下載題目

sudo scp -P 2222 input2@pwnable.kr:~/* ./

查看源碼

$ cat input.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main(int argc, char* argv[], char* envp[]){
    printf("Welcome to pwnable.kr\n");
    printf("Let's see if you know how to give input to program\n");
    printf("Just give me correct inputs then you will get the flag :)\n");

    // argv
    if(argc != 100) return 0;
    if(strcmp(argv['A'],"\x00")) return 0;
    if(strcmp(argv['B'],"\x20\x0a\x0d")) return 0;
    printf("Stage 1 clear!\n"); 

    // stdio
    char buf[4];
    read(0, buf, 4);
    if(memcmp(buf, "\x00\x0a\x00\xff", 4)) return 0;
    read(2, buf, 4);
        if(memcmp(buf, "\x00\x0a\x02\xff", 4)) return 0;
    printf("Stage 2 clear!\n");
    
    // env
    if(strcmp("\xca\xfe\xba\xbe", getenv("\xde\xad\xbe\xef"))) return 0;
    printf("Stage 3 clear!\n");

    // file
    FILE* fp = fopen("\x0a", "r");
    if(!fp) return 0;
    if( fread(buf, 4, 1, fp)!=1 ) return 0;
    if( memcmp(buf, "\x00\x00\x00\x00", 4) ) return 0;
    fclose(fp);
    printf("Stage 4 clear!\n"); 

    // network
    int sd, cd;
    struct sockaddr_in saddr, caddr;
    sd = socket(AF_INET, SOCK_STREAM, 0);
    if(sd == -1){
        printf("socket error, tell admin\n");
        return 0;
    }
    saddr.sin_family = AF_INET;
    saddr.sin_addr.s_addr = INADDR_ANY;
    saddr.sin_port = htons( atoi(argv['C']) );
    if(bind(sd, (struct sockaddr*)&saddr, sizeof(saddr)) < 0){
        printf("bind error, use another port\n");
            return 1;
    }
    listen(sd, 1);
    int c = sizeof(struct sockaddr_in);
    cd = accept(sd, (struct sockaddr *)&caddr, (socklen_t*)&c);
    if(cd < 0){
        printf("accept error, tell admin\n");
        return 0;
    }
    if( recv(cd, buf, 4, 0) != 4 ) return 0;
    if(memcmp(buf, "\xde\xad\xbe\xef", 4)) return 0;
    printf("Stage 5 clear!\n");

    // here's your flag
    system("/bin/cat flag");    
    return 0;
}

一步一步的深入

知識儲備：

1. argc、argv给涕、envp
   argc: 參數(shù)的個數(shù)怖糊，如 ping www.baidu.com 的 argc = 2纱扭；
   argv: 具體的參數(shù)衡怀，如 ping 和 www.baidu.com;
   envp: 環(huán)境變量數(shù)組
2. execve
   函數(shù)定義：int execve(const char *filename, char *const argv[ ], char *const envp[ ]);
   返回值：函數(shù)執(zhí)行成功時返回0棍矛，執(zhí)行失敗時的返回值為-1.
   函數(shù)說明：execve()用來執(zhí)行參數(shù)filename字符串所代表的文件路徑，第二個參數(shù)是利用數(shù)組指針來傳遞給執(zhí)行文件狈癞，并且需要以空指針(NULL)結(jié)束茄靠，最后一個參數(shù)則為傳遞給執(zhí)行文件的新環(huán)境變量數(shù)組茂契。

stage 1

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main()
{
    /* Stage 1: argv */
    char *argv[101] = {"./input", [1 ... 99] = "A", NULL};

    argv['A'] = "\x00";
    argv['B'] = "\x20\x0a\x0d";

    execve("./input", argv, NULL);

    return 0;
}

編譯執(zhí)行一下：

$ gcc writeup.c -o writeup
$ ./writeup
Welcome to pwnable.kr
Let's see if you know how to give input to program
Just give me correct inputs then you will get the flag :)
Stage 1 clear!