这个系列开始涉及网络部分了,感觉这部分还是很简单的。

net 0

先来看源码:

#include "../common/common.c"

#define NAME "net0"
#define UID 999
#define GID 999
#define PORT 2999

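/* Challenge handler: announce a value in decimal text and require the
 * client to send it back as a raw 32-bit integer (host byte order, i.e.
 * little-endian on the x86 boxes these challenges run on).
 *
 * Talks to the client through stdin/stdout; main() is expected to have
 * pointed those at the accepted socket before calling this. */
void run()
{
  unsigned int i;
  unsigned int wanted;

  /* random() is seeded from time(NULL) in main(), so this value is
   * predictable. The challenge only tests that the client can return it
   * in the requested binary encoding; it is not meant to be a secret. */
  wanted = random();

  /* random() returns 0..RAND_MAX, so the digits printed are the same as
   * before; %u is used because wanted is unsigned. */
  printf("Please send '%u' as a little endian 32bit int\n", wanted);

  /* fread() returns the number of complete items read (a size_t), not a
   * pointer. The original `== NULL` comparison only caught EOF because
   * NULL happens to be 0; compare against the item count requested. */
  if(fread(&i, sizeof(i), 1, stdin) != 1) {
      errx(1, ":(\n");
  }

  if(i == wanted) {
      printf("Thank you sir/madam\n");
  } else {
      /* i comes straight from the client, so it may exceed INT_MAX;
       * print it as unsigned so the echo is never a negative number. */
      printf("I'm sorry, you sent %u instead\n", i);
  }
}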

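/* Entry point: daemonise, accept one client on PORT, wire the client socket
 * to stdin/stdout/stderr, seed the PRNG and hand over to run().
 *
 * background_process(), serve_forever() and set_io() come from
 * ../common/common.c and are not shown here. */
int main(int argc, char **argv, char **envp)
{
  int fd;

  /* The challenge takes no arguments; say so explicitly. */
  (void)argc;
  (void)argv;
  (void)envp;

  /* Run the process as a daemon (presumably also switching to UID/GID 999
   * given the arguments - check common.c). */
  background_process(NAME, UID, GID);

  /* Wait for socket activity and return the accepted client socket. */
  fd = serve_forever(PORT);

  /* Set the client socket to STDIN, STDOUT, and STDERR so run() can use
   * plain stdio and fd-0/1 calls to talk to the client. */
  set_io(fd);

  /* Don't do this :> - seeding with the current second makes every value
   * random() later returns guessable by anyone who knows roughly when the
   * connection was accepted. Fine for a challenge, never for a secret. */
  srandom(time(NULL));

  run();
  return 0;
}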

主函数中的大部分内容其实不需要关注(background_process / serve_forever / set_io 只是把进程变成守护进程,并把客户端 socket 复制到标准输入输出上),主要来看 run() 函数:它用 random() 生成一个值,以十进制文本的形式打印给客户端,然后用 fread(&i, sizeof(i), 1, stdin) 读回 4 个原始字节再和它比较。所以我们不能把数字当作字符串发回去,而要把它打包成 4 字节小端整数(pwntools 的 p32 默认就是小端)。顺带一提,fread 返回的是读到的元素个数而不是指针,源码里拿它和 NULL 比较只是碰巧因为 NULL == 0 才能检测到 EOF。来,我们祭出 pwntools。

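from pwn import *
import re

# Challenge net0: the server prints its random value as decimal text and
# expects it back as a raw little-endian 32-bit integer (see run() in net0.c).
target = remote('192.168.37.159', 2999)
try:
    # Read the whole prompt line; a bare recv() may return only part of it
    # on a slow link and the parsing below would then miss the number.
    prompt = target.recvline()
    print(prompt)

    # The value is wrapped in single quotes in the prompt; pull out the digits
    # instead of slicing on find(), which silently yields garbage if a quote
    # is missing.
    match = re.search(br"'(\d+)'", prompt)
    if match is None:
        raise ValueError("unexpected prompt: %r" % (prompt,))
    wanted = int(match.group(1))
    print(wanted)

    # p32() packs little-endian by default, matching the server's fread() of
    # an unsigned int on x86.
    target.send(p32(wanted))

    print(target.recvline())
finally:
    target.close()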

结果如下:

➜  net  python net0.py
[+] Opening connection to 192.168.37.159 on port 2999: Done
Please send '577360076' as a little endian 32bit int

577360076
Thank you sir/madam

[*] Closed connection to 192.168.37.159 port 2999

net 1

这里只贴出关键代码吧。

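/* Challenge handler (net1): send the random value as 4 raw bytes and require
 * the client to answer with the same value as a decimal text line.
 *
 * Relies on fd 0 / stdin / stdout being the client socket; in these
 * challenges main() dups the accepted socket over them (see common.c). */
void run()
{
  char buf[12];
  char fub[12];
  char *q;

  unsigned int wanted;

  /* Seeded from time(NULL) in main(): predictable, but the challenge only
   * asks the client to echo the value back in a different encoding. */
  wanted = random();

  /* Decimal text form of the value. random() <= RAND_MAX (2^31-1) is at
   * most 10 digits, so it fits in 12 bytes; snprintf() makes that bound
   * explicit and %u matches the unsigned type (same digits as before). */
  snprintf(fub, sizeof(fub), "%u", wanted);

  /* Raw 4-byte host-order value (little-endian on x86) to the client. */
  if(write(0, &wanted, sizeof(wanted)) != sizeof(wanted)) {
      errx(1, ":(\n");
  }

  /* fgets() already reserves room for the terminating NUL, so pass the
   * full buffer size: up to 11 characters are read, enough for a 10-digit
   * value plus its newline. The original sizeof(buf)-1 left a byte unused
   * and could leave the newline of a 10-digit answer in the stream. */
  if(fgets(buf, sizeof(buf), stdin) == NULL) {
      errx(1, ":(\n");
  }

  /* Strip CR/LF so "1234\r\n" and "1234\n" both compare equal to "1234". */
  q = strchr(buf, '\r'); if(q) *q = 0;
  q = strchr(buf, '\n'); if(q) *q = 0;

  if(strcmp(fub, buf) == 0) {
      printf("you correctly sent the data\n");
  } else {
      printf("you didn't send the data properly\n");
  }
}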

这个题还是要让我们发回一个和随机生成的数值相同的东西,不过方向和 net0 正好相反:服务端用 write(0, &wanted, 4) 把原始的 4 个小端字节发给我们,然后用 fgets 读一行,去掉 \r\n 之后和 sprintf("%d") 得到的十进制字符串做 strcmp。所以这次把收到的 4 个字节用 u32 解包成整数,再以十进制字符串加换行发回去就可以了(注意 fgets(buf, sizeof(buf)-1, ...) 最多只读 10 个字符,而 random() 最大为 2147483647,正好 10 位,刚好够用),代码如下:

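from pwn import *

# Challenge net1: the server writes its random value as 4 raw little-endian
# bytes and expects the same number back as decimal ASCII text ending in a
# newline (see run() in net1.c).
target = remote('192.168.37.159', 2998)
try:
    # recvn(4) blocks until exactly 4 bytes have arrived; a bare recv() may
    # return fewer on a slow link and u32() would then raise.
    raw = target.recvn(4)
    print(repr(raw))

    # Little-endian unpack, matching the server's write(0, &wanted, 4) on x86.
    wanted = u32(raw)

    # The server strips '\r' and '\n' before strcmp(), so a plain newline
    # terminator (added by sendline) is fine.
    target.sendline(str(wanted).encode())

    print(target.recvline())
finally:
    target.close()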

跑一下:

➜  net  python net1.py
[+] Opening connection to 192.168.37.159 on port 2998: Done
\xa3\x93\xbfq
you correctly sent the data
[*] Closed connection to 192.168.37.159 port 2998

net 2

这次是把四个数加起来了:服务端依次发来 4 个 32 位小端整数,把它们累加到一个 unsigned int 里(溢出时按 2^32 取模回绕),然后 read 4 个字节和累加结果比较。所以我们发回去的必须是 sum mod 2^32 的 4 字节小端表示;Python 的整数不会溢出,要自己做 & 0xffffffff。贴上关键代码:

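/* Read exactly len bytes from fd, retrying on short reads: a TCP socket may
 * deliver the client's 4-byte answer in more than one segment.
 * Returns 0 on success, -1 on EOF or error. */
static int read_exact(int fd, void *dst, size_t len)
{
  char *p = dst;
  size_t done = 0;

  while(done < len) {
      ssize_t n = read(fd, p + done, len - done);
      if(n <= 0) {
          return -1;
      }
      done += (size_t)n;
  }
  return 0;
}

/* Challenge handler (net2): send four random 32-bit values and require the
 * client to answer with their sum as one raw 32-bit value.
 *
 * Relies on fd 0 being the client socket; in these challenges main() dups
 * the accepted socket over stdin/stdout/stderr (see common.c). */
void run()
{
  unsigned int quad[4];
  int i;
  unsigned int result, wanted;

  result = 0;
  for(i = 0; i < 4; i++) {
      quad[i] = random();
      /* Unsigned addition wraps modulo 2^32 by definition, so the client
       * must send the wrapped sum, not the mathematical one. */
      result += quad[i];

      /* Each value goes out as 4 raw host-order (x86: little-endian) bytes.
       * Size the write by the element actually sent, not by `result`. */
      if(write(0, &(quad[i]), sizeof(quad[i])) != sizeof(quad[i])) {
          errx(1, ":(\n");
      }
  }

  /* The original did a single read() and failed on a short read; gather
   * the full 4 bytes. Anything the client sends beyond them is ignored. */
  if(read_exact(0, &wanted, sizeof(wanted)) != 0) {
      errx(1, ":<\n");
  }

  if(result == wanted) {
      printf("you added them correctly\n");
  } else {
      printf("sorry, try again. invalid\n");
  }
}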

直接写payload吧:

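from pwn import *

# Challenge net2: the server sends four 32-bit little-endian values, adds them
# into an unsigned int (wrapping mod 2**32) and expects the wrapped sum back as
# a single 32-bit little-endian value (see run() in net2.c).
target = remote('192.168.37.159', 2997)
try:
    total = 0
    for _ in range(4):
        # recvn() waits for all 4 bytes; recv(4) may return fewer.
        total += u32(target.recvn(4))

    # Python ints never overflow, so reproduce the server's unsigned-int wrap
    # explicitly. The original sent p64(sum) to dodge p32() rejecting values
    # >= 2**32; that only worked because the server reads just 4 bytes and
    # ignores the rest.
    total &= 0xffffffff
    print("sum=%d" % total)

    target.send(p32(total))

    print(target.recvline())
finally:
    target.close()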

跑起来看结果:

➜  net  python net2.py
[+] Opening connection to 192.168.37.159 on port 2997: Done
sum= 3394642374
you added them correctly
[*] Closed connection to 192.168.37.159 port 2997