{"id":71,"date":"2025-07-20T14:42:00","date_gmt":"2025-07-20T06:42:00","guid":{"rendered":"http:\/\/lycoreco.cn\/?p=71"},"modified":"2025-07-20T14:43:32","modified_gmt":"2025-07-20T06:43:32","slug":"ctfshow%e5%a0%86%e5%88%a9%e7%94%a8%e5%89%8d%e7%bd%ae%e5%9f%ba%e7%a1%80pwn135%e3%80%81pwn136","status":"publish","type":"post","link":"http:\/\/lycoreco.cn\/index.php\/2025\/07\/20\/ctfshow%e5%a0%86%e5%88%a9%e7%94%a8%e5%89%8d%e7%bd%ae%e5%9f%ba%e7%a1%80pwn135%e3%80%81pwn136\/","title":{"rendered":"ctfshow:\u5806\u5229\u7528\u524d\u7f6e\u57fa\u7840pwn135\u3001pwn136"},"content":{"rendered":"\n

1.pwn135\u5206\u6790<\/h2>\n\n\n\n

checksec:<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u538b\u529b\u611f<\/p>\n\n\n\n

\u770b\u4e00\u770bctfshow\u51fd\u6570\u7684\u4ee3\u7801,\u8f93\u51654\u5c31\u53ef\u4ee5\u62ffflag<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n


v1=1\u65f6<\/p>\n\n\n\n

 printf(\"Enter the size to allocate using malloc: \");\n    __isoc99_scanf(\"%lu\", &size);\n    ptr = malloc(size);\n  }\n  if ( ptr )\n    printf(\"Memory allocated at address: %p\\n\", ptr);\n  else\n    puts(\"Memory allocation failed.\");<\/code><\/pre>\n\n\n\n

\u76f8\u5f53\u4e8e\u7533\u8bf7\u5806<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u539f\u578b\uff1a<\/p>\n\n\n\n
void *malloc(size_t size);<\/code><\/pre>\n\n\n\n
e\u53c2\u6570\u8868\u793a\u8981\u5206\u914d\u7684\u5185\u5b58\u5757\u7684\u5927\u5c0f\uff08\u4ee5\u5b57\u8282\u4e3a\u5355\u4f4d\uff09\u3002malloc\u51fd\u6570\u8fd4\u56de\u4e00\u4e2a\u6307\u5411\u5df2\u5206\u914d\u5185\u5b58\u7684\u6307\u9488\uff0c\u5982\u679c\u5206\u914d\u5931\u8d25\uff0c\u5219\u8fd4\u56deNULL\u3002<\/em><\/p>\n\n\n\n
calloc() \u63a5\u53d7\u4e24\u4e2a\u53c2\u6570\uff1a\u8981\u5206\u914d\u7684\u5143\u7d20\u4e2a\u6570\u548c\u6bcf\u4e2a\u5143\u7d20\u7684\u5927\u5c0f\u3002<\/em><\/p>\n\n\n\n
v1=2\u65f6<\/p>\n\n\n\n
 printf(\"Enter the size to allocate using calloc: \");\n    __isoc99_scanf(\"%lu\", &size);\n    ptr = calloc(1uLL, size);<\/code><\/pre>\n\n\n\n

calloc() \u51fd\u6570\u7528\u4e8e\u5728 C \u8bed\u8a00\u4e2d\u52a8\u6001\u5206\u914d\u5185\u5b58\uff0c\u5e76\u5c06\u5206\u914d\u7684\u5185\u5b58\u521d\u59cb\u5316\u4e3a\u96f6\u3002\u4e0e malloc() \u4e0d\u540c\uff0ccalloc() \u4f1a\u5c06\u5206\u914d\u7684\u5185\u5b58\u5757\u521d\u59cb\u5316\u4e3a\u96f6\u3002<\/em><\/p>\n\n\n\n

v1=3\u65f6<\/p>\n\n\n\n
printf(\"Enter the size to allocate using realloc: \");\n    __isoc99_scanf(\"%lu\", &size);\n    ptr = realloc(ptr, size);<\/code><\/pre>\n\n\n\n
void *realloc(void *ptr, size_t size);<\/p>\n\n\n\n
ptr\uff1a\u6307\u5411\u9700\u8981\u91cd\u65b0\u5206\u914d\u7684\u5185\u5b58\u5757\u7684\u6307\u9488\uff0c\u8be5\u5185\u5b58\u5757\u5e94\u8be5\u662f\u4e4b\u524d\u901a\u8fc7malloc\u3001calloc\u6216realloc\u5206\u914d\u7684\u3002\u5982\u679cptr\u662f\u7a7a\u6307\u9488\uff0c\u5219realloc\u4f1a\u50cfmalloc\u4e00\u6837\u5206\u914d\u65b0\u7684\u5185\u5b58\u5757\u3002<\/p>\n\n\n\n
size\uff1a\u5185\u5b58\u5757\u7684\u65b0\u5927\u5c0f\uff0c\u5355\u4f4d\u662f\u5b57\u8282\u3002\u5982\u679csize\u4e3a0\uff0c\u5e76\u4e14ptr\u4e0d\u662f\u7a7a\u6307\u9488\uff0c\u90a3\u4e48ptr\u6240\u6307\u5411\u7684\u5185\u5b58\u5757\u4f1a\u88ab\u91ca\u653e\uff0c\u5e76\u8fd4\u56de\u4e00\u4e2a\u7a7a\u6307\u9488\u3002<\/p>\n\n\n\n
\u5982\u679c\u65b0\u7684\u5927\u5c0f\u5927\u4e8e\u539f\u6765\u7684\u5185\u5b58\u5757\uff0c\u4f1a\u79fb\u52a8\u5230\u65b0\u7684\u4f4d\u7f6e<\/p>\n\n\n\n
\u5982\u679c\u5c0f\u4e8e\u539f\u6765\u7684\u5185\u5b58\u5757\uff0c\u539f\u6765\u591a\u7684\u90e8\u5206\u4f1a\u88ab\u91ca\u653e<\/p>\n\n\n\n
2.pwn135flag<\/h2>\n\n\n\n
nc\u4ee5\u540e\u8f934\u5c31\u662f\u4e86\uff0c\u4ee3\u7801\u91cc\u5f88\u6e05\u695a<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
3.pwn136\u5206\u6790<\/h2>\n\n\n\n
\u770b\u770bctfshow\u51fd\u6570<\/p>\n\n\n\n
__int64 ctfshow()\n{\n  int v1; \/\/ [sp+Ch] [bp-24h]@7\n  void *ptr; \/\/ [sp+10h] [bp-20h]@1\n  void *v3; \/\/ [sp+18h] [bp-18h]@1\n  void *v4; \/\/ [sp+20h] [bp-10h]@1\n  __int64 v5; \/\/ [sp+28h] [bp-8h]@1\n\n  v5 = *MK_FP(__FS__, 40LL);\n  v3 = 0LL;\n  v4 = 0LL;\n  ptr = malloc(4uLL);\n  if ( ptr )\n  {\n    v3 = calloc(1uLL, 4uLL);\/\/\u5206\u914d\u4e86\u4e00\u4e2a\u5806\u5757\n    if ( v3 )\n    {\n      v4 = realloc(0LL, 4uLL);\n      if ( v4 )\n      {\n        __isoc99_scanf(\"%d\", &v1);\n        if ( v1 == 2 )\n        {\n          free(v3);\n          puts(\"ptr_calloc freed.\");\n          return *MK_FP(__FS__, 40LL) ^ v5;\n        }\n        if ( v1 > 2 )\n        {\n          if ( v1 == 3 )\n          {\n            free(v4);\n            puts(\"ptr_realloc freed.\");\n            return *MK_FP(__FS__, 40LL) ^ v5;\n          }\n          if ( v1 == 4 )\n          {\n            printf(\"Here is you want: \");\n            system(\"cat \/ctfshow_flag\");\n          }\n        }\n        else if ( v1 == 1 )\n        {\n          free(ptr);\n          puts(\"ptr_malloc freed.\");\n          return *MK_FP(__FS__, 40LL) ^ v5;\n        }\n        puts(\"Invalid choice.\");\n        return *MK_FP(__FS__, 40LL) ^ v5;\n      }\n      puts(\"Memory allocation failed for ptr_realloc.\");\n      free(ptr);\n      free(v3);\n    }\n    else\n    {\n      puts(\"Memory allocation failed for ptr_calloc.\");\n      free(ptr);\n    }\n  }\n  else\n  {\n    puts(\"Memory allocation failed for ptr_malloc.\");\n  }\n  return *MK_FP(__FS__, 40LL) ^ v5;\n}<\/code><\/pre>\n\n\n\n
\u4e5f\u662f\u4e00\u6837\u7684<\/p>\n\n\n\n
v1=4<\/p>\n\n\n\n
cat flag<\/p>\n\n\n\n
\u5176\u4ed6\u5c31\u662f\u5206\u522b\u7528pwn135\u4e2d\u7684\u4e09\u4e2a\u51fd\u6570\u7533\u8bf7\u4e86\u5806\u7136\u540efree\u6389<\/p>\n\n\n\n
\u6bd4\u5982\u8f93\u51651\u7136\u540e\u67e5\u770bheap:<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u5c31\u53ef\u4ee5\u770b\u5230\u6709chunk\u88abfree\u4e86\uff0c\u5176\u4ed6\u7684\u4e5f\u662f\u8fd9\u6837\u770b\u5c31\u884c\u3002<\/p>\n\n\n\n
2.pwn136flag<\/h2>\n\n\n\n
nc\u8f934\uff1a<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

ok\u660e\u5929\u7ee7\u7eed\u5b66\u4e60<\/p>\n","protected":false},"excerpt":{"rendered":"
1.pwn135\u5206\u6790 checksec: \u538b\u529b\u611f \u770b\u4e00\u770bctfshow\u51fd\u6570\u7684\u4ee3\u7801,\u8f93\u51654\u5c31\u53ef\u4ee5\u62ffflag v1 […]<\/p>\n","protected":false},"author":1,"featured_media":31,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4],"class_list":["post-71","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learn","tag-pwn"],"_links":{"self":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/71","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/comments?post=71"}],"version-history":[{"count":2,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/71\/revisions"}],"predecessor-version":[{"id":82,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/71\/revisions\/82"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media\/31"}],"wp:attachment":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media?parent=71"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/categories?post=71"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/tags?post=71"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}