Luna's Developer Diary

Right So,
I suppose I’ll just crack on with this,then.

Screenshot. 1

Mommy told me to make a passcode based login system.

My initial C code was compiled without any error!

Well, there was some compiler warning, but who cares about that?

Then,Let’s Just Connect Straight Away As Above.

1	ssh passcode@pwnable.kr -p2222 (pw:guest)

Screenshot. 2

Once Connected,You’d Then Use ls -l to
Check For Files.
And Upon Checking,You’ll Find:

flag

passecode

passecode.c

There Are Three Files In Total, You See.

Screenshot. 3

First off, if you run passcode

You Can See It Behaves As Shown Above.

Right,And Then With The cat Command

Let’s Have A Look At The passcode.c File.

Screenshot. 4

I know, rummaging through some decades-old

C language books at home,
and having a look at the code

it appears

there’s a function that takes input

I suppose it’s likely the login() function.

1 2	scanf("%d", passcode1); scanf("%d", passcode2);

So, these two, I’d imagine

The input value isn’t being stored in passcode1

it’s not.

Rather, it’s being stored at an address that’s meant for passcode1.

it’s being stored.

So, for example, if passcode1=0x123死5678,

it seems the value we input would then be stored at the 0x123死5678 address.

it seems the value we input would then be stored.

Both variables likely contain dummy values as they haven’t been initialised

and given that the input value is then being stored at an address derived from that dummy value

well, that’s where the error crops up, isn’t it?

Right, then let’s have a look with gdb.

Screenshot. 4

First off, if you have a look at the ‘welcome’ function, it stores the input value at ebp-0x70

it stores the input value at ebp-0x70.

And then, with the login function, you’ll see:

Screenshot. 5

You can tell that ebp-0x10 is where passcode1 is located.

is located.

Now, welcome() receives 100 bytes of input, but

– \[ebp-0x10\]


So,one can in fact manipulate the ```passcode``` value



Right, then as we can insert the desired value at the address that is the value of 'passcode1'

we can therefore insert the desired value at the desired address

we can therefore insert the desired value



Following that, we simply change the GOT address of ```fflush()``` to the ```system()``` portion of ```login()```.

we simply change the ```system()``` address



So, then let's find the GOT address of ```fflush()``` and
the address of the ```system()``` portion of ```login()```

let's find the address of the ```system()```portion of ```login()```


<img src="https://luna0x03.github.io/PostImages/White%20Hacking/CTF/pwnable.kr/Passcode%20Problem%20Solving/11.png" alt="미리보기 방지" width="300" style="text-align: left;">


Screenshot. 6

The GOT address for ```fflush``` is ```0x0804a004```.


<img src="https://luna0x03.github.io/PostImages/White%20Hacking/CTF/pwnable.kr/Passcode%20Problem%20Solving/12.png" alt="미리보기 방지" width="300" style="text-align: left;">


Screenshot. 7

If you look at the beginning of 
the 'system' function

you can see it's ```0x080485e3```

then, if we construct the payload



It becomes ```dummy\[96\]+fflush()```s ```got\[4\]```

and ```system()``` ```\[4\]```



Now, ```system()\[4\]``` as ```scanf()``` receives integers here Is


we need to convert ```system()\[4\]``` to an integer and send it

we need to convert it to an integer and send it



```0x80485e3 = 134514147```

``` bash
(python -c 'print "D"*96 + "\x04\xa0\x04\x08"'; cat) | ./passcode