mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-10-19 01:12:52 +07:00
51 lines
1.4 KiB
Markdown
51 lines
1.4 KiB
Markdown
|
# 6.1 pwn hctf2016 brop
|
|||
|
|
|
|||
|
|
出题人在 github 上开源了代码,如下:
|
|||
|
|
```C
|
|||
|
|
#include <stdio.h>
|
|||
|
|
#include <unistd.h>
|
|||
|
|
#include <string.h>
|
|||
|
|
|
|||
|
|
int i;
|
|||
|
|
int check();
|
|||
|
|
|
|||
|
|
int main(void) {
|
|||
|
|
setbuf(stdin, NULL);
|
|||
|
|
setbuf(stdout, NULL);
|
|||
|
|
setbuf(stderr, NULL);
|
|||
|
|
|
|||
|
|
puts("WelCome my friend,Do you know password?");
|
|||
|
|
if(!check()) {
|
|||
|
|
puts("Do not dump my memory");
|
|||
|
|
} else {
|
|||
|
|
puts("No password, no game");
|
|||
|
|
}
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
int check() {
|
|||
|
|
char buf[50];
|
|||
|
|
read(STDIN_FILENO, buf, 1024);
|
|||
|
|
return strcmp(buf, "aslvkm;asd;alsfm;aoeim;wnv;lasdnvdljasd;flk");
|
|||
|
|
}
|
|||
|
|
```
|
|||
|
|
使用下面的语句编译,然后运行起来:
|
|||
|
|
```
|
|||
|
|
$ gcc -z noexecstack -fno-stack-protector -no-pie brop.c
|
|||
|
|
```
|
|||
|
|
checksec 如下:
|
|||
|
|
```
|
|||
|
|
$ checksec -f a.out
|
|||
|
|
RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
|
|||
|
|
Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH No 0 2 a.out
|
|||
|
|
```
|
|||
|
|
由于 socat 在程序崩溃时会断开连接,我们写一个小脚本,让程序在崩溃后立即重启,这样就模拟出了远程环境 `127.0.0.1:10001`:
|
|||
|
|
```bash
|
|||
|
|
#!/bin/sh
|
|||
|
|
while true; do
|
|||
|
|
num=`ps -ef | grep "socat" | grep -v "grep" | wc -l`
|
|||
|
|
if [ $num -lt 5 ]; then
|
|||
|
|
socat tcp4-listen:10001,reuseaddr,fork exec:./a.out &
|
|||
|
|
fi
|
|||
|
|
done
|
|||
|
|
```
|