Created
March 1, 2019 11:02
fsb pwnable
#include <stdio.h>
#include <alloca.h>
#include <fcntl.h>

/*
 * NOTE(review): the code below calls read(), sleep(), execve() and close()
 * (declared in <unistd.h>) and strtoull() (declared in <stdlib.h>), but
 * neither header is included here. Without a prototype in scope, a compiler
 * that still accepts implicit declarations assumes an int return type, which
 * for strtoull() can drop the upper half of the parsed value -- confirm
 * against the actual build before reasoning about the key comparison.
 */

/* Secret value; main() fills it with 8 bytes read from /dev/urandom. */
unsigned long long key;

/*
 * File-scope input buffers, 100 bytes each. Both are filled with
 * read(0, ..., 100), which may write all 100 bytes and never appends a
 * terminating '\0'.
 */
char buf[100];  /* input for each format-string round in fsb() */
char buf2[100]; /* the decimal key guess read by fsb() */
/*
 * fsb - body of the exercise.
 *
 * Wipes the argument and environment strings, passes four inputs from stdin
 * to printf() as the format string, then reads a decimal guess and compares
 * it with the global key. On a match it replaces the process with /bin/sh.
 *
 * argv, envp: NULL-terminated string vectors from main(); every string is
 *             overwritten with '\0' bytes in place.
 * Returns 0 on every path that returns.
 *
 * Review notes:
 *  - printf(buf) is an uncontrolled format string (CWE-134): buf comes
 *    straight from stdin, so conversion specifiers in the input are
 *    interpreted by printf() instead of being printed. This is the
 *    deliberate flaw of the exercise. The safe forms are
 *    printf("%s", buf) or fputs(buf, stdout); -Wformat -Wformat-security
 *    reports the pattern at compile time.
 *  - Neither read() return value is checked and read() does not
 *    NUL-terminate. A full 100-byte read leaves buf/buf2 unterminated, and
 *    a shorter read leaves bytes from an earlier round behind the new data.
 *  - strtoull() is called with no end pointer and no errno check, so
 *    non-numeric or out-of-range input is not detected.
 */
int fsb(char** argv, char** envp){
    char *shell_argv[] = { "/bin/sh", 0 };
    int round;
    char ***argv_slot = &argv;
    char ***envp_slot = &envp;
    char **entry;
    char *ch;

    /* Overwrite every argument string with NUL bytes, in place. */
    for (entry = argv; *entry; entry++) {
        ch = *entry;
        while (*ch) {
            *ch = '\0';
            ch++;
        }
    }

    /* Same for every environment string. */
    for (entry = envp; *entry; entry++) {
        ch = *entry;
        while (*ch) {
            *ch = '\0';
            ch++;
        }
    }

    /* Clear this function's own copies of the two vector pointers. */
    *argv_slot = 0;
    *envp_slot = 0;

    /* Four rounds; the prompt counts from 1 to 4. */
    for (round = 1; round <= 4; round++) {
        printf("Give me some format strings(%d)\n", round);
        read(0, buf, 100);
        printf(buf); /* CWE-134: stdin data used as the format string */
    }

    printf("Wait a sec...\n");
    sleep(3);

    printf("key : \n");
    read(0, buf2, 100);
    unsigned long long guess = strtoull(buf2, 0, 10);

    if (guess != key) {
        printf("Incorrect key \n");
        return 0;
    }

    printf("Congratz!\n");
    /* The environment pointer is 0; the shell starts with no environment. */
    execve(shell_argv[0], shell_argv, 0);
    return 0; /* reached only if execve() fails */
}
/*
 * main - seed the global key and hand control to fsb().
 *
 * Reads 8 bytes from /dev/urandom into key. If the device cannot be opened
 * or fewer than 8 bytes arrive, prints an error and returns 0 (the exit
 * status does not signal the failure). argc is unused.
 *
 * Review note: when open() succeeds but the read comes up short, fd is not
 * closed before returning; the process exits right after.
 */
int main(int argc, char* argv[], char** envp){
    int fd = open("/dev/urandom", O_RDONLY);
    /* Short-circuit keeps read() from running on a failed open(). */
    int seeded = (fd != -1) && (read(fd, &key, 8) == 8);

    if (!seeded) {
        printf("Error, tell admin\n");
        return 0;
    }
    close(fd);

    /*
     * The returned pointer is discarded. The call reserves a key-dependent
     * number of bytes (at most 0x12345) in main's stack frame before fsb()
     * is called.
     */
    alloca(0x12345 & key);

    fsb(argv, envp); // exploit this format string bug!
    return 0;
}