[solved]
[pwn/point-plunderer]
더보기
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [rsp+8h] [rbp-18h] BYREF
unsigned int v5; // [rsp+Ch] [rbp-14h] BYREF
unsigned int v6; // [rsp+10h] [rbp-10h]
unsigned int v7; // [rsp+14h] [rbp-Ch]
unsigned __int64 v8; // [rsp+18h] [rbp-8h]
v8 = __readfsqword(0x28u);
setvbuf(stdin, 0LL, 2, 0LL);
setvbuf(_bss_start, 0LL, 2, 0LL);
v6 = 0x3E8;
v7 = 0x3E8;
puts("Welcome to ByteBreach Point Management System!\n");
printf("You currently have %d points.\n", 0x3E8LL);
puts("try to get 1 MILLION points and break the bank!");
while ( 1 )
{
puts("\nMenu:\n");
puts("1. Add Points\n");
puts("2. Subtract Points\n");
puts("3. Exit\n");
puts("Enter your choice: ");
__isoc99_scanf("%d", &v4);
if ( v4 == 3 )
break;
if ( v4 > 3 )
goto LABEL_13;
if ( v4 == 1 )
{
puts("Enter points to add: ");
__isoc99_scanf("%d", &v5);
if ( v7 <= v5 || (int)v5 <= 0 )
{
puts("Bank doesn't have enough points or malformed input\n");
}
else
{
v6 += v5;
v7 -= v5;
puts("Points added successfully.\n");
}
}
else
{
if ( v4 != 2 )
{
LABEL_13:
puts("Invalid choice! Please try again.\n");
goto LABEL_14;
}
puts("Enter points to subtract: ");
__isoc99_scanf("%d", &v5);
v6 -= v5;
v7 += v5;
puts("Points subtracted successfully.\n");
}
LABEL_14:
printf("Current points: %ul\n", v6);
if ( v6 > 0xF4240 )
system("/bin/sh");
}
puts("Exiting...\n");
return 0;
}
빼기 연산을 할 때 값에 대한 검증이 없다.
음수를 넣어주면 쉘이 나온다.
[solved]
[pwn/Snake]
더보기
뭔가 방법이 있을텐데..
'CTF' 카테고리의 다른 글
| BYUCTF 2024 (Pwn) (0) | 2024.05.19 |
|---|---|
| TBTL CTF 2024 (Pwn) (0) | 2024.05.18 |
| Grey Cat The Flag 2024 Qualifiers (0) | 2024.04.22 |
| AmateursCTF 2024 (1) | 2024.04.10 |
| [QWB CTF 2018] core (with write-up) (1) | 2024.04.04 |