[原创][writeup]CTFHUB-ret2VDSO
2023-3-11 15:22:56 Author: bbs.pediy.com(查看原文) 阅读量:11 收藏

.text:0000000000000A38     ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:0000000000000A38     ; Menu loop driven by printMenu(). counter ([rbp-14h]) starts at 2 and is
.text:0000000000000A38     ; decremented by choices 1 and 2, so at most two actions run before main returns.
.text:0000000000000A38     ; Frame layout (rbp-relative, after push rbp / push rbx / sub rsp,48h):
.text:0000000000000A38     ;   buf at -50h, choice at -18h, counter at -14h, saved rbx at -8,
.text:0000000000000A38     ;   saved rbp at 0, return address at +8.
.text:0000000000000A38     ; Choice 2 calls read(0, buf, 0xD0): 0xD0 bytes written from rbp-50h reach
.text:0000000000000A38     ;   rbp+80h, i.e. past choice, counter, saved rbx/rbp and the return address.
.text:0000000000000A38     ; Choice 1 seeds rand() from time(0) and calls system("/bin/sh") on a match.

.text:0000000000000A38     public main

.text:0000000000000A38     main proc near                          ; DATA XREF: _start+1D↑o

.text:0000000000000A38

.text:0000000000000A38     buf= byte ptr -50h                      ; read() target; only 38h bytes lie between it and choice

.text:0000000000000A38     choice= dword ptr -18h                  ; menu selection returned by printMenu

.text:0000000000000A38     counter= dword ptr -14h                 ; remaining actions; loop ends when it reaches 0

.text:0000000000000A38

.text:0000000000000A38     ; __unwind {

.text:0000000000000A38     push    rbp

.text:0000000000000A39     mov     rbp, rsp

.text:0000000000000A3C     push    rbx                             ; saved rbx lands at rbp-8

.text:0000000000000A3D     sub     rsp, 48h                        ; rsp = rbp-50h = &buf

.text:0000000000000A41     ; 8:   setvbuf(_bss_start, 0LL, 2, 0LL);

.text:0000000000000A41     mov     rax, cs:__bss_start             ; stdout (stored at __bss_start)

.text:0000000000000A48     mov     ecx, 0                          ; n

.text:0000000000000A4D     mov     edx, 2                          ; modes: 2 = _IONBF (unbuffered)

.text:0000000000000A52     mov     esi, 0                          ; buf

.text:0000000000000A57     mov     rdi, rax                        ; stream

.text:0000000000000A5A     call    _setvbuf

.text:0000000000000A5A

.text:0000000000000A5F     ; 9:   setvbuf(stdin, 0LL, 1, 0LL);

.text:0000000000000A5F     mov     rax, cs:[email protected]@GLIBC_2_2_5   ; stdin@@GLIBC_2_2_5 (symbol name mangled by the page's e-mail obfuscation)

.text:0000000000000A66     mov     ecx, 0                          ; n

.text:0000000000000A6B     mov     edx, 1                          ; modes: 1 = _IOLBF (line-buffered)

.text:0000000000000A70     mov     esi, 0                          ; buf

.text:0000000000000A75     mov     rdi, rax                        ; stream

.text:0000000000000A78     call    _setvbuf

.text:0000000000000A78

.text:0000000000000A7D     ; 10:   v8 = 2;

.text:0000000000000A7D     mov     [rbp+counter], 2                ; two actions allowed in total

.text:0000000000000A84     jmp     loc_B10                         ; enter the loop at the counter check

.text:0000000000000A84

.text:0000000000000A89     ; ---------------------------------------------------------------------------

.text:0000000000000A89     ; 15:     choice = getInput();

.text:0000000000000A89

.text:0000000000000A89     loc_A89:                                ; CODE XREF: main+DC↓j

.text:0000000000000A89     mov     eax, 0

.text:0000000000000A8E     call    printMenu                       ; print the menu and read the user's numeric choice

.text:0000000000000A8E                                             ; 1: getGift, compare the user's number with rand()

.text:0000000000000A8E                                             ; 2: overflow, read() into the stack buffer

.text:0000000000000A8E                                             ; 3: exit

.text:0000000000000A8E

.text:0000000000000A93     mov     [rbp+choice], eax

.text:0000000000000A96     ; 16:     if ( choice == 1 )

.text:0000000000000A96     cmp     [rbp+choice], 1

.text:0000000000000A9A     jnz     short loc_ADE

.text:0000000000000A9A

.text:0000000000000A9C     ; 18:       --v8;

.text:0000000000000A9C     sub     [rbp+counter], 1               

; ↓↓↓↓↓↓↓↓↓↓ choice == 1: getGift ↓↓↓↓↓↓↓↓↓↓

.text:0000000000000AA0     ; 19:       puts("input num:");

.text:0000000000000AA0     lea     rdi, aInputNum                  ; "input num:"

.text:0000000000000AA7     call    _puts

.text:0000000000000AA7

.text:0000000000000AAC     ; 20:       seed = time(0LL);

.text:0000000000000AAC     mov     edi, 0                          ; timer

.text:0000000000000AB1     call    _time

.text:0000000000000AB1

.text:0000000000000AB6     ; 21:       srand(seed);

.text:0000000000000AB6     mov     edi, eax                        ; seed = current time in seconds, so rand() is reproducible

.text:0000000000000AB8     call    _srand

.text:0000000000000AB8

.text:0000000000000ABD     ; 22:       inputNum = getInputNumber();

.text:0000000000000ABD     mov     eax, 0

.text:0000000000000AC2     call    getInputNumber

.text:0000000000000AC2

.text:0000000000000AC7     mov     ebx, eax                        ; ebx = user's number, kept across the rand() call

.text:0000000000000AC9     ; 23:       if ( inputNum == rand() )

.text:0000000000000AC9     call    _rand

.text:0000000000000AC9

.text:0000000000000ACE     cmp     ebx, eax

.text:0000000000000AD0     jnz     short loc_ADE                   ; mismatch: skip straight to the choice == 2 test

.text:0000000000000AD0

.text:0000000000000AD2     ; 24: system("/bin/sh"); the "getShell" code sits at .text:AD2; after system() returns, execution falls through into loc_ADE

.text:0000000000000AD2     lea     rdi, command                    ; "/bin/sh"

.text:0000000000000AD9     call    _system                        

; ↑↑↑↑↑↑↑↑↑↑↑ choice == 1: getGift ↑↑↑↑↑↑↑↑↑↑↑↑↑

.text:0000000000000AD9

.text:0000000000000ADE     ; 26:     if ( choice == 2 )

.text:0000000000000ADE

.text:0000000000000ADE     loc_ADE:                                ; CODE XREF: main+62↑j

.text:0000000000000ADE                                             ; main+98↑j

.text:0000000000000ADE     cmp     [rbp+choice], 2

.text:0000000000000AE2     jnz     short loc_B0A                  

; ↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓ choice == 2: overflow ↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓

.text:0000000000000AE2

.text:0000000000000AE4                               ; 28:       --v8;

.text:0000000000000AE4     sub     [rbp+counter], 1

.text:0000000000000AE8     ; 29:       puts("hello from ctfhub");

.text:0000000000000AE80    lea     rdi, aHelloFromCtfhu            ; "hello from ctfhub" (address column is mistyped in this listing: AE4+4 = AE8, and AE8+7 = AEF below)

.text:0000000000000AEF     call    _puts

.text:0000000000000AEF

.text:0000000000000AF4     ; 30:       read(0, buf, 0xD0uLL);

.text:0000000000000AF4     lea     rax, [rbp+buf]

.text:0000000000000AF8     mov     edx, 0D0h                       ; nbytes: 0xD0 > distance from buf to the return address (0x58), so the read can overwrite choice, counter, saved rbx/rbp and the return address

.text:0000000000000AFD     mov     rsi, rax                        ; buf

.text:0000000000000B00     mov     edi, 0                          ; fd

.text:0000000000000B05     call    _read                          

; ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑ choice == 2: overflow ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑

.text:0000000000000B05

.text:0000000000000B0A                               ; 33:   while ( choice != 3 );

.text:0000000000000B0A

.text:0000000000000B0A    loc_B0A:                                ; CODE XREF: main+AA↑j

.text:0000000000000B0A    cmp     [rbp+choice], 3                  ; note: choice is re-read from the stack here, after the read() above may have overwritten it

.text:0000000000000B0E    jz      short loc_B1C                    ; choice == 3: leave the loop

.text:0000000000000B0E

.text:0000000000000B10    ; 13:     if ( !v8 )

.text:0000000000000B10

.text:0000000000000B10    loc_B10:                                ; CODE XREF: main+4C↑j

.text:0000000000000B10    cmp     [rbp+counter], 0                 ; counter also lives inside the overflowable range

.text:0000000000000B14    ; 14:       break;

.text:0000000000000B14    jnz     loc_A89                          ; actions remaining: show the menu again

.text:0000000000000B14

.text:0000000000000B1A    jmp     short loc_B1D                    ; counter == 0: return

.text:0000000000000B1A

.text:0000000000000B1C    ; ---------------------------------------------------------------------------

.text:0000000000000B1C

.text:0000000000000B1C    loc_B1C:                                ; CODE XREF: main+D6↑j

.text:0000000000000B1C    nop

.text:0000000000000B1C

.text:0000000000000B1D    ; 34:   return 0;

.text:0000000000000B1D

.text:0000000000000B1D    loc_B1D:                                ; CODE XREF: main+E2↑j

.text:0000000000000B1D    mov     eax, 0

.text:0000000000000B22    add     rsp, 48h                         ; rsp back to rbp-8

.text:0000000000000B26    pop     rbx                              ; restores whatever is now at rbp-8

.text:0000000000000B27    pop     rbp                              ; restores whatever is now at rbp+0

.text:0000000000000B28    retn                                     ; returns to the address at rbp+8, which the choice-2 read() can have replaced

.text:0000000000000B28    ; } // starts at A38

.text:0000000000000B28

.text:0000000000000B28                               main endp


文章来源: https://bbs.pediy.com/thread-276433.htm