html,body,div,span,applet,object,iframe,h1,h2,h3,h4,h5,h6,p,blockquote,pre,a,abbr,acronym,address,big,cite,code,del,dfn,em,img,ins,kbd,q,s,samp,small,strike,strong,sub,sup,tt,var,b,u,i,center,dl,dt,dd,ol,ul,li,fieldset,form,label,legend,table,caption,tbody,tfoot,thead,tr,th,td,article,aside,canvas,details,embed,figure,figcaption,footer,header,hgroup,menu,nav,output,ruby,section,summary,time,mark,audio,video { margin: 0; padding: 0; border: 0 }
body { font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 14px; line-height: 1.6; color: #333; background-color: #fff; padding: 20px; max-width: 960px; margin: 0 auto }
body>*:first-child { margin-top: 0 !important }
body>*:last-child { margin-bottom: 0 !important }
p,blockquote,ul,ol,dl,table,pre { margin: 15px 0 }
h1,h2,h3,h4,h5,h6 { margin: 20px 0 10px; padding: 0; font-weight: bold }
h1 tt,h1 code,h2 tt,h2 code,h3 tt,h3 code,h4 tt,h4 code,h5 tt,h5 code,h6 tt,h6 code { font-size: inherit }
h1 { font-size: 28px; color: #000 }
h2 { font-size: 24px; border-bottom: 1px solid #ccc; color: #000 }
h3 { font-size: 18px }
h4 { font-size: 16px }
h5 { font-size: 14px }
h6 { color: #777; font-size: 14px }
body>h2:first-child,body>h1:first-child,body>h1:first-child+h2,body>h3:first-child,body>h4:first-child,body>h5:first-child,body>h6:first-child { margin-top: 0; padding-top: 0 }
a:first-child h1,a:first-child h2,a:first-child h3,a:first-child h4,a:first-child h5,a:first-child h6 { margin-top: 0; padding-top: 0 }
h1+p,h2+p,h3+p,h4+p,h5+p,h6+p { margin-top: 10px }
a { color: #4183C4; text-decoration: none }
a:hover { text-decoration: underline }
ul,ol { padding-left: 30px }
ul li>:first-child,ol li>:first-child,ul li ul:first-of-type,ol li ol:first-of-type,ul li ol:first-of-type,ol li ul:first-of-type { margin-top: 0px }
ul ul,ul ol,ol ol,ol ul { margin-bottom: 0 }
dl { padding: 0 }
dl dt { font-size: 14px; font-weight: bold; font-style: italic; padding: 0; margin: 15px 0 5px }
dl dt:first-child { padding: 0 }
dl dt>:first-child { margin-top: 0px }
dl dt>:last-child { margin-bottom: 0px }
dl dd { margin: 0 0 15px; padding: 0 15px }
dl dd>:first-child { margin-top: 0px }
dl dd>:last-child { margin-bottom: 0px }
pre,code,tt { font-size: 12px; font-family: Consolas, "Liberation Mono", Courier, monospace }
code,tt { margin: 0 0px; padding: 0px 0px; white-space: nowrap; border: 1px solid #eaeaea; background-color: #f8f8f8 }
pre>code { margin: 0; padding: 0; white-space: pre; border: none; background: transparent }
pre { background-color: #f8f8f8; border: 1px solid #ccc; font-size: 13px; line-height: 19px; overflow: auto; padding: 6px 10px }
pre code,pre tt { background-color: transparent; border: none }
kbd { background-color: #DDDDDD; background-image: linear-gradient(#F1F1F1, #DDDDDD); background-repeat: repeat-x; border-color: #DDDDDD #CCCCCC #CCCCCC #DDDDDD; border-style: solid; border-width: 1px; font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; line-height: 10px; padding: 1px 4px }
blockquote { border-left: 4px solid #DDD; padding: 0 15px; color: #777 }
blockquote>:first-child { margin-top: 0px }
blockquote>:last-child { margin-bottom: 0px }
hr { clear: both; margin: 15px 0; height: 0px; overflow: hidden; border: none; background: transparent; border-bottom: 4px solid #ddd; padding: 0 }
table th { font-weight: bold }
table th,table td { border: 1px solid #ccc; padding: 6px 13px }
table tr { border-top: 1px solid #ccc; background-color: #fff }
table tr:nth-child(2n) { background-color: #f8f8f8 }
img { max-width: 100% }
.highlight { background: #ffffff }
.highlight .c { color: #999988; font-style: italic }
.highlight .err { color: #a61717; background-color: #e3d2d2 }
.highlight .k { font-weight: bold }
.highlight .o { font-weight: bold }
.highlight .cm { color: #999988; font-style: italic }
.highlight .cp { color: #999999; font-weight: bold }
.highlight .c1 { color: #999988; font-style: italic }
.highlight .cs { color: #999999; font-weight: bold; font-style: italic }
.highlight .gd { color: #000000; background-color: #ffdddd }
.highlight .gd .x { color: #000000; background-color: #ffaaaa }
.highlight .ge { font-style: italic }
.highlight .gr { color: #aa0000 }
.highlight .gh { color: #999999 }
.highlight .gi { color: #000000; background-color: #ddffdd }
.highlight .gi .x { color: #000000; background-color: #aaffaa }
.highlight .go { color: #888888 }
.highlight .gp { color: #555555 }
.highlight .gs { font-weight: bold }
.highlight .gu { color: #aaaaaa }
.highlight .gt { color: #aa0000 }
.highlight .kc { font-weight: bold }
.highlight .kd { font-weight: bold }
.highlight .kp { font-weight: bold }
.highlight .kr { font-weight: bold }
.highlight .kt { color: #445588; font-weight: bold }
.highlight .m { color: #009999 }
.highlight .s { color: #d14 }
.highlight .na { color: #008080 }
.highlight .nb { color: #0086B3 }
.highlight .nc { color: #445588; font-weight: bold }
.highlight .no { color: #008080 }
.highlight .ni { color: #800080 }
.highlight .ne { color: #990000; font-weight: bold }
.highlight .nf { color: #990000; font-weight: bold }
.highlight .nn { color: #555555 }
.highlight .nt { color: #000080 }
.highlight .nv { color: #008080 }
.highlight .ow { font-weight: bold }
.highlight .w { color: #bbbbbb }
.highlight .mf { color: #009999 }
.highlight .mh { color: #009999 }
.highlight .mi { color: #009999 }
.highlight .mo { color: #009999 }
.highlight .sb { color: #d14 }
.highlight .sc { color: #d14 }
.highlight .sd { color: #d14 }
.highlight .s2 { color: #d14 }
.highlight .se { color: #d14 }
.highlight .sh { color: #d14 }
.highlight .si { color: #d14 }
.highlight .sx { color: #d14 }
.highlight .sr { color: #009926 }
.highlight .s1 { color: #d14 }
.highlight .ss { color: #990073 }
.highlight .bp { color: #999999 }
.highlight .vc { color: #008080 }
.highlight .vg { color: #008080 }
.highlight .vi { color: #008080 }
.highlight .il { color: #009999 }
.pl-c { color: #969896 }
.pl-c1,.pl-mdh,.pl-mm,.pl-mp,.pl-mr,.pl-s1 .pl-v,.pl-s3,.pl-sc,.pl-sv { color: #0086b3 }
.pl-e,.pl-en { color: #795da3 }
.pl-s1 .pl-s2,.pl-smi,.pl-smp,.pl-stj,.pl-vo,.pl-vpf { color: #333 }
.pl-ent { color: #63a35c }
.pl-k,.pl-s,.pl-st { color: #a71d5d }
.pl-pds,.pl-s1,.pl-s1 .pl-pse .pl-s2,.pl-sr,.pl-sr .pl-cce,.pl-sr .pl-sra,.pl-sr .pl-sre,.pl-src,.pl-v { color: #df5000 }
.pl-id { color: #b52a1d }
.pl-ii { background-color: #b52a1d; color: #f8f8f8 }
.pl-sr .pl-cce { color: #63a35c; font-weight: bold }
.pl-ml { color: #693a17 }
.pl-mh,.pl-mh .pl-en,.pl-ms { color: #1d3e81; font-weight: bold }
.pl-mq { color: #008080 }
.pl-mi { color: #333; font-style: italic }
.pl-mb { color: #333; font-weight: bold }
.pl-md,.pl-mdhf { background-color: #ffecec; color: #bd2c00 }
.pl-mdht,.pl-mi1 { background-color: #eaffea; color: #55a532 }
.pl-mdr { color: #795da3; font-weight: bold }
.pl-mo { color: #1d3e81 }
.task-list { padding-left: 10px; margin-bottom: 0 }
.task-list li { margin-left: 20px }
.task-list-item { list-style-type: none; padding-left: 10px }
.task-list-item label { font-weight: 400 }
.task-list-item.enabled label { cursor: pointer }
.task-list-item+.task-list-item { margin-top: 3px }
.task-list-item-checkbox { display: inline-block; margin-left: -20px; margin-right: 3px; vertical-align: 1px }

pwnable.kr-fd-Writeup

根据题目描述Mommy! what is a file descriptor in Linux? 知该题与Linux系统下的文件描述有关；
ssh远程登录如下：
根据题目提示，ls -l查看文件及权限如下,由下图，用户fd只具有读文件fd.c的权限（尝试sudo chmod增加权限，但失败）：
cat fd.c读取fd.c中的内容，可得到如下代码：

 1 [email protected]:~$ cat fd.c
 2 #include <stdio.h>
 3 #include <stdlib.h>
 4 #include <string.h>
 5 char buf[32];
 6 int main(int argc, char* argv[], char* envp[]){
 7         if(argc<2){
 8                 printf("pass argv[1] a number\n");
 9                 return 0;
10         }
11         int fd = atoi( argv[1] ) - 0x1234;
12         int len = 0;
13         len = read(fd, buf, 32);
14         if(!strcmp("LETMEWIN\n", buf)){
15                 printf("good job :)\n");
16                 system("/bin/cat flag");
17                 exit(0);
18         }
19         printf("learn about Linux file IO\n");
20         return 0;
21
22 }
23
24 [email protected]:~$

分析上述代码，执行system("/bin/cat flag");语句，即可获得flag;
执行system("/bin/cat flag");需要使buf == "LETMEWIN";
继续分析，需要buf通过read函数读入"LETMEWIN\n"，有read函数的定义，需要使fd==0；
则有atoi( argv[1] ) == 0x1234(即十进制下的4660），由atoi函数的定义，需要argv[1] == "4660";
进而由LinuxC下argv[]的相应定义可以构造输入

echo "LETMEWIN" | ./fd 4660

如下，flag为：mommy! I think I know what a file descriptor is!!

2017-2-4 22:24;39

时间： 2024-10-10 07:39:32

pwnable.kr-fd-Writeup

pwnable.kr-fd-Writeup

pwnable.kr-fd-Writeup的相关文章

【LINUX】pwnable.kr cmd1 writeup

【PWN】pwnable.kr echo1 writeup

【PWN】Pwnable.kr echo2 writeup

【LINUX】pwnable.kr cmd2 writeup

pwnable.kr 第一题 FD

【pwnable.kr】leg

pwnable.kr的passcode

【pwnable.kr】 unlink

【pwnable.kr】 mistake

【pwnable.kr】bof