[原创][writeup]CTFHUB-ret2VDSO
2023-3-11 15:22:56 Author: bbs.pediy.com(查看原文) 阅读量:15 收藏

.text:0000000000000A38     ; int __cdecl main(int argc, const char **argv, const char **envp)

.text:0000000000000A38     public main

.text:0000000000000A38     main proc near                          ; DATA XREF: _start+1D↑o

.text:0000000000000A38

.text:0000000000000A38     buf= byte ptr -50h

.text:0000000000000A38     choice= dword ptr -18h

.text:0000000000000A38     counter= dword ptr -14h

.text:0000000000000A38

.text:0000000000000A38     ; __unwind {

.text:0000000000000A38     push    rbp

.text:0000000000000A39     mov     rbp, rsp

.text:0000000000000A3C     push    rbx

.text:0000000000000A3D     sub     rsp, 48h

.text:0000000000000A41     ; 8:   setvbuf(_bss_start, 0LL, 2, 0LL);

.text:0000000000000A41     mov     rax, cs:__bss_start

.text:0000000000000A48     mov     ecx, 0                          ; n

.text:0000000000000A4D     mov     edx, 2                          ; modes

.text:0000000000000A52     mov     esi, 0                          ; buf

.text:0000000000000A57     mov     rdi, rax                        ; stream

.text:0000000000000A5A     call    _setvbuf

.text:0000000000000A5A

.text:0000000000000A5F     ; 9:   setvbuf(stdin, 0LL, 1, 0LL);

.text:0000000000000A5F     mov     rax, cs:[email protected]@GLIBC_2_2_5

.text:0000000000000A66     mov     ecx, 0                          ; n

.text:0000000000000A6B     mov     edx, 1                          ; modes

.text:0000000000000A70     mov     esi, 0                          ; buf

.text:0000000000000A75     mov     rdi, rax                        ; stream

.text:0000000000000A78     call    _setvbuf

.text:0000000000000A78

.text:0000000000000A7D     ; 10:   v8 = 2;

.text:0000000000000A7D     mov     [rbp+counter], 2

.text:0000000000000A84     jmp     loc_B10

.text:0000000000000A84

.text:0000000000000A89     ; ---------------------------------------------------------------------------

.text:0000000000000A89     ; 15:     choice = getInput();

.text:0000000000000A89

.text:0000000000000A89     loc_A89:                                ; CODE XREF: main+DC↓j

.text:0000000000000A89     mov     eax, 0

.text:0000000000000A8E     call    printMenu                       ; 打印菜单并获取用户输入数字

.text:0000000000000A8E                                             ; 1:getGift,判断用户输入和随机数是否相同

.text:0000000000000A8E                                             ; 2:overflow,栈溢出

.text:0000000000000A8E                                             ; 3:结束

.text:0000000000000A8E

.text:0000000000000A93     mov     [rbp+choice], eax

.text:0000000000000A96     ; 16:     if ( choice == 1 )

.text:0000000000000A96     cmp     [rbp+choice], 1

.text:0000000000000A9A     jnz     short loc_ADE

.text:0000000000000A9A

.text:0000000000000A9C     ; 18:       --v8;

.text:0000000000000A9C     sub     [rbp+counter], 1               

; ↓↓↓↓↓↓↓↓↓↓用户输入为1,getGift↓↓↓↓↓↓↓↓↓↓

.text:0000000000000AA0     ; 19:       puts("input num:");

.text:0000000000000AA0     lea     rdi, aInputNum                  ; "input num:"

.text:0000000000000AA7     call    _puts

.text:0000000000000AA7

.text:0000000000000AAC     ; 20:       seed = time(0LL);

.text:0000000000000AAC     mov     edi, 0                          ; timer

.text:0000000000000AB1     call    _time

.text:0000000000000AB1

.text:0000000000000AB6     ; 21:       srand(seed);

.text:0000000000000AB6     mov     edi, eax                        ; seed

.text:0000000000000AB8     call    _srand

.text:0000000000000AB8

.text:0000000000000ABD     ; 22:       inputNum = getInputNumber();

.text:0000000000000ABD     mov     eax, 0

.text:0000000000000AC2     call    getInputNumber

.text:0000000000000AC2

.text:0000000000000AC7     mov     ebx, eax

.text:0000000000000AC9     ; 23:       if ( inputNum == rand() )

.text:0000000000000AC9     call    _rand

.text:0000000000000AC9

.text:0000000000000ACE     cmp     ebx, eax

.text:0000000000000AD0     jnz     short loc_ADE

.text:0000000000000AD0

.text:0000000000000AD2     ;system("/bin/sh");getShell代码位于mainAD2处

.text:0000000000000AD2     lea     rdi, command                    ; "/bin/sh"

.text:0000000000000AD9     call    _system                        

; ↑↑↑↑↑↑↑↑↑↑↑用户输入为1:getGift↑↑↑↑↑↑↑↑↑↑↑↑↑

.text:0000000000000AD9

.text:0000000000000ADE     ; 26:     if ( choice == 2 )

.text:0000000000000ADE

.text:0000000000000ADE     loc_ADE:                                ; CODE XREF: main+62↑j

.text:0000000000000ADE                                             ; main+98↑j

.text:0000000000000ADE     cmp     [rbp+choice], 2

.text:0000000000000AE2     jnz     short loc_B0A                  

; ↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓用户输入为2:overflow↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓

.text:0000000000000AE2

.text:0000000000000AE4                               ; 28:       --v8;

.text:0000000000000AE4     sub     [rbp+counter], 1

.text:0000000000000AE8     ; 29:       puts("hello from ctfhub");

.text:0000000000000AE80    lea     rdi, aHelloFromCtfhu            ; "hello from ctfhub"

.text:0000000000000AEF     call    _puts

.text:0000000000000AEF

.text:0000000000000AF4     ; 30:       read(0, buf, 0xD0uLL);

.text:0000000000000AF4     lea     rax, [rbp+buf]

.text:0000000000000AF8     mov     edx, 0D0h                       ; nbytes

.text:0000000000000AFD     mov     rsi, rax                        ; buf

.text:0000000000000B00     mov     edi, 0                          ; fd

.text:0000000000000B05     call    _read                          

; ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑用户输入为2:overflow↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑

.text:0000000000000B05

.text:0000000000000B0A                               ; 33:   while ( choice != 3 );

.text:0000000000000B0A

.text:0000000000000B0A    loc_B0A:                                ; CODE XREF: main+AA↑j

.text:0000000000000B0A    cmp     [rbp+choice], 3

.text:0000000000000B0E    jz      short loc_B1C

.text:0000000000000B0E

.text:0000000000000B10    ; 13:     if ( !v8 )

.text:0000000000000B10

.text:0000000000000B10    loc_B10:                                ; CODE XREF: main+4C↑j

.text:0000000000000B10    cmp     [rbp+counter], 0

.text:0000000000000B14    ; 14:       break;

.text:0000000000000B14    jnz     loc_A89

.text:0000000000000B14

.text:0000000000000B1A    jmp     short loc_B1D

.text:0000000000000B1A

.text:0000000000000B1C    ; ---------------------------------------------------------------------------

.text:0000000000000B1C

.text:0000000000000B1C    loc_B1C:                                ; CODE XREF: main+D6↑j

.text:0000000000000B1C    nop

.text:0000000000000B1C

.text:0000000000000B1D    ; 34:   return 0;

.text:0000000000000B1D

.text:0000000000000B1D    loc_B1D:                                ; CODE XREF: main+E2↑j

.text:0000000000000B1D    mov     eax, 0

.text:0000000000000B22    add     rsp, 48h

.text:0000000000000B26    pop     rbx

.text:0000000000000B27    pop     rbp

.text:0000000000000B28    retn

.text:0000000000000B28    ; } // starts at A38

.text:0000000000000B28

.text:0000000000000B28                               main endp


文章来源: https://bbs.pediy.com/thread-276433.htm
如有侵权请联系:admin#unsafe.sh