b2d: 48 8d 45 f0 lea -0x10(%rbp),%rax
400b31: ba 04 00 00 00 mov $0x4,%edx
400b36: be 73 0e 40 00 mov $0x400e73,%esi
400b3b: 48 89 c7 mov %rax,%rdi
400b3e: e8 bd fc ff ff callq 400800 <memcmp@plt>
400b43: 85 c0 test %eax,%eax
400b45: 74 0a je 400b51 <main+0x1fd>
400b47: b8 00 00 00 00 mov $0x0,%eax
400b4c: e9 49 01 00 00 jmpq 400c9a <main+0x346>
400b51: 48 8b 45 b8 mov -0x48(%rbp),%rax
400b55: 48 89 c7 mov %rax,%rdi
400b58: e8 43 fc ff ff callq 4007a0 <fclose@plt>
400b5d: bf 78 0e 40 00 mov $0x400e78,%edi
400b62: e8 19 fc ff ff callq 400780 <puts@plt>
400b67: ba 00 00 00 00 mov $0x0,%edx
400b6c: be 01 00 00 00 mov $0x1,%esi
400b71: bf 02 00 00 00 mov $0x2,%edi
400b76: e8 e5 fc ff ff callq 400860 <socket@plt>
400b7b: 89 45 c8 mov %eax,-0x38(%rbp)
400b7e: 83 7d c8 ff cmpl $0xffffffff,-0x38(%rbp)
400b82: 75 14 jne 400b98 <main+0x244>
400b84: bf 87 0e 40 00 mov $0x400e87,%edi
400b89: e8 f2 fb ff ff callq 400780 <puts@plt>
400b8e: b8 00 00 00 00 mov $0x0,%eax
400b93: e9 02 01 00 00 jmpq 400c9a <main+0x346>
400b98: 66 c7 45 d0 02 00 movw $0x2,-0x30(%rbp)
400b9e: c7 45 d4 00 00 00 00 movl $0x0,-0x2c(%rbp)
400ba5: 48 8b 45 a0 mov -0x60(%rbp),%rax
400ba9: 48 05 18 02 00 00 add $0x218,%rax
400baf: 48 8b 00 mov (%rax),%rax
400bb2: 48 89 c7 mov %rax,%rdi
400bb5: e8 96 fc ff ff callq 400850 <atoi@plt>
400bba: 0f b7 c0 movzwl %ax,%eax
400bbd: 89 c7 mov %eax,%edi
400bbf: e8 0c fc ff ff callq 4007d0 <htons@plt>
400bc4: 66 89 45 d2 mov %ax,-0x2e(%rbp)
400bc8: 48 8d 4d d0 lea -0x30(%rbp),%rcx
400bcc: 8b 45 c8 mov -0x38(%rbp),%eax
400bcf: ba 10 00 00 00 mov $0x10,%edx
400bd4: 48 89 ce mov %rcx,%rsi
400bd7: 89 c7 mov %eax,%edi
400bd9: e8 42 fc ff ff callq 400820 <bind@plt>
400bde: 85 c0 test %eax,%eax
400be0: 79 14 jns 400bf6 <main+0x2a2>
400be2: bf a0 0e 40 00 mov $0x400ea0,%edi
400be7: e8 94 fb ff ff callq 400780 <puts@plt>
400bec: b8 01 00 00 00 mov $0x1,%eax
400bf1: e9 a4 00 00 00 jmpq 400c9a <main+0x346>
400bf6: 8b 45 c8 mov -0x38(%rbp),%eax
400bf9: be 01 00 00 00 mov $0x1,%esi
400bfe: 89 c7 mov %eax,%edi
400c00: e8 0b fc ff ff callq 400810 <listen@plt>
400c05: c7 45 c4 10 00 00 00 movl $0x10,-0x3c(%rbp)
400c0c: 48 8d 55 c4 lea -0x3c(%rbp),%rdx
400c10: 48 8d 4d e0 lea -0x20(%rbp),%rcx
400c14: 8b 45 c8 mov -0x38(%rbp),%eax
400c17: 48 89 ce mov %rcx,%rsi
400c1a: 89 c7 mov %eax,%edi
400c1c: e8 1f fc ff ff callq 400840 <accept@plt>
400c21: 89 45 cc mov %eax,-0x34(%rbp)
400c24: 83 7d cc 00 cmpl $0x0,-0x34(%rbp)
400c28: 79 11 jns 400c3b <main+0x2e7>
400c2a: bf bd 0e 40 00 mov $0x400ebd,%edi
400c2f: e8 4c fb ff ff callq 400780 <puts@plt>
400c34: b8 00 00 00 00 mov $0x0,%eax
400c39: eb 5f jmp 400c9a <main+0x346>
400c3b: 48 8d 75 f0 lea -0x10(%rbp),%rsi
400c3f: 8b 45 cc mov -0x34(%rbp),%eax
400c42: b9 00 00 00 00 mov $0x0,%ecx
400c47: ba 04 00 00 00 mov $0x4,%edx
400c4c: 89 c7 mov %eax,%edi
400c4e: e8 1d fb ff ff callq 400770 <recv@plt>
400c53: 48 83 f8 04 cmp $0x4,%rax
400c57: 74 07 je 400c60 <main+0x30c>
400c59: b8 00 00 00 00 mov $0x0,%eax
400c5e: eb 3a jmp 400c9a <main+0x346>
400c60: 48 8d 45 f0 lea -0x10(%rbp),%rax
400c64: ba 04 00 00 00 mov $0x4,%edx
400c69: be 56 0e 40 00 mov $0x400e56,%esi
400c6e: 48 89 c7 mov %rax,%rdi
400c71: e8 8a fb ff ff callq 400800 <memcmp@plt>
400c76: 85 c0 test %eax,%eax
400c78: 74 07 je 400c81 <main+0x32d>
400c7a: b8 00 00 00 00 mov $0x0,%eax
400c7f: eb 19 jmp 400c9a <main+0x346>
400c81: bf d6 0e 40 00 mov $0x400ed6,%edi
400c86: e8 f5 fa ff ff callq 400780 <puts@plt>
400c8b: bf e5 0e 40 00 mov $0x400ee5,%edi
400c90: e8 2b fb ff ff callq 4007c0 <system@plt>
400c95: b8 00 00 00 00 mov $0x0,%eax
400c9a: 48 8b 75 f8 mov -0x8(%rbp),%rsi
400c9e: 64 48 33 34 25 28 00 xor %fs:0x28,%rsi
400ca5: 00 00
400ca7: 74 05 je 400cae <main+0x35a>
400ca9: e8 02 fb ff ff callq 4007b0 <__stack_chk_fail@plt>
400cae: c9 leaveq
400caf: c3 retq