看雪论坛作者ID:vagr4nt
1
int vuln(){__int64 buf; // [rsp+0h] [rbp-10h]__int64 v2; // [rsp+8h] [rbp-8h]buf = 0LL;v2 = 0LL;printf("You can set message: ", 0LL, 0LL);read(0, &buf, 0x1AuLL);return printf("OK, recv!", &buf);}
signed __int64 __fastcall public_block_operation(__int64 a1, unsigned int *a2, __int64 a3, unsigned int a4, _DWORD *a5){_DWORD *v6; // [rsp+8h] [rbp-468h]char v7; // [rsp+30h] [rbp-440h]char m; // [rsp+140h] [rbp-330h]char e; // [rsp+250h] [rbp-220h]char c; // [rsp+360h] [rbp-110h]unsigned int edigits; // [rsp+468h] [rbp-8h]unsigned int ndigits; // [rsp+46Ch] [rbp-4h]v6 = a5;bn_decode((__int64)&m, 65u, a3, a4);bn_decode((__int64)&v7, 0x41u, (__int64)(v6 + 1), 256);bn_decode((__int64)&e, 0x41u, (__int64)(v6 + 65), 256);ndigits = bn_digits((__int64)&v7, 65);edigits = bn_digits((__int64)&e, 65);if ( (signed int)bn_cmp((__int64)&m, (__int64)&v7, ndigits) >= 0 )return 4097LL;bn_mod_exp((__int64)&c, (__int64)&m, (__int64)&e, edigits, (__int64)&v7, ndigits);*a2 = (unsigned int)(*v6 + 7) >> 3;bn_encode(a1, *a2, (__int64)&c, ndigits);memset(&c, 0, 0x104uLL);memset(&m, 0, 0x104uLL);return 0LL;}
注意到这里的e是用十六进制去存储的,也就是{0x01, 0x00, 0x01},即65537。N是小端序存储的,即0xdbea。
回到核心判断逻辑:
puts("Login\nPlease input your name:");v13 = read(0, buf, 0x100uLL);public_block_operation((__int64)v11, (unsigned int *)&v10, (__int64)buf, v13, &pk);for ( i = 0; i <= 255 && !v11[i]; ++i );v0 = &v11[i];v1 = v0[1];*(_QWORD *)s2 = *v0;v9 = v1;puts("Please input your password:");memset(buf, 0, 0x100uLL);v13 = read(0, buf, 0x100uLL);public_block_operation((__int64)v11, (unsigned int *)&v10, (__int64)buf, v13, &pk);for ( i = 0; i <= 255 && !v11[i]; ++i );v2 = &v11[i];v3 = v2[1];*(_QWORD *)s = *v2;v7 = v3;if ( strcmp("root", s2) )goto LABEL_22;if ( strlen(s) != 6 )goto LABEL_22;i = 0;while ( i <= 5 ){v4 = i++;asc_2040A3[v4] ^= 0x11u;}if ( !strcmp(asc_2040A3, s) ){puts("Welcome back, administrator. ");result = vuln();}
说穿了就是截取加密后密文的前8个字节,然后去和'root'作比较。这里可以用GDB简单调试验证下:
我输入的username是'aaa\n',跟进来在strcmp之前rsi的值与RSA加密结果的前几位一致。
下面那个password处理和这个同理,只不过加了一个简单异或,就不再赘述。
那么问题的核心就在于找到一个明文字符串,用公钥加密后的前几个字节必须是root。
from pwn import *rs = process('./rsa')rs.sendline('2')rs.recvuntil('your name:\n')fuck="TNH\x8b\x96\xca\xed\x02\xbdpb\xecv\xc2_\x87\x91\x8cFU\xf1^\xd7L3\xc4X\xcd1E\xc7d\xa7\xcb\x83\x08\xec\x1eQ\xfe;\xe5\xd1K\xf5\xa0\x06\xdc\x1a@Ux8\xe2kE[\xe9exn\x06\xe2\xd2\xadr\xcc\x99\x14n\xb0,\xe8\x95//\x0ca\\\n[\x9e4O\xde\x9b>\x9a\xedLf\xa0'a\x8b\xc7wW0\x85\n\xa4C\x94o\xab\xb4K\xfcDv\x96f5]c\x97\xd9`\x00\xbe\xc4R\x19\xd9Q\xeb<"rs.send(fuck)fuck2='\x80\xc7\x1e\xc6\xfe\x92\xee\xcb\xef2\xe3\xdf\xc2\xc2\x8a\xb0\xa6\xda\x8b\xbb\xddW\xbd9[\x97\xa9\xeeb\x9f\xba\xbe]\xa3\xd21(@\x04\x01\x9eg\\j\x89\xf2\xc6\xd2\x87\xd5\xeb\x8e\xbf\xcc\x00\xc0q\x89\x19?\xcf\xfcU\xfeq-{\xb6\xb9\xaf\xe8\xb6e\xcb\xb9\x12\x13.h\xce@\xd2\xcef\xff\xd8\xd2\xa5\xc4^\x8eKB\xee\xf5Q\x17X\xb60\xcd\xaa>7\x1f\x82S\xb9F Hg\xf5\xde\xb0r*\xda\x9a\xaa\x99M`\xe8,\xa0d\xb2'rs.recvuntil('your password:\n')rs.send(fuck2)rs.interactive()
看雪ID:vagr4nt
https://bbs.pediy.com/user-home-904020.htm
*本文由看雪论坛 vagr4nt 原创,转载请注明来自看雪社区
# 往期推荐
1. 【分析记录】疑似Confucius组织组件CuoliVXaRAT分析
球分享
球点赞
球在看
点击“阅读原文”,了解更多!
文章来源: http://mp.weixin.qq.com/s?__biz=MjM5NTc2MDYxMw==&mid=2458389238&idx=1&sn=59cd54605fadf3854a453b004c8367ec&chksm=b18f3a7c86f8b36af5d14b42e3eb498404c8f4ee99fc2111c36207e6e828d9a5c974f36d6ead#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh