码迷,mamicode.com
首页 > 其他好文 > 详细

pwnable.kr input解题记录

时间:2018-12-16 11:10:50      阅读:120      评论:0      收藏:0      [点我收藏+]

标签:读写   you   turned   区分   build   自己   stage   create   open   

pwnable input解题记录

给了源码如下:

#include "stdio.h"
#include "unistd.h"
#include "stdlib.h"
#include "arpa/inet.h"

int main(){

    //stage argv
    char *argv[101] = {"/home/input2/input", [1 ... 99] = "A", NULL};
    argv[‘A‘] = "\x00";
    argv[‘B‘] = "\x20\x0a\x0d";
    argv[‘C‘] = "55555";

    //stage stdio
    int pipe2stdin[2] = {-1, -1};
    int pipe2stderr[2] = {-1, -1};
    pid_t childpid;

    //stage file
    FILE* fp = fopen("\x0a", "w");
    fwrite("\x00\x00\x00\x00", 4, 1, fp);
    fclose(fp);

    if(pipe(pipe2stdin) < 0 || pipe(pipe2stderr) < 0)
    {
        perror("Cannot create the pipe!");
        exit(1);
    }
    if((childpid = fork()) < 0)
    {
        perror("Cannot fork!");
        exit(1);
    }
    if(childpid == 0)
    {
        close(pipe2stdin[0]);  //close pipes of read
        close(pipe2stderr[0]);
        
        write(pipe2stdin[1], "\x00\x0a\x00\xff", 4);
        write(pipe2stderr[1], "\x00\x0a\x02\xff", 4);
    }
    else{
        close(pipe2stdin[1]); close(pipe2stderr[1]);   //close pipes of write
        dup2(pipe2stdin[0], 0); dup2(pipe2stderr[0], 2);
        close(pipe2stdin[0]); close(pipe2stderr[0]);
        
        //stage env
        char *envp[2] = {"\xde\xad\xbe\xef=\xca\xfe\xba\xbe", NULL};
    
        execve("/home/input2/input", argv, envp);
    }
    sleep(2);
    int sockfd;
    struct sockaddr_in server;
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if(sockfd < 0){
        perror("Socket build error!");
        exit(1);
    }
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = inet_addr("127.0.0.1");
    server.sin_port = htons(55555);
    if(connect(sockfd, (struct sockaddr*)&server, sizeof(server)) < 0){
        perror("Connect error!");
        exit(1);
    }
    char buf[4] = "\xde\xad\xbe\xef";
    write(sockfd, buf, 4);
    close(sockfd);
    
    return 0;
}

是为了让解题者满足代码中所需要满足的条件,总共5个,分别包括:参数传递、标准输入输出、环境变量、文件读写以及网络通信方面。

1.argv

??参数第‘A‘‘B‘位分别为"\x00"和"\x20\x0a\x0d",也就是第65位和第66位(第0位为可执行文件的路径),但是‘\x00‘会截断。
??于是使用execve运行input文件,execve函数在unistd(unix standard)头文件中:

int execve(const char path, char const argv[], char *const envp[]);

以argv参数进行传递相应参数。

2.stdio

ssize_t read(int fildes, void *buf, size_t nbytes);

摘自 http://codewiki.wikidot.com/c:system-calls:read

Field Description
int fildes The file descriptor of where to read the input. You can either use a file descriptor obtained from the open system call, or you can use 0, 1, or 2, to refer to standard input, standard output, or standard error, respectively.
const void *buf A character array where the read content will be stored.
size_t nbytes The number of bytes to read before truncating the data. If the data to be read is smaller than nbytes, all data is saved in the buffer.
return value Returns the number of bytes that were read. If value is negative, then the system call returned an error.

??可以看到分别需要从stdinstderr读取相关的数据,但是stderr没法写,于是需要用到c中的叫做管道(pipe)的东西可用于子进程与父进程之间的通讯使用;于是子进程向缓冲区写数据,而父进程先将定义的相应缓冲区分别替换stdin和stderr,之后则可以从缓冲区进行读取。

3.env

??getenv函数获取系统中环境变量,这个同样以execve进行处理,其中的envp参数进行传递。

4.file

??常规操作,自己创建一个文件,然后写"\x00\x00\x00\x00"进去然后再读即可。

5.network

??是以传递的第C个参数作为监听端口,以及socket通信获取传来的消息,采用本地通信。socket网络编程网上一搜就出来的,其实百度百科说的还挺清楚的...中间需要sleep几秒等待接收信息的服务开启,然后传递信息。


代码整理:

#include "stdio.h"
#include "unistd.h"
#include "stdlib.h"
#include "arpa/inet.h"

int main(){

    //stage argv
    char *argv[101] = {"/home/input2/input", [1 ... 99] = "A", NULL};
    argv[‘A‘] = "\x00";
    argv[‘B‘] = "\x20\x0a\x0d";
    argv[‘C‘] = "55555";

    //stage stdio
    int pipe2stdin[2] = {-1, -1};
    int pipe2stderr[2] = {-1, -1};
    pid_t childpid;

    //stage file
    FILE* fp = fopen("\x0a", "w");
    fwrite("\x00\x00\x00\x00", 4, 1, fp);
    fclose(fp);

    if(pipe(pipe2stdin) < 0 || pipe(pipe2stderr) < 0)
    {
        perror("Cannot create the pipe!");
        exit(1);
    }
    if((childpid = fork()) < 0)
    {
        perror("Cannot fork!");
        exit(1);
    }
    if(childpid == 0) //child process 
    {
        close(pipe2stdin[0]);  //close pipes of read
        close(pipe2stderr[0]);
        
        write(pipe2stdin[1], "\x00\x0a\x00\xff", 4);
        write(pipe2stderr[1], "\x00\x0a\x02\xff", 4);
    }
    else{            //parent process
        close(pipe2stdin[1]); close(pipe2stderr[1]);   //close pipes of write
        dup2(pipe2stdin[0], 0); dup2(pipe2stderr[0], 2);    //change stdin and stderr 
        close(pipe2stdin[0]); close(pipe2stderr[0]);
        
        //stage env
        char *envp[2] = {"\xde\xad\xbe\xef=\xca\xfe\xba\xbe", NULL};
    
        execve("/home/input2/input", argv, envp);
    }
    sleep(2);
    int sockfd;
    struct sockaddr_in server;
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if(sockfd < 0){
        perror("Socket build error!");
        exit(1);
    }
    server.sin_family = AF_INET;
    server.sin_addr.s_addr = inet_addr("127.0.0.1");
    server.sin_port = htons(55555);
    if(connect(sockfd, (struct sockaddr*)&server, sizeof(server)) < 0){
        perror("Connect error!");
        exit(1);
    }
    char buf[4] = "\xde\xad\xbe\xef";
    write(sockfd, buf, 4);
    close(sockfd);
    
    return 0;
}

参考链接:https://werewblog.wordpress.com/2016/01/11/pwnable-kr-input/

pwnable.kr input解题记录

标签:读写   you   turned   区分   build   自己   stage   create   open   

原文地址:https://www.cnblogs.com/zUotTe0/p/10125533.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!