• pwnable.kr 第一题fd


    使用ssh fd@pwnable.kr -p2222连接
    输入密码guest

     1 fd@prowl:~$ ls -al
     2 total 40
     3 drwxr-x--- 5 root fd 4096 Oct 26 2016 .
     4 drwxr-xr-x 114 root root 4096 May 19 15:59 ..
     5 d--------- 2 root root 4096 Jun 12 2014 .bash_history
     6 -r-sr-x--- 1 fd_pwn fd 7322 Jun 11 2014 fd
     7 -rw-r--r-- 1 root root 418 Jun 11 2014 fd.c
     8 -r--r----- 1 fd_pwn root 50 Jun 11 2014 flag
     9 -rw------- 1 root root 128 Oct 26 2016 .gdb_history
    10 dr-xr-xr-x 2 root root 4096 Dec 19 2016 .irssi
    11 drwxr-xr-x 2 root root 4096 Oct 23 2016 .pwntools-cache
    12 fd@prowl:~$ cat fd.c
    13 #include <stdio.h>
    14 #include <stdlib.h>
    15 #include <string.h>
    16 char buf[32];
    17 int main(int argc, char* argv[], char* envp[]){
    18 if(argc<2){
    19 printf("pass argv[1] a number
    ");
    20 return 0;
    21 }
    22 int fd = atoi( argv[1] ) - 0x1234;
    23 int len = 0;
    24 len = read(fd, buf, 32);
    25 if(!strcmp("LETMEWIN
    ", buf)){
    26 printf("good job :)
    ");
    27 system("/bin/cat flag");
    28 exit(0);
    29 }
    30 printf("learn about Linux file IO
    ");
    31 return 0;
    32 
    33 }
    34 
    35 fd@prowl:~$ ./fd 4660
    36 LETMEWIN
    37 good job :)
    38 mommy! I think I know what a file descriptor is!!
    39 fd@prowl:~$

    关注read()函数

    函数定义:ssize_t read(int fd, void * buf, size_t count);

    函数说明:read()会把参数fd所指的文件传送count 个字节到buf 指针所指的内存中。

    返回值:返回值为实际读取到的字节数, 如果返回0, 表示已到达文件尾或是无可读取的数据。若参数count 为0, 则read()不会有作用并返回0。

    fd == 0为标准输入 
    fd == 1为标准输出 
    fd == 2为标准错误输出 

    所以先构造fd==0,即使argv[1] 等于 0x1234(4660)

    然后输入LETMEWIN 

    得到flag:

    mommy! I think I know what a file descriptor is!!
  • 相关阅读:
    软件过程的守护神
    C++一个简单的手柄类模板
    矿Spring入门Demo
    [Docker] Prune Old Unused Docker Containers and Images
    [Ramda] Compose lenses
    [Docker] Build Your Own Custom Docker Image
    [SCSS] Reuse Styles with the SCSS @mixin Directive
    [Angular] Router outlet events
    [Angular] Subscribing to router events
    [Angular] Enable router tracing
  • 原文地址:https://www.cnblogs.com/DirWang/p/11232735.html
Copyright © 2020-2023  润新知