0x1 [fd]
ssh fd@pwnable.kr -p2222 (pw:guest)
fd.c
#include <string.h>
/* Read target for main(): file-scope, so it starts zero-filled. Nothing
 * NUL-terminates it after read(); only the zero fill keeps strcmp() bounded. */
char buf[32];
/*
 * Challenge entry point (listing as shown on the page; only <string.h> is
 * visible above, so the declarations for printf/atoi/read/system/exit are
 * not part of this listing and a copy compiled as-is will hit
 * implicit-declaration diagnostics).
 *
 * Flow: argv[1] is parsed with atoi(), 0x1234 is subtracted, and the result
 * is used directly as the file descriptor for read(). The descriptor is
 * never range-checked and read()'s return value is stored but never used:
 * an invalid fd makes read() fail, buf keeps its zero-initialised contents
 * (file-scope array), and the strcmp() fails. argv[1] = 4660 (0x1234) gives
 * fd 0 = stdin, so the read takes what the user types (on a terminal,
 * typically one line).
 *
 * buf must equal "LETMEWIN\n" exactly, i.e. LETMEWIN followed by Enter.
 * Should read() ever fill all 32 bytes, buf would carry no terminator and
 * strcmp() would run past it; the 9-byte win input does not reach that case.
 */
int main(int argc, char* argv[], char* envp[]){
if(argc<2)
{
printf("pass argv[1] a number\n");
return 0;
}
/* Attacker-controlled: atoi() reports no parse errors and the offset
 * result is not validated before being handed to read(). */
int fd = atoi( argv[1] ) - 0x1234;
int len = 0;
/* Bytes read (or -1 on failure) is recorded but never checked. */
len = read(fd, buf, 32);
if(!strcmp("LETMEWIN\n", buf))
{
printf("good job :)\n");
system("/bin/cat flag");
exit(0);
}
printf("learn about Linux file IO\n");
return 0;
}
如果参数小于2时会输出 pass argv[1] a number
然而我们想让它执行的是/bin/cat flag
fd代表的是文件描述符,0-标准输入 1-标准输出 2-标准错误
要让 fd = 0（标准输入），需要 atoi(argv[1]) - 0x1234 == 0，即 argv[1] = 4660（十进制，等于十六进制 0x1234）。运行 ./fd 4660 后输入 LETMEWIN 并回车，read() 从标准输入读到 "LETMEWIN\n"，strcmp 匹配成功即执行 /bin/cat flag。注意程序既不检查 fd 是否合法，也不检查 read() 的返回值：传入其他数字时 read() 失败，buf 保持全零（全局数组），比较自然失败。
参考:https://blog.csdn.net/cywosp/article/details/38965239
***********************************************************************
0x2 [collision]
ssh col@pwnable.kr -p2222 (pw:guest)
col.c
#include <stdio.h>
#include <string.h>
/* Target value: the sum of the five 4-byte words of the 20-byte passcode
 * must equal this (compared as unsigned long in main()). */
unsigned long hashcode = 0x21DD09EC;
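/*
 * Sum the five 4-byte host-order words of a 20-byte passcode.
 *
 * p: must point to at least 20 readable bytes. No length is passed, so the
 *    caller's strlen(argv[1]) == 20 check in main() is the only bound that
 *    keeps the five word reads inside the argument.
 *
 * Returns the wrapped 32-bit sum, sign-extended to unsigned long exactly as
 * the original `int res` accumulator was (a sum with the top bit set becomes
 * a value with the upper 32 bits set on LP64 and so can never equal
 * hashcode; the only reachable match is the positive target).
 *
 * Behaviour-identical cleanup of the challenge function: the words are
 * fetched with memcpy() instead of `(int*)p` (argv strings are not 4-byte
 * aligned and the cast was an aliasing/misalignment UB), and the sum is
 * accumulated in unsigned arithmetic so the attacker-chosen overflow is
 * defined wraparound rather than signed-overflow UB.
 */
unsigned long check_password(const char* p){
	unsigned int sum = 0;
	for(int i=0; i<5; i++){
		unsigned int word;
		memcpy(&word, p + 4*(size_t)i, sizeof word);
		sum += word;
	}
	/* (int) reproduces the original's sign extension on return. */
	return (unsigned long)(int)sum;
}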
/*
 * Challenge entry point. Only this much of main() appears on the page: the
 * listing stops after the success branch, so the failure message and main's
 * closing brace are not shown here. system() is called with only <stdio.h>
 * and <string.h> visible in this listing.
 *
 * The only bound on argv[1] is strlen() == 20: check_password() takes no
 * length, so this check is what keeps its five 4-byte reads inside the
 * argument. Because argv strings end at the first NUL, a passcode must be
 * 20 non-zero bytes whose five host-order words (little-endian in the
 * payload below) sum, as a 32-bit int, to hashcode.
 */
int main(int argc, char* argv[]){
if(argc<2){
printf("usage : %s [passcode]\n", argv[0]);
return 0;
}
if(strlen(argv[1]) != 20){
printf("passcode length should be 20 bytes\n");
return 0;
}
/* Attacker-controlled 20 bytes against a fixed target: plain addition, so
 * a matching input is computed directly rather than brute-forced. */
if(hashcode == check_password( argv[1] )){
system("/bin/cat flag");
return 0;
}
目标是让 5 个 4 字节整数之和等于 0x21DD09EC。0x21DD09EC ÷ 5 = 0x06C5CEC8 余 4，所以取 4 × 0x06C5CEC8 + 0x06C5CECC = 0x21DD09EC。按小端序写成字节就是 "\xc8\xce\xc5\x06"*4 + "\xcc\xce\xc5\x06"（共 20 字节）。这些字节里都不含 0x00，否则 argv 会在 NUL 处被截断，strlen 检查就不再等于 20。
./col `python -c 'print "\xc8\xce\xc5\x06"*4 + "\xcc\xce\xc5\x06"'`
（反引号命令替换会去掉 print 输出末尾的换行符，所以实际传给 argv[1] 的正好是 20 字节；这里的 print 是 Python 2 语法。）