\u3069\u3046\u3082\u307f\u3080\u3089\u3067\u3059\u3002<\/p>\n
\u4e45\u3057\u3076\u308a\u306e SECCON CTF \u3068\u3044\u3046\u3053\u3068\u3067\u30c1\u30fc\u30e0\u4e00\u540c\u30ce\u30ea\u30ce\u30ea\u3067\u306f\u3057\u3083\u304e\u306a\u304c\u3089\u53c2\u52a0\u3057\u3066\u304d\u307e\u3057\u305f\u3002
\u30fb\u30fb\u30c1\u30fc\u30e0\u306f \u201cwasamusume\u201d \u3067\u3059\u3002 \u306a\u3093\u3060\u304b\u3093\u3060\u3067\u4eca\u5e74\u3082\u65d7\u3001\u632f\u3063\u3066\u307e\u3059\u3002<\/p>\n
<\/p>\n
\u3068\u308a\u3042\u3048\u305a\u79c1\u304c\u89e3\u3044\u305f\u306e\u306f\u3001<\/p>\n
*x86\u30a2\u30bb\u30f3\u30d6\u30e9\u3092\u8aad\u3082\u3046 (100)
*\u634f\u9020\u3055\u308c\u305f\u5951\u7d04\u66f8\u3092\u66b4\u3051 (300)
*\u7bb1\u5eadXSS\u30ea\u30bf\u30fc\u30f3\u30ba(300)
*\u7bb1\u5eadSQLi\u30c1\u30e3\u30ec\u30f3\u30b8(100)
*879,394bytes (100)<\/p>\n
\u306e\uff15\u3064\u3002<\/p>\n
\u3044\u304f\u3064\u304b\u52d8\u3067\u89e3\u3044\u3066\u3057\u307e\u3063\u305f\u3068\u3053\u308d\u304c\u3042\u308b\u306e\u3067\u3001
\u3061\u3083\u3093\u3068\u8aac\u660e\u51fa\u6765\u308b\u6240\u306e\u307f\u3092\u3002<\/p>\n
-----\n01361000 > 55 PUSH EBP\n01361001 8BEC MOV EBP,ESP\n01361003 83EC 08 SUB ESP,8\n01361006 C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0\n0136100D C745 F8 01000000 MOV DWORD PTR SS:[EBP-8],1\n01361014 EB 09 JMP SHORT test.0136101F\n01361016 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]\n01361019 83C0 01 ADD EAX,1\n0136101C 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX\n0136101F > 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]\n01361022 3B4D 08 CMP ECX,DWORD PTR SS:[EBP+8]\n01361025 7F 0B JG SHORT test.01361032\n01361027 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]\n0136102A 0355 F8 ADD EDX,DWORD PTR SS:[EBP-8]\n0136102D 8955 FC MOV DWORD PTR SS:[EBP-4],EDX\n01361030 ^EB E4 JMP SHORT test.01361016\n01361032 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]\n01361035 . 83E8 02 SUB EAX,2\n01361038 . 8BE5 MOV ESP,EBP\n0136103A . 5D POP EBP\n0136103B . C3 RETN\n...\n01361040 > . 55 PUSH EBP\n01361041 8BEC MOV EBP,ESP\n01361043 51 PUSH ECX\n01361044 C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0\n0136104B 6A FF PUSH FF\n0136104D E8 AEFFFFFF CALL test.01361000\n01361052 . 83C4 04 ADD ESP,4\n01361055 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX\n01361058 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]\n0136105B . 50 PUSH EAX\n0136105C . 68 F4203601 PUSH OFFSET \"FLAG{%d}\\n\"\n01361061 . FF15 A4203601 CALL DWORD PTR DS:[<&MSVCR100.printf>]\n01361067 . 83C4 08 ADD ESP,8\n-----<\/pre>\n<\/div>\n <\/p>\n
\u3044\u304d\u306a\u308a\u3053\u308c\u304c\u51fa\u308b\u3068\u3001\u300c\uff73\uff6f\u300d\u3068\u3059\u308b\u304b\u3082\u3057\u308c\u307e\u305b\u3093\u3002\u79c1\u3082\u3057\u307e\u3057\u305f\u3002
\n
\u30fb\u30fb\u67d0\u30ad\u30e3\u30f3\u30d7\u306e\u8aad\u7d4c\u304b\u30fb\u30fb\u3068\u3002<\/p>\n
\u3067\u3082\u51b7\u9759\u306b\u898b\u3066\u307f\u308b\u3068\u7d50\u69cb\u7c21\u5358\u306a\u3093\u3067\u3059\u306d\u3002<\/p>\n
\n---\n01361000 > 55 PUSH EBP\n01361001 8BEC MOV EBP,ESP\n01361003 83EC 08 SUB ESP,8\n01361006 C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0\n0136100D C745 F8 01000000 MOV DWORD PTR SS:[EBP-8],1\n01361014 EB 09 JMP SHORT test.0136101F\n01361016 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]\n01361019 83C0 01 ADD EAX,1\n0136101C 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX\n0136101F > 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]\n01361022 3B4D 08 CMP ECX,DWORD PTR SS:[EBP+8]\n01361025 7F 0B JG SHORT test.01361032\n01361027 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]\n0136102A 0355 F8 ADD EDX,DWORD PTR SS:[EBP-8]\n0136102D 8955 FC MOV DWORD PTR SS:[EBP-4],EDX\n01361030 ^EB E4 JMP SHORT test.01361016\n01361032 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]\n01361035 . 83E8 02 SUB EAX,2\n01361038 . 8BE5 MOV ESP,EBP\n0136103A . 5D POP EBP\n0136103B . C3 RETN\n---\n0136104B 6A FF PUSH FF\n0136104D E8 AEFFFFFF CALL test.01361000\n---\n0136105B . 50 PUSH EAX\n0136105C . 68 F4203601 PUSH OFFSET \"FLAG{%d}\\n\"\n01361061 . FF15 A4203601 CALL DWORD PTR DS:[<&MSVCR100.printf>]\n---<\/pre>\n<\/div>\n\u3082\u3046\u3001\u3053\u306e\u8fba\u3060\u3051\u898b\u3066\u304a\u3051\u3070\u5927\u4e08\u592b\u3002<\/p>\n
[EBP-4] \u3068\u304b\u3044\u308d\u3044\u308d\u3068\u66f8\u304b\u308c\u3066\u3044\u307e\u3059\u304c\u3001
\n
\u3071\u3063\u3068\u898b\u3067 Intel \u8a18\u6cd5\u3060\u306a\u30fc\u3068\u601d\u3063\u305f\u3089\u3001
\u53f3\u8fba\u306e\u3082\u306e\u3092\u5de6\u8fba\u306b\u79fb\u3059\uff08\u7d50\u679c\u304c\u5de6\u306b\u5165\u308b\uff09\u3068\u8a00\u3046\u3053\u3068\u3060\u3051\u8003\u3048\u306a\u304c\u3089\u898b\u3066\u3044\u304d\u307e\u3059\u3002<\/p>\n
\uff08AT&T \u8a18\u6cd5\u306a\u3089\u3001\u5de6\u304b\u3089\u53f3\u3078\u3002\uff09<\/p>\n
<\/p>\n
\u30fb\u30fb\u30fb\u3042\u3068\u306f\u3053\u308c\u3092\u3058\u3063\u304f\u308a\u8aad\u3080\u3068\u3001<\/p>\n
\ndef func(n):\n\ta = 0\n\tb = 1\n\twhile b <=n:\n\t\ta += b\n\t\tb += 1\n\ta -= 2\n\treturn a\n\nprint(\"FLAG{%d}\" % func(0xFF))\n<\/pre>\n<\/div>\n <\/p>\n
\u3053\u3093\u306a\u611f\u3058\u306b\u66f8\u304d\u76f4\u305b\u308b\u8a33\u3067\u3059\u306d\u3002
\n
\uff08\u30fb\u30fb Write-up \u306e\u918d\u9190\u5473\u304c\u5168\u529b\u3067\u30b9\u30ad\u30c3\u30d7\u3055\u308c\u3066\u3044\u308b\u6c17\u304c\u3059\u308b\u306e\u306f\u6c17\u306e\u305b\u3044\uff09<\/p>\n
\u3067\u3082\u3063\u3066\u3001\u5b9f\u884c\u3059\u308b\u3068 FLAG{32638} \u3068\u3044\u3046\u3053\u3068\u3067\u3002<\/p>\n
<\/p>\n
\u30fb\u30fb\u30fb\u30b9\u30ad\u30c3\u30d7\u3055\u308c\u3066\u5206\u304b\u3089\u306a\u3044\uff01 \u3063\u3066\u4eba\u306f\u5f8c\u3067\u500b\u5225\u306b\u9023\u7d61\u304f\u3060\u3055\u3044\uff08\u6c57<\/p>\n
<\/p>\n
\n\u634f\u9020\u3055\u308c\u305f\u5951\u7d04\u66f8\u3092\u66b4\u3051 <\/h4>\n
\u30c7\u30a3\u30b9\u30af\u30a4\u30e1\u30fc\u30b8\u304c\u6e21\u3055\u308c\u308b\u306e\u3067\u3001
\n
\u3053\u306e\u4e2d\u306e\u30c7\u30fc\u30bf\u304b\u3089\u634f\u9020\u306e\u8a3c\u62e0\u3092\u51fa\u3057\u3066\u306d\u3001\u3068\u3044\u3046\u3082\u306e\u3002<\/p>\n
\u5f53\u521d MFT (Master File Table) \u3092\u898b\u3066\u3044\u307e\u3057\u3066\u3001
\n
$FILE_NAME \u306e Create Time \u3058\u3083\u306a\u3044\u304b\u3068\u9001\u4fe1\u3057\u3066\u3044\u307e\u3057\u305f\u304c\u3069\u3046\u3082\u901a\u3089\u305a\u3002<\/p>\n
\u30fb\u30fb\u307e\u3055\u304b\u30fc\u3068\u601d\u3044\u306a\u304c\u3089 \u201c\u6a5f\u5bc6\u4fdd\u6301\u5951\u7d04\u66f8.docx\u201d \u30d5\u30a1\u30a4\u30eb\u5185\u306b\u3042\u308b\u30d5\u30a1\u30a4\u30eb\u3092\u898b\u3066\u3044\u3063\u305f\u3068\u3053\u308d\u3001
\n
\u4e2d\u306e jpg \u30d5\u30a1\u30a4\u30eb\u306b Exif \u60c5\u5831\u3068\u3057\u3066\u4f5c\u6210\u65e5\u6642\u304c\u4e57\u3063\u3066\u3044\u307e\u3057\u3066\u3001\u3053\u308c\u304c Flag.<\/p>\n
<\/p>\n
\u30fb\u30fb\u30fb\u3067\u3082\u3001 Exif \u3068\u3057\u3066\u30d5\u30a1\u30a4\u30eb\u306b\u66f8\u304b\u308c\u3066\u3044\u308b\u60c5\u5831\u3088\u308a\u3082\u3001
\n
MFT \u306e fnMFTModTime \u304c \u201c2012\/5\/23 04:56\u201d \u306b\u306a\u3063\u3066\u3044\u308b\u4e8b\u306e\u65b9\u304c\u3001 <\/p>\n
\u4fe1\u983c\u6027\u304c\u9ad8\u3044\u3068\u601d\u3046\u306e\u3067\u3059\u304c\u3001\u3046\u30fc\u3080\uff08<\/p>\n
<\/p>\n
\n\u4eca\u56de\u53c2\u52a0\u3057\u3066\u307f\u307e\u3057\u3066\u3001\u7d50\u69cb\u697d\u3057\u304b\u3063\u305f\u3067\u3059\u3002
\n
\u305f\u3060\u6700\u8fd1\u3001\u7247\u624b\u9593\u3067CTF \u3092\u3059\u308b\u611f\u3058\u3067\u306f\u30de\u30ba\u3044\u306a\u30fc\u3068\u601d\u3063\u3066\u3044\u307e\u3057\u3066 <\/p>\n
\uff08\u5927\u4f1a\u5f62\u5f0f\u306e CTF \u4ee5\u5916\u306f\u307b\u307c\u3084\u3063\u3066\u307e\u305b\u3093\u3057\u30fb\u30fb\u3002\uff09 <\/p>\n
\u3061\u3087\u3063\u3068\u52c9\u5f37\u306a\u308a\u3092\u59cb\u3081\u306a\u3044\u3068\u30de\u30ba\u3044\u304b\u306a\u3068\u601d\u3063\u3066\u307e\u3059\u3002 <\/p>\n
<\/p>\n
<\/p>\n
\u307e\u305f\u3001\u3084\u306f\u308a\u601d\u3046\u306e\u306f<\/p>\n
\n@mimura1133<\/a> \u304a\u304a\u3046w \u30d0\u30e9\u30d0\u30e9\u3067\u3042\u306e\u5f37\u3055\u3068\u306f\u6d41\u77f3w \u4eca\u5ea6\u306f\u3044\u3063\u3057\u3087\u306b\u30ef\u30a4\u30ef\u30a4\u3084\u308a\u307e\u3057\u3087\u3046\u306d<\/p>\n\u2014 alc@******** (@noritama_ususio) 2014, 7\u6708 19<\/a><\/p><\/blockquote>\n