C:\Users\user>E:\pwnable\protostar\net1.py
쿸?
?
Ran it just for fun; hmm, analyzing the code is a chore.
(gdb) disas run
Dump of assembler code for function run:
0x0804981a <run+0>: push ebp
0x0804981b <run+1>: mov ebp,esp
0x0804981d <run+3>: sub esp,0x38
0x08049820 <run+6>: call 0x8048b10 <random@plt>
//random() again, as in the previous level
0x08049825 <run+11>: mov DWORD PTR [ebp-0x28],eax
0x08049828 <run+14>: mov edx,DWORD PTR [ebp-0x28] //the random value goes into edx
0x0804982b <run+17>: mov eax,0x8049d54 //%d
0x08049830 <run+22>: mov DWORD PTR [esp+0x8],edx
0x08049834 <run+26>: mov DWORD PTR [esp+0x4],eax
0x08049838 <run+30>: lea eax,[ebp-0x24]
0x0804983b <run+33>: mov DWORD PTR [esp],eax
0x0804983e <run+36>: call 0x8048a90 <sprintf@plt>
//sprintf(buffer(ebp-0x24), %d, random());
//formats the random value as decimal text into the buffer
0x08049843 <run+41>: mov DWORD PTR [esp+0x8],0x4
0x0804984b <run+49>: lea eax,[ebp-0x28]
0x0804984e <run+52>: mov DWORD PTR [esp+0x4],eax
0x08049852 <run+56>: mov DWORD PTR [esp],0x0
0x08049859 <run+63>: call 0x8048b50 <write@plt>
//write(0, &random_val, 4); sends the 4 raw bytes of the int, not text
0x0804985e <run+68>: cmp eax,0x4
0x08049861 <run+71>: je 0x8049877 <run+93>
0x08049863 <run+73>: mov DWORD PTR [esp+0x4],0x8049d57
(gdb) x/s 0x8049d57
0x8049d57: ":(\n"
0x0804986b <run+81>: mov DWORD PTR [esp],0x1
0x08049872 <run+88>: call 0x8048c60 <errx@plt>
//checks whether write's return value (the number of bytes written) is 4; if it is, no error is raised
0x08049877 <run+93>: mov eax,ds:0x804af68 //stdin
0x0804987c <run+98>: mov DWORD PTR [esp+0x8],eax
0x08049880 <run+102>: mov DWORD PTR [esp+0x4],0xb
0x08049888 <run+110>: lea eax,[ebp-0x18]
0x0804988b <run+113>: mov DWORD PTR [esp],eax
0x0804988e <run+116>: call 0x8048b70 <fgets@plt>
//fgets(buffer2(ebp-0x18), 11, stdin);
0x08049893 <run+121>: test eax,eax
0x08049895 <run+123>: jne 0x80498ab <run+145>
0x08049897 <run+125>: mov DWORD PTR [esp+0x4],0x8049d57
0x0804989f <run+133>: mov DWORD PTR [esp],0x1
0x080498a6 <run+140>: call 0x8048c60 <errx@plt>
0x080498ab <run+145>: mov DWORD PTR [esp+0x4],0xd
0x080498b3 <run+153>: lea eax,[ebp-0x18]
0x080498b6 <run+156>: mov DWORD PTR [esp],eax
0x080498b9 <run+159>: call 0x8048b40 <strchr@plt>
//looks for 0xd (CR) in the user input.
0x080498be <run+164>: mov DWORD PTR [ebp-0xc],eax
0x080498c1 <run+167>: cmp DWORD PTR [ebp-0xc],0x0
0x080498c5 <run+171>: je 0x80498cd <run+179>
//if found, continues below
0x080498c7 <run+173>: mov eax,DWORD PTR [ebp-0xc]
0x080498ca <run+176>: mov BYTE PTR [eax],0x0
//writes a null byte where the 0xd was
0x080498cd <run+179>: mov DWORD PTR [esp+0x4],0xa
0x080498d5 <run+187>: lea eax,[ebp-0x18]
0x080498d8 <run+190>: mov DWORD PTR [esp],eax
0x080498db <run+193>: call 0x8048b40 <strchr@plt>
This time it looks for 0xa (LF).
0x080498e0 <run+198>: mov DWORD PTR [ebp-0xc],eax
0x080498e3 <run+201>: cmp DWORD PTR [ebp-0xc],0x0
0x080498e7 <run+205>: je 0x80498ef <run+213>
0x080498e9 <run+207>: mov eax,DWORD PTR [ebp-0xc]
0x080498ec <run+210>: mov BYTE PTR [eax],0x0
//again writes a null byte where the 0xa was
0x080498ef <run+213>: lea eax,[ebp-0x18]
0x080498f2 <run+216>: mov DWORD PTR [esp+0x4],eax
0x080498f6 <run+220>: lea eax,[ebp-0x24]
0x080498f9 <run+223>: mov DWORD PTR [esp],eax
0x080498fc <run+226>: call 0x8048d50 <strcmp@plt>
//compares the user input (ebp-0x18) with the value already in the buffer (ebp-0x24).
0x08049901 <run+231>: test eax,eax
0x08049903 <run+233>: jne 0x8049913 <run+249>
0x08049905 <run+235>: mov DWORD PTR [esp],0x8049d5b
0x0804990c <run+242>: call 0x8048cf0 <puts@plt>
(gdb) x/s 0x8049d5b
0x8049d5b: "you correctly sent the data"
If they match, this is printed.
0x08049911 <run+247>: jmp 0x804991f <run+261>
0x08049913 <run+249>: mov DWORD PTR [esp],0x8049d78
0x0804991a <run+256>: call 0x8048cf0 <puts@plt>
(gdb) x/s 0x8049d78
0x8049d78: "you didn't send the data properly"
Otherwise, this one.
0x0804991f <run+261>: leave
0x08049920 <run+262>: ret
End of assembler dump.
Well, it only strips 0d0a, so it seems to be removing any line ending, that sort of thing.
Since the check is strcmp, the value has to be sent as a string; the random value arrives as an int, so receive it as an int and send it back as its decimal string.
import socket, struct

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.40.141', 2998))
# the server writes the random value as 4 raw little-endian bytes
data = struct.unpack('<I', s.recv(4))[0]
# strcmp() compares text, so send the integer back as a decimal string
s.send(str(data).encode())
print(s.recv(1024).decode())
s.close()
C:\Users\user>E:\pwnable\protostar\net1.py
you correctly sent the data
Anyway, it can be solved just like this.
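As an added example (not the author's script), here is a local model of both sides of the exchange the disassembly describes: the server side mirrors run() (4 raw bytes out, fgets of at most 10 characters, CR and LF cut to NUL, strcmp), the client side does what net1.py does. The socket pair and the sample random value are constructed stand-ins for the real service on port 2998.

```python
import socket
import struct
import threading

# Constructed model of the net1 run() logic seen in the disassembly.
def server_check(random_value, client_bytes):
    expected = b"%d" % random_value           # sprintf(buf, "%d", random())
    line = client_bytes[:10]                  # fgets(buf, 11, stdin) reads <= 10 chars
    nl = line.find(b"\n")
    if nl != -1:
        line = line[:nl + 1]                  # ...and stops right after a newline
    line = line.split(b"\x00", 1)[0]          # C string functions stop at NUL
    for ch in (b"\r", b"\n"):                 # strchr(buf, 0xd) then strchr(buf, 0xa)
        cut = line.find(ch)
        if cut != -1:
            line = line[:cut]                 # the found byte is overwritten with NUL
    return line == expected                   # strcmp(buf1, buf2) == 0

def encode_random(random_value):
    return struct.pack("<I", random_value)    # write(0, &random_val, 4): raw bytes

def client_reply(raw4):
    value = struct.unpack("<I", raw4)[0]      # recover the int from the 4 raw bytes
    return str(value).encode()                # strcmp needs the decimal text

def run_exchange(random_value):
    """Play both sides over a local socket pair (constructed stand-in for port 2998)."""
    srv, cli = socket.socketpair()
    outcome = []
    def server():
        srv.sendall(encode_random(random_value))
        outcome.append(server_check(random_value, srv.recv(1024)))
        srv.close()
    t = threading.Thread(target=server)
    t.start()
    cli.sendall(client_reply(cli.recv(4)) + b"\n")   # what net1.py sends, plus a newline
    t.join()
    cli.close()
    return outcome[0]

if __name__ == "__main__":
    sample = 1804289383                       # constructed sample random() value
    print("decimal text:", run_exchange(sample))                             # True
    print("raw bytes echoed:", server_check(sample, encode_random(sample)))  # False
```

A 10-digit value such as 2147483647 fills the fgets window exactly, so its newline is never read and the strchr cuts find nothing, yet the compare still succeeds.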