Pwnalbe.kr C2.collision WP
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
| #include <stdio.h> #include <string.h> unsigned long hashcode = 0x21DD09EC; unsigned long check_password(const char* p){ int* ip = (int*)p; int i; int res=0; for(i=0; i<5; i++){ res += ip[i]; } return res; }
int main(int argc, char* argv[]){ if(argc<2){ printf("usage : %s [passcode]\n", argv[0]); return 0; } if(strlen(argv[1]) != 20){ printf("passcode length should be 20 bytes\n"); return 0; }
if(hashcode == check_password( argv[1] )){ system("/bin/cat flag"); return 0; } else printf("wrong passcode.\n"); return 0; }
|
代码如上
核心思路就是要一个五个字符的passcode。Sum[passcode] = 0x21DD09EC
那么就直接构造4个小的最后再用合减去就有了第五个字符。
payload
1
| $ ./col `python -c "print('\x01\x01\x01\x01'*4+'\xe8\x05\xd9\x1d')"`
|