[Pwnable.kr] input
很麻烦的题目,execve传参和环境变量、文件描述符重定向、管道、socket等,没啥好说的。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 |
#include <stdio.h> #include <unistd.h> #include <sys/socket.h> #include <string.h> #include <arpa/inet.h> int main() { system("ln -s /home/input/flag ./flag"); // for stage 1 char* argv[101]; memset(argv, 0, sizeof(argv)); int i; for (i = 0; i < 100; i++) { argv[i] = "a"; } argv['A'] = "\x00"; argv['B'] = "\x20\x0a\x0d"; argv['C'] = "19696"; // this is prepared for stage 5 // for stage 3 char *env[2] = {"\xde\xad\xbe\xef=\xca\xfe\xba\xbe"}; //for stage 4 FILE *fp; if ((fp = fopen("\x0a", "w")) == NULL) { printf("open file error\n"); return 0; } fwrite("\x00\x00\x00\x00", 4, 1, fp); fclose(fp); //for stage 2 int pipe0[2], pipe2[2]; if (pipe(pipe0) == -1 || pipe(pipe2) == -1) { printf("pipe error\n"); return 0; } if (!fork()) { dup2(pipe0[0], 0); dup2(pipe2[0], 2); execve("/home/input/input", argv, env); } else { // for stage 2 write(pipe0[1], "\x00\x0a\x00\xff", 4); write(pipe2[1], "\x00\x0a\x02\xff", 4); // for stage 5 sleep(5); struct sockaddr_in saddr; int sock = socket(AF_INET, SOCK_STREAM, 0); if (sock == -1) { printf("socket error\n"); return 0; } saddr.sin_family = AF_INET; saddr.sin_port = htons('a'); saddr.sin_addr.s_addr = inet_addr("localhost"); connect(sock, (struct sockaddr *)&saddr, sizeof(saddr)); send(sock, "\xde\xad\xbe\xef", 4, 0); } return 0; } |