PWN collision [pwnable.kr]CTF writeup题解系列2

题目地址：http://pwnable.kr/play.php

先看看题目

 都是简单题目，我直接把过程贴出来

aaa@qq.com:/ctf/work/reverse# ssh aaa@qq.com -p2222
aaa@qq.com's password: 
 ____  __    __  ____    ____  ____   _        ___      __  _  ____  
|    \|  |__|  ||    \  /    ||    \ | |      /  _]    |  |/ ]|    \ 
|  o  )  |  |  ||  _  ||  o  ||  o  )| |     /  [_     |  ' / |  D  )
|   _/|  |  |  ||  |  ||     ||     || |___ |    _]    |    \ |    / 
|  |  |  `  '  ||  |  ||  _  ||  O  ||     ||   [_  __ |     \|    \ 
|  |   \      / |  |  ||  |  ||     ||     ||     ||  ||  .  ||  .  \
|__|    \_/\_/  |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|
                                                                     
- Site admin : aaa@qq.com
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
Last login: Tue Dec 31 23:39:30 2019 from 125.238.93.17
aaa@qq.com:~$ ls -la
total 36
drwxr-x---   5 root    col     4096 Oct 23  2016 .
drwxr-xr-x 116 root    root    4096 Nov 12 21:34 ..
d---------   2 root    root    4096 Jun 12  2014 .bash_history
-r-sr-x---   1 col_pwn col     7341 Jun 11  2014 col
-rw-r--r--   1 root    root     555 Jun 12  2014 col.c
-r--r-----   1 col_pwn col_pwn   52 Jun 11  2014 flag
dr-xr-xr-x   2 root    root    4096 Aug 20  2014 .irssi
drwxr-xr-x   2 root    root    4096 Oct 23  2016 .pwntools-cache
aaa@qq.com:~$ exit
logout
Connection to pwnable.kr closed.
aaa@qq.com:/ctf/work/reverse# scp aaa@qq.com:/home/col/col ./
ssh: connect to host pwnable.kr port 22: Connection refused
aaa@qq.com:/ctf/work/reverse# scp -P 2222 aaa@qq.com:/home/col/col ./
aaa@qq.com's password: 
col                                                                                    100% 7341    26.7KB/s   00:00    
aaa@qq.com:/ctf/work/reverse#

下载之后打开ida做反编译，代码如下：

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax

  if ( argc > 1 )
  {
    if ( strlen(argv[1]) == 20 )
    {
      if ( check_password((int)argv[1]) == hashcode )
        system("/bin/cat flag");
      else
        puts("wrong passcode.");
      result = 0;
    }
    else
    {
      puts("passcode length should be 20 bytes");
      result = 0;
    }
  }
  else
  {
    printf("usage : %s [passcode]\n", *argv);
    result = 0;
  }
  return result;
}

int __cdecl check_password(int *arr_dwPasscode)
{
  signed int i; // [esp+4h] [ebp-Ch]
  int v3; // [esp+8h] [ebp-8h]

  v3 = 0;
  for ( i = 0; i <= 4; ++i )
    v3 += arr_dwPasscode[i];
  return v3;
}

还有一个关键变量定义

.data:0804A020                 public hashcode
.data:0804A020 hashcode        dd 21DD09ECh

然后就是要让下面这个判断成立

      if ( check_password((int)argv[1]) == hashcode )
        system("/bin/cat flag");

那就根据题目的意思写入5个32位的整数，因为不能有null（\x00），我就设置了4个p32(0x01010101)，这样就没有null了。

具体的python脚本如下：

#coding:utf8
#!/usr/bin/env python
 
from pwn import *
 
context.log_level = 'debug'
process_name = './col'
passcode = 0x21DD09EC
payload = p32(passcode-4*0x01010101) + p32(0x01010101)*4
p = process(argv=[process_name, payload], env={'LD_LIBRARY_PATH':'./'})
# p = process([process_name], env={'LD_LIBRARY_PATH':'./'})
# elf = ELF(process_name)

p.recv()
p.interactive()

服务器上不能写文件，但是可以打开python，执行情况如下：

aaa@qq.com:~$ python
Python 2.7.12 (default, Nov 12 2018, 14:36:49) 
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> #coding:utf8
... #!/usr/bin/env python
...  
... from pwn import *
>>>  
... context.log_level = 'debug'
>>> process_name = './col'
>>> passcode = 0x21DD09EC
>>> payload = p32(passcode-4*0x01010101) + p32(0x01010101)*4
>>> p = process(argv=[process_name, payload], env={'LD_LIBRARY_PATH':'./'})
[x] Starting local process './col' argv=['./col', '\xe8\x05\xd9\x1d\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01']  env={'LD_LIBRARY_PATH': './'} 
[+] Starting local process './col' argv=['./col', '\xe8\x05\xd9\x1d\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01']  env={'LD_LIBRARY_PATH': './'} : pid 319647
>>> # p = process([process_name], env={'LD_LIBRARY_PATH':'./'})
... # elf = ELF(process_name)
... 
>>> p.recv()
[DEBUG] Received 0x34 bytes:
    'daddy! I just managed to create a hash collision :)\n'
'daddy! I just managed to create a hash collision :)\n'
>>> p.interactive()
[*] Switching to interactive mode
[*] Process './col' stopped with exit code 0 (pid 319647)
[*] Got EOF while reading in interactive
[DEBUG] Sent 0x1 bytes:
    '\r' * 0x1
[*] Got EOF while sending in interactive