当前位置: 首页 > news >正文

CTF-PWN: 全保护下格式化字符串利用 [第一届“吾杯”网络安全技能大赛 如果能重来] 赛后学习(没思路了)

news 2025/12/15 13:38:35 
通过网盘分享的文件:如果能重来.zip
链接: https://pan.baidu.com/s/1XKIJx32nWVcSpKiWFQGpYA?pwd=1111 提取码: 1111 
--来自百度网盘超级会员v2的分享

漏洞分析

格式化字符串漏洞,在printf(format);

__int64 sub_13D7()
{char format[56]; // [rsp+10h] [rbp-40h] BYREFunsigned __int64 v2; // [rsp+48h] [rbp-8h]v2 = __readfsqword(0x28u);printf("Please input your name: ");if ( (int)sub_1247(format, 55LL) > 0 ){if ( dword_404C ){printf(format);--dword_404C;puts("There will be a gift for you here . . .");}else{puts("0.o? ");}return 0LL;}else{puts("Error reading name.");return 0xFFFFFFFFLL;}
}

确定参数偏移

❯ gdb pwn
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04.2) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:<http://www.gnu.org/software/gdb/documentation/>.For help, type "help".
Type "apropos word" to search for commands related to "word"...
startpwndbg: loaded 165 pwndbg commands and 46 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $base, $bn_sym, $bn_var, $bn_eval, $ida GDB functions (can be used with print/break)
Reading symbols from pwn...
(No debugging symbols found in pwn)
------- tip of the day (disable with set show-tips off) -------
If you want Pwndbg to clear screen on each command (but still save previous output in history) use set context-clear-screen on
pwndbg> start
Temporary breakpoint 1 at 0x5555555550e0Temporary breakpoint 1, 0x00005555555550e0 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────RAX  0x1cRBX  0RCX  0x7fffffffc478 —▸ 0x7fffffffc82b ◂— 'SYSTEMD_EXEC_PID=1816'RDX  0x7ffff7fe0d60 ◂— endbr64 RDI  0x7ffff7ffe190 —▸ 0x555555554000 ◂— 0x10102464c457fRSI  0x7ffff7ffe730 ◂— 0R8   0R9   2R10  0xfR11  0R12  0x5555555550e0 ◂— endbr64 R13  0x7fffffffc460 ◂— 1R14  0R15  0RBP  0RSP  0x7fffffffc460 ◂— 1RIP  0x5555555550e0 ◂— endbr64 
────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────► 0x5555555550e0    endbr64 0x5555555550e4    xor    ebp, ebp                    EBP => 00x5555555550e6    mov    r9, rdx                     R9 => 0x7ffff7fe0d60 ◂— endbr64 0x5555555550e9    pop    rsi                         RSI => 10x5555555550ea    mov    rdx, rsp                    RDX => 0x7fffffffc468 —▸ 0x7fffffffc80b ◂— '/home/a5rz/Desktop/pwn/file/pwn'0x5555555550ed    and    rsp, 0xfffffffffffffff0     RSP => 0x7fffffffc460 (0x7fffffffc468 & -0x10)0x5555555550f1    push   rax0x5555555550f2    push   rsp0x5555555550f3    lea    r8, [rip + 0x426]           R8 => 0x555555555520 ◂— endbr64 0x5555555550fa    lea    rcx, [rip + 0x3af]          RCX => 0x5555555554b0 ◂— endbr64 0x555555555101    lea    rdi, [rip + 0x385]          RDI => 0x55555555548d ◂— endbr64 
─────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────
00:0000│ r13 rsp 0x7fffffffc460 ◂— 1
01:00080x7fffffffc468 —▸ 0x7fffffffc80b ◂— '/home/a5rz/Desktop/pwn/file/pwn'
02:00100x7fffffffc470 ◂— 0
03:0018│ rcx     0x7fffffffc478 —▸ 0x7fffffffc82b ◂— 'SYSTEMD_EXEC_PID=1816'
04:00200x7fffffffc480 —▸ 0x7fffffffc841 ◂— 'SSH_AUTH_SOCK=/run/user/1000/keyring/ssh'
05:00280x7fffffffc488 —▸ 0x7fffffffc86a ◂— 'SESSION_MANAGER=local/ubuntu:@/tmp/.ICE-unix/1816,unix/ubuntu:/tmp/.ICE-unix/1816'
06:00300x7fffffffc490 —▸ 0x7fffffffc8bc ◂— 'PAPERSIZE=a4'
07:00380x7fffffffc498 —▸ 0x7fffffffc8c9 ◂— 'GNOME_TERMINAL_SCREEN=/org/gnome/Terminal/screen/aab6f309_847c_4363_b37f_36574de33f67'
───────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────► 0   0x5555555550e01              0x12   0x7fffffffc80b3              0x0
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> b *$rebase(0x1444)
Breakpoint 2 at 0x555555555401
pwndbg> run
Starting program: /home/a5rz/Desktop/pwn/file/pwn

Please input your name: aaaaaaaa%p%p%p%p%p%p%p%p%p%p%p%pBreakpoint 2, 0x0000555555555444 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────RAX  0RBX  0x5555555554b0 ◂— endbr64 RCX  0RDX  1RDI  0x7fffffffc2e0 ◂— 'aaaaaaaa%p%p%p%p%p%p%p%p%p%p%p%pSomething strange here'RSI  0x7fffffffc2af ◂— 0x1000000200a /* '\n ' */R8   0x18R9   0x18R10  0x555555556008 ◂— 'Please input your name: 'R11  0x246R12  0x5555555550e0 ◂— endbr64 R13  0x7fffffffc460 ◂— 1R14  0R15  0RBP  0x7fffffffc320 —▸ 0x7fffffffc360 —▸ 0x7fffffffc370 ◂— 0RSP  0x7fffffffc2d0 ◂— 0RIP  0x555555555444 ◂— call 0x5555555550b0
────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────► 0x555555555444    call   printf@plt                  <printf@plt>format: 0x7fffffffc2e0 ◂— 'aaaaaaaa%p%p%p%p%p%p%p%p%p%p%p%pSomething strange here'vararg: 0x7fffffffc2af ◂— 0x1000000200a /* '\n ' */0x555555555449    mov    eax, dword ptr [rip + 0x2bfd]     EAX, [0x55555555804c]0x55555555544f    sub    eax, 10x555555555452    mov    dword ptr [rip + 0x2bf4], eax0x555555555458    lea    rdi, [rip + 0xbd9]                RDI => 0x555555556038 ◂— 'There will be a gift for you here . . .'0x55555555545f    call   puts@plt                    <puts@plt>0x555555555464    jmp    0x555555555472              <0x555555555472>0x555555555472    mov    eax, 0                       EAX => 00x555555555477    mov    rdx, qword ptr [rbp - 8]0x55555555547b    xor    rdx, qword ptr fs:[0x28]0x555555555484    je     0x55555555548b              <0x55555555548b>
─────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffc2d0 ◂— 0
01:0008-048 0x7fffffffc2d8 ◂— 0xf7fc37d0f7fc25c0
02:0010│ rdi 0x7fffffffc2e0 ◂— 'aaaaaaaa%p%p%p%p%p%p%p%p%p%p%p%pSomething strange here'
03:0018-038 0x7fffffffc2e8 ◂— '%p%p%p%p%p%p%p%p%p%p%p%pSomething strange here'
...2 skipped
06:0030-020 0x7fffffffc300 ◂— 'Something strange here'
07:0038-018 0x7fffffffc308 ◂— 'g strange here'
───────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────► 0   0x5555555554441   0x5555555553bc2   0x5555555554a93   0x7ffff7df9083 __libc_start_main+2434   0x55555555510e
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> stack 90
00:0000│ rsp 0x7fffffffc2d0 ◂— 0
01:0008-048 0x7fffffffc2d8 ◂— 0xf7fc37d0f7fc25c0
02:0010│ rdi 0x7fffffffc2e0 ◂— 'aaaaaaaa%p%p%p%p%p%p%p%p%p%p%p%pSomething strange here'
03:0018-038 0x7fffffffc2e8 ◂— '%p%p%p%p%p%p%p%p%p%p%p%pSomething strange here'
...2 skipped
06:0030-020 0x7fffffffc300 ◂— 'Something strange here'
07:0038-018 0x7fffffffc308 ◂— 'g strange here'
08:0040-010 0x7fffffffc310 ◂— 0x657265682065 /* 'e here' */
09:0048-008 0x7fffffffc318 ◂— 0x4d8fe1de9078d800
0a:0050│ rbp 0x7fffffffc320 —▸ 0x7fffffffc360 —▸ 0x7fffffffc370 ◂— 0
0b:0058+008 0x7fffffffc328 —▸ 0x5555555553bc ◂— mov eax, 0
0c:0060+010 0x7fffffffc330 ◂— 'welcome to WuCup !'
0d:0068+018 0x7fffffffc338 ◂— 'to WuCup !'
0e:0070+020 0x7fffffffc340 ◂— 0x555555002120 /* ' !' */
0f:0078+028 0x7fffffffc348 —▸ 0x7fffffffc460 ◂— 1
10:0080+030 0x7fffffffc350 ◂— 0
11:0088+038 0x7fffffffc358 ◂— 0x4d8fe1de9078d800
12:0090+040 0x7fffffffc360 —▸ 0x7fffffffc370 ◂— 0
13:0098+048 0x7fffffffc368 —▸ 0x5555555554a9 ◂— mov eax, 0
14:00a0│+050 0x7fffffffc370 ◂— 0
15:00a8│+058 0x7fffffffc378 —▸ 0x7ffff7df9083 (__libc_start_main+243) ◂— mov edi, eax
16:00b0│+060 0x7fffffffc380 —▸ 0x7ffff7ffc620 (_rtld_global_ro) ◂— 0x50fa700000000
17:00b8│+068 0x7fffffffc388 —▸ 0x7fffffffc468 —▸ 0x7fffffffc80b ◂— '/home/a5rz/Desktop/pwn/file/pwn'
18:00c0│+070 0x7fffffffc390 ◂— 0x100000000
19:00c8│+078 0x7fffffffc398 —▸ 0x55555555548d ◂— endbr64 
1a:00d0│+080 0x7fffffffc3a0 —▸ 0x5555555554b0 ◂— endbr64 
1b:00d8│+088 0x7fffffffc3a8 ◂— 0xb19ed39ac14d0a56
1c:00e0+090 0x7fffffffc3b0 —▸ 0x5555555550e0 ◂— endbr64 
1d:00e8+098 0x7fffffffc3b8 —▸ 0x7fffffffc460 ◂— 1
1e:00f0+0a0 0x7fffffffc3c0 ◂— 0
1f:00f8+0a8 0x7fffffffc3c8 ◂— 0
20:0100+0b0 0x7fffffffc3d0 ◂— 0x4e612c65464d0a56 ('V\nMFe,aN')
21:0108+0b8 0x7fffffffc3d8 ◂— 0x4e613c25e1230a56
22:0110+0c0 0x7fffffffc3e0 ◂— 0
...2 skipped
25:0128+0d8 0x7fffffffc3f8 ◂— 1
26:0130+0e0 0x7fffffffc400 —▸ 0x7fffffffc468 —▸ 0x7fffffffc80b ◂— '/home/a5rz/Desktop/pwn/file/pwn'
27:0138+0e8 0x7fffffffc408 —▸ 0x7fffffffc478 —▸ 0x7fffffffc82b ◂— 'SYSTEMD_EXEC_PID=1816'
28:0140+0f0 0x7fffffffc410 —▸ 0x7ffff7ffe190 —▸ 0x555555554000 ◂— 0x10102464c457f
29:0148+0f8 0x7fffffffc418 ◂— 0
2a:0150+100 0x7fffffffc420 ◂— 0
2b:0158+108 0x7fffffffc428 —▸ 0x5555555550e0 ◂— endbr64 
2c:0160+110 0x7fffffffc430 —▸ 0x7fffffffc460 ◂— 1
2d:0168+118 0x7fffffffc438 ◂— 0
2e:0170+120 0x7fffffffc440 ◂— 0
2f:0178+128 0x7fffffffc448 —▸ 0x55555555510e ◂— hlt 
30:0180+130 0x7fffffffc450 —▸ 0x7fffffffc458 ◂— 0x1c
31:0188+138 0x7fffffffc458 ◂— 0x1c
32:0190│ r13 0x7fffffffc460 ◂— 1
33:0198+148 0x7fffffffc468 —▸ 0x7fffffffc80b ◂— '/home/a5rz/Desktop/pwn/file/pwn'
34:01a0│+150 0x7fffffffc470 ◂— 0
35:01a8│+158 0x7fffffffc478 —▸ 0x7fffffffc82b ◂— 'SYSTEMD_EXEC_PID=1816'
36:01b0│+160 0x7fffffffc480 —▸ 0x7fffffffc841 ◂— 'SSH_AUTH_SOCK=/run/user/1000/keyring/ssh'
37:01b8│+168 0x7fffffffc488 —▸ 0x7fffffffc86a ◂— 'SESSION_MANAGER=local/ubuntu:@/tmp/.ICE-unix/1816,unix/ubuntu:/tmp/.ICE-unix/1816'
38:01c0│+170 0x7fffffffc490 —▸ 0x7fffffffc8bc ◂— 'PAPERSIZE=a4'
39:01c8│+178 0x7fffffffc498 —▸ 0x7fffffffc8c9 ◂— 'GNOME_TERMINAL_SCREEN=/org/gnome/Terminal/screen/aab6f309_847c_4363_b37f_36574de33f67'
3a:01d0│+180 0x7fffffffc4a0 —▸ 0x7fffffffc91f ◂— 'LANGUAGE=zh_CN:en_GB:en'
3b:01d8│+188 0x7fffffffc4a8 —▸ 0x7fffffffc937 ◂— 'LANG=zh_CN.UTF-8'
3c:01e0+190 0x7fffffffc4b0 —▸ 0x7fffffffc948 ◂— 'WAYLAND_DISPLAY=wayland-0'
3d:01e8+198 0x7fffffffc4b8 —▸ 0x7fffffffc962 ◂— 'LC_IDENTIFICATION=zh_CN.UTF-8'
3e:01f0+1a0 0x7fffffffc4c0 —▸ 0x7fffffffc980 ◂— 'XDG_SESSION_CLASS=user'
3f:01f8+1a8 0x7fffffffc4c8 —▸ 0x7fffffffc997 ◂— 'XDG_CURRENT_DESKTOP=ubuntu:GNOME'
40:0200+1b0 0x7fffffffc4d0 —▸ 0x7fffffffc9b8 ◂— 'PWD=/home/a5rz/Desktop/pwn/file'
41:0208+1b8 0x7fffffffc4d8 —▸ 0x7fffffffc9d8 ◂— 'QT_IM_MODULE=ibus'
42:0210+1c0 0x7fffffffc4e0 —▸ 0x7fffffffc9ea ◂— 'USER=a5rz'
43:0218+1c8 0x7fffffffc4e8 —▸ 0x7fffffffc9f4 ◂— 'DESKTOP_SESSION=ubuntu'
44:0220+1d0 0x7fffffffc4f0 —▸ 0x7fffffffca0b ◂— 'XDG_MENU_PREFIX=gnome-'
45:0228+1d8 0x7fffffffc4f8 —▸ 0x7fffffffca22 ◂— 'OLDPWD=/home/a5rz/Desktop/pwn/file'
46:0230+1e0 0x7fffffffc500 —▸ 0x7fffffffca45 ◂— 'LC_MEASUREMENT=zh_CN.UTF-8'
47:0238+1e8 0x7fffffffc508 —▸ 0x7fffffffca60 ◂— 'DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus,guid=648017a497f89697dfa1bf47674d827a'
48:0240+1f0 0x7fffffffc510 —▸ 0x7fffffffcabc ◂— 'LC_NUMERIC=zh_CN.UTF-8'
49:0248+1f8 0x7fffffffc518 —▸ 0x7fffffffcad3 ◂— 'SSH_AGENT_LAUNCHER=gnome-keyring'
4a:0250+200 0x7fffffffc520 —▸ 0x7fffffffcaf4 ◂— '_=/home/a5rz/Desktop/pwn/file/pwn'
4b:0258+208 0x7fffffffc528 —▸ 0x7fffffffcb16 ◂— 'GTK_MODULES=gail:atk-bridge'
4c:0260+210 0x7fffffffc530 —▸ 0x7fffffffcb32 ◂— 'VTE_VERSION=6800'
4d:0268+218 0x7fffffffc538 —▸ 0x7fffffffcb43 ◂— 'XDG_SESSION_DESKTOP=ubuntu'
4e:0270+220 0x7fffffffc540 —▸ 0x7fffffffcb5e ◂— 'QT_ACCESSIBILITY=1'
4f:0278+228 0x7fffffffc548 —▸ 0x7fffffffcb71 ◂— 'GNOME_DESKTOP_SESSION_ID=this-is-deprecated'
50:0280+230 0x7fffffffc550 —▸ 0x7fffffffcb9d ◂— 'GNOME_SETUP_DISPLAY=:1'
51:0288+238 0x7fffffffc558 —▸ 0x7fffffffcbb4 ◂— 'LC_TIME=zh_CN.UTF-8'
52:0290+240 0x7fffffffc560 —▸ 0x7fffffffcbc8 ◂— 'LOGNAME=a5rz'
53:0298+248 0x7fffffffc568 —▸ 0x7fffffffcbd5 ◂— 'GNOME_TERMINAL_SERVICE=:1.112'
54:02a0│+250 0x7fffffffc570 —▸ 0x7fffffffcbf3 ◂— 'LC_PAPER=zh_CN.UTF-8'
55:02a8│+258 0x7fffffffc578 —▸ 0x7fffffffcc08 ◂— 'HOME=/home/a5rz'
56:02b0│+260 0x7fffffffc580 —▸ 0x7fffffffcc18 ◂— 'GNOME_SHELL_SESSION_MODE=ubuntu'
57:02b8│+268 0x7fffffffc588 —▸ 0x7fffffffcc38 ◂— 'XDG_DATA_DIRS=/usr/local/share/:/usr/share/:/var/lib/snapd/desktop'
58:02c0│+270 0x7fffffffc590 —▸ 0x7fffffffcc7b ◂— 'XMODIFIERS=@im=ibus'
59:02c8│+278 0x7fffffffc598 —▸ 0x7fffffffcc8f ◂— 'XDG_RUNTIME_DIR=/run/user/1000'

pwndbg> ni
aaaaaaaa0x7fffffffc2af0x1(nil)0x180x18(nil)0xf7fc37d0f7fc25c00x61616161616161610x70257025702570250x70257025702570250x70257025702570250x6e696874656d6f53Something

aaaaaaaa
0x7fffffffc2af
0x1
(nil)
0x18
0x18
(nil)
0xf7fc37d0f7fc25c0
0x6161616161616161
0x70257025702570250x70257025702570250x70257025702570250x6e696874656d6f53Something

得知偏移量为8,验证

pwndbg> run
Starting program: /home/a5rz/Desktop/pwn/file/pwn 
Please input your name: aaaaaaaa%8$pBreakpoint 2, 0x0000555555555444 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────RAX  0RBX  0x5555555554b0 ◂— endbr64 RCX  0RDX  1RDI  0x7fffffffc2e0 ◂— 0x6161616161616161 ('aaaaaaaa')RSI  0x7fffffffc2af ◂— 0x10000000c0a /* '\n\x0c' */R8   0x18R9   0x18R10  0x555555556008 ◂— 'Please input your name: 'R11  0x246R12  0x5555555550e0 ◂— endbr64 R13  0x7fffffffc460 ◂— 1R14  0R15  0RBP  0x7fffffffc320 —▸ 0x7fffffffc360 —▸ 0x7fffffffc370 ◂— 0RSP  0x7fffffffc2d0 ◂— 0RIP  0x555555555444 ◂— call 0x5555555550b0
────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────► 0x555555555444    call   printf@plt                  <printf@plt>format: 0x7fffffffc2e0 ◂— 0x6161616161616161 ('aaaaaaaa')vararg: 0x7fffffffc2af ◂— 0x10000000c0a /* '\n\x0c' */0x555555555449    mov    eax, dword ptr [rip + 0x2bfd]     EAX, [0x55555555804c]0x55555555544f    sub    eax, 10x555555555452    mov    dword ptr [rip + 0x2bf4], eax0x555555555458    lea    rdi, [rip + 0xbd9]                RDI => 0x555555556038 ◂— 'There will be a gift for you here . . .'0x55555555545f    call   puts@plt                    <puts@plt>0x555555555464    jmp    0x555555555472              <0x555555555472>0x555555555472    mov    eax, 0                       EAX => 00x555555555477    mov    rdx, qword ptr [rbp - 8]0x55555555547b    xor    rdx, qword ptr fs:[0x28]0x555555555484    je     0x55555555548b              <0x55555555548b>
─────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffc2d0 ◂— 0
01:0008-048 0x7fffffffc2d8 ◂— 0xf7fc37d0f7fc25c0
02:0010│ rdi 0x7fffffffc2e0 ◂— 0x6161616161616161 ('aaaaaaaa')
03:0018-038 0x7fffffffc2e8 ◂— 0x7fff70243825
04:0020-030 0x7fffffffc2f0 ◂— 0
05:0028-028 0x7fffffffc2f8 —▸ 0x7fffffffc300 ◂— 'Something strange here'
06:0030-020 0x7fffffffc300 ◂— 'Something strange here'
07:0038-018 0x7fffffffc308 ◂— 'g strange here'
───────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────► 0   0x5555555554441   0x5555555553bc2   0x5555555554a93   0x7ffff7df9083 __libc_start_main+2434   0x55555555510e
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> c
Continuing.
aaaaaaaa0x6161616161616161�There will be a gift for you here . . .
[Inferior 1 (process 3806) exited normally]

ebp总是指向上一个ebp,我们可以使用这个特性用第一个ebp改写第二个ebp,再用第二个ebp作为跳板更改栈上任意地址?

pwndbg> stack 60
00:0000│ rsp 0x7fffffffc2d0 ◂— 0
01:0008-048 0x7fffffffc2d8 ◂— 0xf7fc37d0f7fc25c0
02:0010│ rdi 0x7fffffffc2e0 ◂— 0x30 /* '0' */
03:0018-038 0x7fffffffc2e8 —▸ 0x7ffff7e67525 ◂— cmp eax, -1
04:0020-030 0x7fffffffc2f0 ◂— 0
05:0028-028 0x7fffffffc2f8 —▸ 0x7fffffffc300 ◂— 'Something strange here'
06:0030-020 0x7fffffffc300 ◂— 'Something strange here'
07:0038-018 0x7fffffffc308 ◂— 'g strange here'
08:0040-010 0x7fffffffc310 ◂— 0x657265682065 /* 'e here' */
09:0048-008 0x7fffffffc318 ◂— 0x1fdd857982303200
0a:0050│ rbp 0x7fffffffc320 —▸ 0x7fffffffc360 —▸ 0x7fffffffc370 ◂— 0
0b:0058+008 0x7fffffffc328 —▸ 0x5555555553bc ◂— mov eax, 0
0c:0060+010 0x7fffffffc330 ◂— 'welcome to WuCup !'
0d:0068+018 0x7fffffffc338 ◂— 'to WuCup !'
0e:0070+020 0x7fffffffc340 ◂— 0x555555002120 /* ' !' */
0f:0078+028 0x7fffffffc348 —▸ 0x7fffffffc460 ◂— 1
10:0080+030 0x7fffffffc350 ◂— 0
11:0088+038 0x7fffffffc358 ◂— 0x1fdd857982303200
12:0090+040 0x7fffffffc360 —▸ 0x7fffffffc370 ◂— 0
13:0098+048 0x7fffffffc368 —▸ 0x5555555554a9 ◂— mov eax, 0
14:00a0│+050 0x7fffffffc370 ◂— 0
15:00a8│+058 0x7fffffffc378 —▸ 0x7ffff7df9083 (__libc_start_main+243) ◂— mov edi, eax
16:00b0│+060 0x7fffffffc380 —▸ 0x7ffff7ffc620 (_rtld_global_ro) ◂— 0x50fa700000000
17:00b8│+068 0x7fffffffc388 —▸ 0x7fffffffc468 —▸ 0x7fffffffc80b ◂— '/home/a5rz/Desktop/pwn/file/pwn'
18:00c0│+070 0x7fffffffc390 ◂— 0x100000000
19:00c8│+078 0x7fffffffc398 —▸ 0x55555555548d ◂— endbr64 
1a:00d0│+080 0x7fffffffc3a0 —▸ 0x5555555554b0 ◂— endbr64 
1b:00d8│+088 0x7fffffffc3a8 ◂— 0x3d68c2224b0eb8ed
1c:00e0+090 0x7fffffffc3b0 —▸ 0x5555555550e0 ◂— endbr64 
1d:00e8+098 0x7fffffffc3b8 —▸ 0x7fffffffc460 ◂— 1
1e:00f0+0a0 0x7fffffffc3c0 ◂— 0
1f:00f8+0a8 0x7fffffffc3c8 ◂— 0
20:0100+0b0 0x7fffffffc3d0 ◂— 0xc2973dddcc0eb8ed
21:0108+0b8 0x7fffffffc3d8 ◂— 0xc2972d9d6b60b8ed
22:0110+0c0 0x7fffffffc3e0 ◂— 0
...2 skipped
25:0128+0d8 0x7fffffffc3f8 ◂— 1
26:0130+0e0 0x7fffffffc400 —▸ 0x7fffffffc468 —▸ 0x7fffffffc80b ◂— '/home/a5rz/Desktop/pwn/file/pwn'
27:0138+0e8 0x7fffffffc408 —▸ 0x7fffffffc478 —▸ 0x7fffffffc82b ◂— 'SYSTEMD_EXEC_PID=1816'
28:0140+0f0 0x7fffffffc410 —▸ 0x7ffff7ffe190 —▸ 0x555555554000 ◂— 0x10102464c457f
29:0148+0f8 0x7fffffffc418 ◂— 0
2a:0150+100 0x7fffffffc420 ◂— 0
2b:0158+108 0x7fffffffc428 —▸ 0x5555555550e0 ◂— endbr64 
2c:0160+110 0x7fffffffc430 —▸ 0x7fffffffc460 ◂— 1
2d:0168+118 0x7fffffffc438 ◂— 0
2e:0170+120 0x7fffffffc440 ◂— 0
2f:0178+128 0x7fffffffc448 —▸ 0x55555555510e ◂— hlt 
30:0180+130 0x7fffffffc450 —▸ 0x7fffffffc458 ◂— 0x1c
31:0188+138 0x7fffffffc458 ◂— 0x1c
32:0190│ r13 0x7fffffffc460 ◂— 1
33:0198+148 0x7fffffffc468 —▸ 0x7fffffffc80b ◂— '/home/a5rz/Desktop/pwn/file/pwn'
34:01a0│+150 0x7fffffffc470 ◂— 0
35:01a8│+158 0x7fffffffc478 —▸ 0x7fffffffc82b ◂— 'SYSTEMD_EXEC_PID=1816'
36:01b0│+160 0x7fffffffc480 —▸ 0x7fffffffc841 ◂— 'SSH_AUTH_SOCK=/run/user/1000/keyring/ssh'
37:01b8│+168 0x7fffffffc488 —▸ 0x7fffffffc86a ◂— 'SESSION_MANAGER=local/ubuntu:@/tmp/.ICE-unix/1816,unix/ubuntu:/tmp/.ICE-unix/1816'
38:01c0│+170 0x7fffffffc490 —▸ 0x7fffffffc8bc ◂— 'PAPERSIZE=a4'
39:01c8│+178 0x7fffffffc498 —▸ 0x7fffffffc8c9 ◂— 'GNOME_TERMINAL_SCREEN=/org/gnome/Terminal/screen/aab6f309_847c_4363_b37f_36574de33f67'
3a:01d0│+180 0x7fffffffc4a0 —▸ 0x7fffffffc91f ◂— 'LANGUAGE=zh_CN:en_GB:en'
3b:01d8│+188 0x7fffffffc4a8 —▸ 0x7fffffffc937 ◂— 'LANG=zh_CN.UTF-8'

确实没思路了,有没有师傅能发个wp或指点一下?谢谢了,先看看另一道web&pwn了

相关文章:

CTF-PWN: 全保护下格式化字符串利用 [第一届“吾杯”网络安全技能大赛 如果能重来] 赛后学习(没思路了)

通过网盘分享的文件&#xff1a;如果能重来.zip 链接: https://pan.baidu.com/s/1XKIJx32nWVcSpKiWFQGpYA?pwd1111 提取码: 1111 --来自百度网盘超级会员v2的分享漏洞分析 格式化字符串漏洞,在printf(format); __int64 sub_13D7() {char format[56]; // [rsp10h] [rbp-40h]…...

编程日记 2024/12/3 18:06:25

C++学习日记---第16天

笔记复习 1.C对象模型 在C中&#xff0c;类内的成员变量和成员函数分开存储 我们知道&#xff0c;C中的成员变量和成员函数均可分为两种&#xff0c;一种是普通的&#xff0c;一种是静态的&#xff0c;对于静态成员变量和静态成员函数&#xff0c;我们知道他们不属于类的对象…...

编程日记 2024/12/3 18:01:18

SOA、分布式、微服务之间的关系和区别?

在当今的软件开发领域&#xff0c;SOA&#xff08;面向服务架构&#xff09;、分布式系统和微服务是三个重要的概念。它们各自有着独特的特性和应用场景&#xff0c;同时也存在着密切的关系。以下是关于这三者之间关系和区别的详细分析&#xff1a; 关系 分布式架构的范畴&…...

编程日记 2024/12/3 18:00:17

java基础概念46-数据结构1

一、引入 List集合的三种实现类使用了不同的数据结构&#xff01; 二、数据结构的定义 三、常见的数据结构 3-1、栈 特点&#xff1a;先进后出&#xff0c;后进先出。 java内存容器&#xff1a; 3-2、队列 特点&#xff1a;先进先出、后进后出。 栈VS队列-小结 3-3、数组 3-…...

编程日记 2024/12/3 17:54:10

Node.js-Mongodb数据库

MongoDB MongoDB是什么&#xff1f; MongoDB是一个基于分布式文件存储的数据库 数据库是什么&#xff1f; 数据库&#xff08;DataBase&#xff09;是按照数据结构来组织、存储和管理数据的应用程序&#xff08;软件&#xff09; 数据库作用&#xff1f; 对数据进行增、删…...

编程日记 2024/12/3 17:53:08

STM32 ADC --- 知识点总结

STM32 ADC — 知识点总结 文章目录 STM32 ADC --- 知识点总结cubeMX中配置注解单次转换模式、连续转换模式、扫描模式单通道采样的情况单次转换模式&#xff1a;连续转换模式&#xff1a; 多通道采样的情况禁止扫描模式&#xff08;单次转换模式或连续转换模式&#xff09;单次…...

编程日记 2024/12/3 17:50:02

技术创新与人才培养并重 软通动力子公司鸿湖万联亮相OpenHarmony人才生态大会

11月27日&#xff0c;由开放原子开源基金会指导&#xff0c;OpenHarmony项目群工作委员会主办的OpenHarmony人才生态大会2024在武汉隆重举办。软通动力子公司鸿湖万联作为OpenHarmony项目群A类捐赠人应邀出席。大会期间&#xff0c;鸿湖万联不仅深度参与了OpenHarmony人才生态年…...

编程日记 2024/12/3 17:47:57

兔子繁衍问题

7-2 兔子繁衍问题 分数 15 全屏浏览 切换布局 作者 徐镜春 单位 浙江大学 一对兔子&#xff0c;从出生后第3个月起每个月都生一对兔子。小兔子长到第3个月后每个月又生一对兔子。假如兔子都不死&#xff0c;请问第1个月出生的一对兔子&#xff0c;至少需要繁衍到第几个月时兔…...

编程日记 2024/12/3 17:41:48

汉代风云人物 1晁错

晁错曾是汉景帝的老师。汉景帝登基后&#xff0c;晁错提出削藩建议&#xff0c;这一举措遭到诸多藩国诸侯的强烈反对&#xff0c;由此引发了紧张局势。 袁盎此前曾担任吴国的宰相&#xff0c;晁错觉得袁盎与吴国等藩国关系密切&#xff0c;很可能知晓藩王们谋反的相关情况却没…...

编程日记 2024/12/3 17:40:47

学习threejs,使用specularMap设置高光贴图

&#x1f468;‍⚕️ 主页&#xff1a; gis分享者 &#x1f468;‍⚕️ 感谢各位大佬 点赞&#x1f44d; 收藏⭐ 留言&#x1f4dd; 加关注✅! &#x1f468;‍⚕️ 收录于专栏&#xff1a;threejs gis工程师 文章目录 一、&#x1f340;前言1.1 ☘️THREE.MeshPhongMaterial高…...

编程日记 2024/12/3 17:39:45

【UE5 C++】判断两点连线是否穿过球体

目录 前言 方法一 原理 代码 测试 结果 方法二 原理 一、检查连线与球体的相交情况 二、检查距离与球体半径的关系 三、检查连线与球体的相交 代码 前言 通过数学原理判断空间中任意两点的连线是否穿过球体&#xff0c;再通过射线检测检验算法的正确性。 方法一 …...

编程日记 2024/12/3 17:38:43

【Blender】如何创建空心管道

步骤 1&#xff1a;创建一个圆柱体 添加圆柱体&#xff1a; 在 Object Mode 下按 Shift A > Mesh > Cylinder。 步骤 2&#xff1a;制作空心效果 进入编辑模式&#xff1a; 选中圆柱体&#xff0c;按 Tab 进入 Edit Mode。 删除顶部和底部面&#xff1a; 按 3 进入面选…...

编程日记 2024/12/3 17:37:40

ChromeBook11 HP G7EE 刷入Ubuntu的记录

设置开发模式-> 拆电池(解锁)-> 刷入bios ->使用u盘刷入系统。 下面是详细过程&#xff0c;除了拆机有点紧&#xff0c;没有难度(我不负责&#xff5e; 其实我试了好几次其他系统的&#xff0c;先进了pe&#xff0c;pe没问题(音频x)&#xff0c;有一个win10的u盘(几个…...

编程日记 2024/12/3 17:33:34

16asm - 汇编介绍 和 debug使用

文章目录 前言硬件运行机制微机系统硬件组成计算机系统组成8086cpu组织架构dosbox安装配置debug debug使用R命令D命令E命令U命令T命令A命令标志寄存器 总结 前言 各位师傅大家好&#xff0c;我是qmx_07&#xff0c;今天给大家讲解 十六位汇编 和 debug调试器的使用 硬件运行…...

编程日记 2024/12/3 17:32:32

初识QT第一天

思维导图 利用Qt尝试做出原神登陆界面 import sys from PyQt6.QtGui import QIcon, QPixmap, QMovie from PyQt6.QtWidgets import QApplication, QWidget, QLabel, QPushButton, QLineEdit# 封装原神窗口类 class Genshin(QWidget):# 构造函数def __init__(self):# 初始化父类…...

编程日记 2024/12/3 17:28:26

ChatGPT科研应用、论文写作、课题申报、数据分析与AI绘图

随着人工智能技术的飞速发展&#xff0c;ChatGPT等先进语言模型正深刻改变着科研工作的面貌。从科研灵感的激发、论文的高效撰写&#xff0c;到课题的成功申报&#xff0c;乃至复杂数据的深度分析与可视化呈现&#xff0c;AI技术均展现出前所未有的潜力。其实众多科研前沿工作者…...

编程日记 2024/12/3 17:26:22

原子类、AtomicLong、AtomicReference、AtomicIntegerFieldUpdater、LongAdder

原子类 JDK提供的原子类&#xff0c;即Atomic*类有很多&#xff0c;大体可做如下分类&#xff1a; 形式类别举例Atomic*基本类型原子类AtomicInteger、AtomicLong、AtomicBooleanAtomic*Array数组类型原子类AtomicIntegerArray、AtomicLongArray、AtomicReferenceArrayAtomic…...

编程日记 2024/12/3 17:25:21

c语言——数组名该如何理解呢?

一般情况下&#xff0c;数组名表示首元素地址&#xff0c;以下2种除外&#xff1a; ①、sizeof(数组名) 表示整个数组 ※只有数组名的情况 sizeof&#xff08;数组名i&#xff09; 就不能表示整个数组 ②、&数组名 表示整个数组&#xff0c;取的是整个数…...

编程日记 2024/12/3 17:24:20

Linux学习笔记13 系统进程管理

前文 Linux学习笔记10 系统启动初始化&#xff0c;服务和进程管理&#xff08;上&#xff09;-CSDN博客 Linux学习笔记11 系统启动初始化&#xff0c;服务和进程管理&#xff08;下&#xff09;-CSDN博客 Linux学习笔记12 systemd的其他命令-CSDN博客 之前学习了怎么使用sy…...

编程日记 2024/12/3 17:22:13

Spring Boot 项目集成camunda流程引擎

Spring Boot 项目集成camunda流程引擎 camunda地址 camunda中文地址 使用camunda开源工作流引擎有&#xff1a;通过docker运行、使用springboot集成、部署camunda发行包、基于源代码编译运行等多种方式。 文本重点介绍如何在Spring Boot应用程序中如何集成Camunda Platform开…...

编程日记 2024/12/3 17:17:06

Linux应用开发之网络套接字编程(实例篇)

服务端与客户端单连接 服务端代码 #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <arpa/inet.h> #include <pthread.h> …...

编程新知 2025/12/14 9:57:49

深度学习在微纳光子学中的应用

深度学习在微纳光子学中的主要应用方向 深度学习与微纳光子学的结合主要集中在以下几个方向&#xff1a; 逆向设计 通过神经网络快速预测微纳结构的光学响应&#xff0c;替代传统耗时的数值模拟方法。例如设计超表面、光子晶体等结构。 特征提取与优化 从复杂的光学数据中自…...

编程新知 2025/12/14 9:58:04

【位运算】消失的两个数字(hard)

消失的两个数字&#xff08;hard&#xff09; 题⽬描述&#xff1a;解法&#xff08;位运算&#xff09;&#xff1a;Java 算法代码&#xff1a;更简便代码 题⽬链接&#xff1a;⾯试题 17.19. 消失的两个数字 题⽬描述&#xff1a; 给定⼀个数组&#xff0c;包含从 1 到 N 所有…...

编程新知 2025/11/15 16:18:24

1.3 VSCode安装与环境配置

进入网址Visual Studio Code - Code Editing. Redefined下载.deb文件&#xff0c;然后打开终端&#xff0c;进入下载文件夹&#xff0c;键入命令 sudo dpkg -i code_1.100.3-1748872405_amd64.deb 在终端键入命令code即启动vscode 需要安装插件列表 1.Chinese简化 2.ros …...

编程新知 2025/12/9 2:37:58

拉力测试cuda pytorch 把 4070显卡拉满

import torch import timedef stress_test_gpu(matrix_size16384, duration300):"""对GPU进行压力测试&#xff0c;通过持续的矩阵乘法来最大化GPU利用率参数:matrix_size: 矩阵维度大小&#xff0c;增大可提高计算复杂度duration: 测试持续时间&#xff08;秒&…...

编程新知 2025/12/7 12:35:20

Maven 概述、安装、配置、仓库、私服详解

目录 1、Maven 概述 1.1 Maven 的定义 1.2 Maven 解决的问题 1.3 Maven 的核心特性与优势 2、Maven 安装 2.1 下载 Maven 2.2 安装配置 Maven 2.3 测试安装 2.4 修改 Maven 本地仓库的默认路径 3、Maven 配置 3.1 配置本地仓库 3.2 配置 JDK 3.3 IDEA 配置本地 Ma…...

编程新知 2025/12/5 12:22:46

AI,如何重构理解、匹配与决策?

AI 时代&#xff0c;我们如何理解消费&#xff1f; 作者&#xff5c;王彬 封面&#xff5c;Unplash 人们通过信息理解世界。 曾几何时&#xff0c;PC 与移动互联网重塑了人们的购物路径&#xff1a;信息变得唾手可得&#xff0c;商品决策变得高度依赖内容。 但 AI 时代的来…...

编程新知 2025/12/10 8:15:52

Linux离线(zip方式)安装docker

目录 基础信息操作系统信息docker信息 安装实例安装步骤示例 遇到的问题问题1&#xff1a;修改默认工作路径启动失败问题2 找不到对应组 基础信息 操作系统信息 OS版本&#xff1a;CentOS 7 64位 内核版本&#xff1a;3.10.0 相关命令&#xff1a; uname -rcat /etc/os-rele…...

编程新知 2025/11/23 23:50:53

A2A JS SDK 完整教程:快速入门指南

目录 什么是 A2A JS SDK?A2A JS 安装与设置A2A JS 核心概念创建你的第一个 A2A JS 代理A2A JS 服务端开发A2A JS 客户端使用A2A JS 高级特性A2A JS 最佳实践A2A JS 故障排除 什么是 A2A JS SDK? A2A JS SDK 是一个专为 JavaScript/TypeScript 开发者设计的强大库&#xff…...

编程新知 2025/12/12 8:42:24

DingDing机器人群消息推送

文章目录 1 新建机器人2 API文档说明3 代码编写 1 新建机器人 点击群设置 下滑到群管理的机器人&#xff0c;点击进入 添加机器人 选择自定义Webhook服务 点击添加 设置安全设置&#xff0c;详见说明文档 成功后&#xff0c;记录Webhook 2 API文档说明 点击设置说明 查看自…...

编程新知 2025/12/12 8:29:24