pwnable.kr
一、要點(diǎn)
1.argc與argv
對(duì)于C語(yǔ)言int main(int argc char *argv[])來(lái)說(shuō)畸冲,argc保存的是命令行總的參數(shù)個(gè)數(shù)(包括程序名),argv這是傳入?yún)?shù)的數(shù)組.
舉個(gè)例子观腊,當(dāng)你執(zhí)行: ./test 1 2 3 時(shí)邑闲,argc = 4 而 argv[0] = test",argv[1] = 1梧油,argv[2] = 2苫耸,argv[3] = 3
2.atoi()
atoi (表示 ascii to integer)是把字符串轉(zhuǎn)換成整型數(shù)的一個(gè)函數(shù)。char ======> int
3.read()
UNIX/Linux平臺(tái)上儡陨,對(duì)于控制臺(tái)(Console)的標(biāo)準(zhǔn)輸入褪子,標(biāo)準(zhǔn)輸出,標(biāo)準(zhǔn)錯(cuò)誤輸出,也對(duì)應(yīng)了三個(gè)文件描述符(即fd = File Description )迄委。它們分別是0,1,2褐筛。也就是說(shuō)read(0,buf,32)表示從鍵盤(pán)讀入至多32個(gè)字節(jié)到buf中
二类少、解題步驟
1叙身,查看源碼
命令:cat fd.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
if(argc<2){
printf("pass argv[1] a number\n");
return 0;
}
int fd = atoi( argv[1] ) - 0x1234;
int len = 0;
len = read(fd, buf, 32);
if(!strcmp("LETMEWIN\n", buf)){
printf("good job :)\n");
system("/bin/cat flag");
exit(0);
}
printf("learn about Linux file IO\n");
return 0;
}
2,分析
由源碼可知硫狞,首先agrc要大于等于2信轿,根據(jù)提示我們要輸入一個(gè)數(shù)字argv[1],且 argv[1] - 0x1234 = fd = 0晃痴,因?yàn)?fd 影響read()函數(shù),而我們需要輸入LETMIWIN才能完成解題,所以需要是fd = 0.
3财忽,解題
注:0x1234 須轉(zhuǎn)換為十進(jìn)制數(shù) 4660
flag = mommy! I think I know what a file descriptor is!!
