pwnable.kr-collision -Writeup


Same as the first challenge (fd):
connect over ssh, run ls -l to list the files, then cat col.c, which gives the following code:

    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>   /* added: declares system(), which col.c calls without including it */
    unsigned long hashcode = 0x21DD09EC;
    unsigned long check_password(const char* p){
        int* ip = (int*)p;   /* reinterpret the 20-byte string as 32-bit ints */
        int i;
        int res=0;
        for(i=0; i<5; i++){
            res += ip[i];    /* sum of the five little-endian ints */
        }
        return res;
    }

    int main(int argc, char* argv[]){
        if(argc<2){
            printf("usage : %s [passcode]\n", argv[0]);
            return 0;
        }
        if(strlen(argv[1]) != 20){
            printf("passcode length should be 20 bytes\n");
            return 0;
        }

        if(hashcode == check_password( argv[1] )){
            system("/bin/cat flag");
            return 0;
        }
        else
            printf("wrong passcode.\n");
        return 0;
    }
  • The analysis goes as follows:
  • Looking at check_password(): when strlen(argv[1]) == 20, the return value of check_password() must equal 0x21DD09EC;

    Analysis shows that check_password() splits the 20-byte argv[1] into 5 chunks of 4 characters each. The characters are stored little-endian; the function reads 4 of them at a time through an int * pointer and sums the 5 values it reads.

  • The simplest idea is to make the first 16 bytes all \x00 and the last 4 bytes \xEC\x09\xDD\x21, but when tested this answer is wrong: looking it up, \x09 is the tab character, which truncates the input, and \x00 also truncates the input;
  • So a different input is constructed, '\x01'*16+'\xE8\x05\xD9\x1D'; the analysis is as follows:
  • The command can then be built as

    python -c "print '\x01'*16+'\xE8\x05\xD9\x1D'"

The difference between the \x and 0x hexadecimal notations:

  • Run the shellcode; the result is shown below, and the flag is daddy! I just managed to create a hash collision :)

    2017-2-5 0:55:56
Time: 2024-08-24 06:07:00
