1 col@prowl:~$ ls -al 2 total 36 3 drwxr-x--- 5 root col 4096 Oct 23 2016 . 4 drwxr-xr-x 114 root root 4096 May 19 15:59 .. 5 d--------- 2 root root 4096 Jun 12 2014 .bash_history 6 -r-sr-x--- 1 col_pwn col 7341 Jun 11 2014 col 7 -rw-r--r-- 1 root root 555 Jun 12 2014 col.c 8 -r--r----- 1 col_pwn col_pwn 52 Jun 11 2014 flag 9 dr-xr-xr-x 2 root root 4096 Aug 20 2014 .irssi 10 drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache 11 col@prowl:~$ cat col.c 12 #include <stdio.h> 13 #include <string.h> 14 unsigned long hashcode = 0x21DD09EC; 15 unsigned long check_password(const char* p){ 16 int* ip = (int*)p; 17 int i; 18 int res=0; 19 for(i=0; i<5; i++){ 20 res += ip[i]; 21 } 22 return res; 23 } 24 25 int main(int argc, char* argv[]){ 26 if(argc<2){ 27 printf("usage : %s [passcode] ", argv[0]); 28 return 0; 29 } 30 if(strlen(argv[1]) != 20){ 31 printf("passcode length should be 20 bytes "); 32 return 0; 33 } 34 35 if(hashcode == check_password( argv[1] )){ 36 system("/bin/cat flag"); 37 return 0; 38 } 39 else 40 printf("wrong passcode. "); 41 return 0; 42 }
参数构造20位,check_password函数内用int读char,即分成5个数
字符串以‘x00'结尾,所以用'x01'来填充,
0x21DD09EC-0x01010101*4=0x1DD905E8
col@prowl:~$ ./col $(python -c "print 'x01' * 16 + 'xE8x05xD9x1D'")
daddy! I just managed to create a hash collision :)