代码如下
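#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/*
 * Target program of the "input" exercise: it checks five kinds of process
 * input in turn (argv, file descriptors, environment, a file, a TCP
 * connection) and prints the flag only when every check passes.
 *
 * The listing is reproduced with its original logic. The only changes are
 * the restored line breaks and spacing (the page had fused everything onto
 * one line, so the "//" comments swallowed the code after them) and the
 * added <unistd.h>, which declares read().
 *
 * Returns 0 on every path except a failed bind(), which returns 1.
 */
int main(int argc, char *argv[], char *envp[])
{
    printf("Welcome to pwnable.kr\n");
    printf("Let's see if you know how to give input to program\n");
    printf("Just give me correct inputs then you will get the flag :)\n");

    // argv
    /* Exactly 100 argv entries are required, argv[0] included. */
    if (argc != 100) return 0;
    /* 'A' is used as an index (65 in ASCII). "\x00" is the empty C string,
     * so this entry has to be an empty argument. */
    if (strcmp(argv['A'], "\x00")) return 0;
    /* Index 'B' (66) must be exactly the bytes 0x20 0x0a 0x0d. */
    if (strcmp(argv['B'], "\x20\x0a\x0d")) return 0;
    printf("Stage 1 clear!\n");

    // stdio
    char buf[4];
    /* NOTE(review): neither read() result is checked, so a short or failed
     * read leaves stale bytes in buf for the comparison. */
    read(0, buf, 4);
    if (memcmp(buf, "\x00\x0a\x00\xff", 4)) return 0;
    /* fd 2 (stderr) is read from here, not written to. */
    read(2, buf, 4);
    if (memcmp(buf, "\x00\x0a\x02\xff", 4)) return 0;
    printf("Stage 2 clear!\n");

    // env
    /* NOTE(review): getenv() returns NULL when the variable is unset, and
     * passing NULL to strcmp() is undefined behaviour; a NULL check belongs
     * in front of this comparison. */
    if (strcmp("\xca\xfe\xba\xbe", getenv("\xde\xad\xbe\xef"))) return 0;
    printf("Stage 3 clear!\n");

    // file
    /* The file name is a single newline byte, opened relative to the
     * current working directory. */
    FILE *fp = fopen("\x0a", "r");
    if (!fp) return 0;
    /* fp is not closed on the two early returns below; the process exits
     * right after, so the stream is released by the OS. */
    if (fread(buf, 4, 1, fp) != 1) return 0;
    if (memcmp(buf, "\x00\x00\x00\x00", 4)) return 0;
    fclose(fp);
    printf("Stage 4 clear!\n");

    // network
    int sd, cd;
    /* NOTE(review): saddr is not zeroed before use, so any field not
     * assigned below keeps an indeterminate value. */
    struct sockaddr_in saddr, caddr;
    sd = socket(AF_INET, SOCK_STREAM, 0);
    if (sd == -1) {
        printf("socket error, tell admin\n");
        return 0;
    }
    saddr.sin_family = AF_INET;
    /* INADDR_ANY: the listener is bound on every local interface. */
    saddr.sin_addr.s_addr = INADDR_ANY;
    /* The port comes from argv['C'] (index 67). atoi() reports no errors,
     * so non-numeric text silently becomes port 0. */
    saddr.sin_port = htons(atoi(argv['C']));
    if (bind(sd, (struct sockaddr *)&saddr, sizeof(saddr)) < 0) {
        printf("bind error, use another port\n");
        return 1;
    }
    listen(sd, 1);
    /* NOTE(review): c is an int cast to socklen_t *; declaring it as
     * socklen_t would remove the cast. */
    int c = sizeof(struct sockaddr_in);
    cd = accept(sd, (struct sockaddr *)&caddr, (socklen_t *)&c);
    if (cd < 0) {
        printf("accept error, tell admin\n");
        return 0;
    }
    if (recv(cd, buf, 4, 0) != 4) return 0;
    if (memcmp(buf, "\xde\xad\xbe\xef", 4)) return 0;
    printf("Stage 5 clear!\n");

    // here's your flag
    /* "flag" is a relative path, so /bin/cat resolves it against whatever
     * working directory the caller started this process in. Code that is
     * not a training exercise should open an absolute path directly
     * instead of going through system(). */
    system("/bin/cat flag");
    return 0;
}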
好吧,这道题考的是linux编程,神烦……
没有太多要说的。socket 那块,一开始 parent 没有 sleep,结果总是 Connection refused(此时子进程还没有执行到 listen)。后来让 parent 先等一会儿再去连接,就好了。
另外,我的程序放在 /tmp 下面,因为这里可以写。但最后读 flag 内容时,目标程序执行的是 /bin/cat flag(相对路径),而 flag 并不在当前目录 /tmp 下。所以需要先把 flag 文件链接到当前目录。
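#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <arpa/inet.h>

/* Upper bound on connection attempts, one second apart. */
enum { CONNECT_ATTEMPTS = 10 };

/*
 * Driver for the "input" exercise: builds the argv, environment, pipes,
 * file and TCP message that the target program checks, then runs the
 * target as a child process.
 *
 * Changes against the listing as posted: line breaks and spacing restored
 * (the page had fused everything onto one line), <sys/wait.h> added for
 * waitpid(), return values checked, unused pipe ends closed, a failed
 * execve() no longer lets the child run on into the parent's code, and the
 * fixed sleep before connect() replaced by a bounded retry.
 *
 * Run it from a writable directory in which "flag" resolves to the flag
 * file, because the target opens both "\x0a" and "flag" relative to the
 * current working directory.
 *
 * Returns 0 when all inputs were delivered, 1 otherwise.
 */
int main(void)
{
    int rc = 0;

    /* Slots 0..99 give argc == 100; slot 100 stays NULL and terminates
     * the vector. ([a ... b] is a GNU range designator.) */
    char *argv[101] = {[0 ... 99] = "A"};
    argv['A'] = "\x00";         /* index 65: an empty string */
    argv['B'] = "\x20\x0a\x0d"; /* index 66 */
    argv['C'] = "55555";        /* index 67: port the target listens on */

    /* One NAME=VALUE entry followed by the implicit NULL terminator. */
    char *envp[2] = {"\xde\xad\xbe\xef=\xca\xfe\xba\xbe"};

    int pipe1[2], pipe2[2];
    if (pipe(pipe1) == -1 || pipe(pipe2) == -1) {
        printf("error pipe\n");
        exit(1);
    }

    /* The file the target reads: its name is a single newline byte. */
    FILE *fp = fopen("\x0a", "w");
    if (fp == NULL) {
        perror("fopen");
        exit(1);
    }
    size_t written = fwrite("\x00\x00\x00\x00", 4, 1, fp);
    if (fclose(fp) != 0 || written != 1) {
        perror("write \\n file");
        unlink("\x0a");
        exit(1);
    }

    pid_t pid = fork();
    if (pid == -1) {
        perror("fork");
        unlink("\x0a");
        exit(1);
    }

    if (pid == 0) {
        /* Child: the pipe read ends become fd 0 and fd 2 of the target. */
        dup2(pipe1[0], 0);
        close(pipe1[0]);
        close(pipe1[1]);
        dup2(pipe2[0], 2);
        close(pipe2[0]);
        close(pipe2[1]);
        execve("/home/input/input", argv, envp);
        /* Only reached when execve() failed. fd 2 is a pipe read end by
         * now, so report on stdout and leave without running the parent's
         * code path. */
        printf("execve failed\n");
        fflush(stdout);
        _exit(127);
    }

    /* Parent: only the write ends are needed here. */
    close(pipe1[0]);
    close(pipe2[0]);
    if (write(pipe1[1], "\x00\x0a\x00\xff", 4) != 4 ||
        write(pipe2[1], "\x00\x0a\x02\xff", 4) != 4) {
        perror("write");
        rc = 1;
    }
    close(pipe1[1]);
    close(pipe2[1]);

    struct sockaddr_in servaddr;
    memset(&servaddr, 0, sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    servaddr.sin_port = htons(atoi(argv['C']));
    servaddr.sin_addr.s_addr = inet_addr("127.0.0.1");

    /* The target only starts listening after its first four checks, so an
     * early connect() is refused. Retry for a bounded time instead of
     * relying on one fixed delay, and stop early if the child has exited. */
    int status = 0;
    int child_reaped = 0;
    int sock = -1;
    for (int attempt = 0; attempt < CONNECT_ATTEMPTS; attempt++) {
        if (waitpid(pid, &status, WNOHANG) == pid) {
            child_reaped = 1;
            break;
        }
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if (sock == -1) {
            perror("socket");
            break;
        }
        if (connect(sock, (struct sockaddr *)&servaddr,
                    sizeof(servaddr)) == 0)
            break;
        /* A socket whose connect() failed is not reused; start afresh. */
        close(sock);
        sock = -1;
        sleep(1);
    }

    if (sock != -1) {
        if (send(sock, "\xde\xad\xbe\xef", 4, 0) != 4) {
            perror("send");
            rc = 1;
        }
        close(sock);
    } else {
        fprintf(stderr, "no connection to port %s\n", argv['C']);
        rc = 1;
        /* The child may be blocked in accept(); end it so the wait below
         * cannot hang. */
        if (!child_reaped)
            kill(pid, SIGTERM);
    }

    if (!child_reaped)
        waitpid(pid, &status, 0);

    /* Remove the helper file created above. */
    unlink("\x0a");
    return rc;
}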