0x00 背景

之前打杭电新生赛hgame的时候碰到一个题目, 题目会检测用户输入的shellcode, 限制shellcoode只能是大写字母和数字, 经社团大佬提醒得知对付这种问题用一个专门的工具: alpha3. 这篇文章就以这题为例来记录一下alpha3的使用方法.

0x00 程序分析

用ida打开二进制文件再反汇编得到main函数的伪代码如下

int __cdecl main()

{

char buf; // [esp+Fh] [ebp-19h]

int i; // [esp+10h] [ebp-18h]

unsigned int sc; // [esp+14h] [ebp-14h]

ssize_t v4; // [esp+18h] [ebp-10h]

unsigned int canary; // [esp+1Ch] [ebp-Ch]

canary = __readgsdword(0x14u);

setvbuf(stdout, 0, 2, 0);

sc = (unsigned int)malloc(0x1000u);

puts("========== ez shellcode ver2 ==========");

printf("> ");

for ( i = 0; i <= 4095; ++i )

{

v4 = read(0, &buf, 1u);

if ( v4 == -1 )

exit(0);

if ( (buf > 90 || buf <= 64) && (buf <= 47 || buf > 57) )

break;

*(_BYTE *)(sc + i) = buf;

}

if ( mprotect((void *)(sc & 0xFFFFF000), 0x1000u, 7) == -1 )

{

puts("error ,tell admin");

}

else

{

puts("exec shellcode...");

((void (*)(void))sc)();

}

return 0;

}

程序很简单, 只要找到仅有大写字母数字组成的shellcode(也叫做 alphanumeric shellcode)组成就可以成功pwn. 我们使用alpha3将普通的shellcode转化成alphanumeric shellcode, 不过alpha3 实在难用, 而且网上教程非常少, 这也是我写这个文章的主要原因.

破解过程

我们首先在github上面搜索 alpha3 找到代码的仓库, 然后下载到本地再build之后就可以使用了,过程十分麻烦...... 这儿就直接提供build之后的给大家下载(密码mmdj). 然后我们先找一个普通的可以getshell的shellcode, 然后我们需要将对应的机器码写入到一个文件中(例如sc.bin), 然后我们在cmd中cd到apha3的文件夹中执行alpha3来得到alphanumeric shellcode, 在之前我们先执行python ./ALPHA3.py看一下帮助:

[Usage]

ALPHA3.py [ encoder settings | I/O settings | flags ]

[Encoder setting]

architecture Which processor architecture to target (x86,

x64).

character encoding Which character encoding to use (ascii, cp437,

latin-1, utf-16).

casing Which character casing to use (uppercase,

mixedcase, lowercase).

base address How to determine the base address in the decoder

code (each encoder has its own set of valid

values).

[I/O Setting]

--input="file" Path to a file that contains the shellcode to be

encoded (Optional, default is to read input from

stdin).

--output="file" Path to a file that will receive the encoded

shellcode (Optional, default is to write output

to stdout).

[Flags]

--verbose Display verbose information while executing. Use

this flag twice to output progress during

encoding.

--help Display this message and quit.

--test Run all available tests for all encoders.

(Useful while developing/testing new encoders).

--int3 Trigger a breakpoint before executing the result

of a test. (Use in combination with --test).

[Notes]

You can provide encoder settings in combination with the --help and --test

switches to filter which encoders you get help information for and which

get tested, respectively.

Valid base address examples for each encoder, ordered by encoder settings,

are:

[x64 ascii mixedcase]

AscMix (r64) RAX RCX RDX RBX RSP RBP RSI RDI

[x86 ascii lowercase]

AscLow 0x30 (rm32) ECX EDX EBX

[x86 ascii mixedcase]

AscMix 0x30 (rm32) EAX ECX EDX EBX ESP EBP ESI EDI [EAX] [ECX]

[EDX] [EBX] [ESP] [EBP] [ESI] [EDI] [ESP-4]

ECX+2 ESI+4 ESI+8

AscMix 0x30 (i32) (address)

AscMix Countslide (rm32) countslide:EAX+offset~uncertainty

countslide:EBX+offset~uncertainty

countslide:ECX+offset~uncertainty

countslide:EDX+offset~uncertainty

countslide:ESI+offset~uncertainty

countslide:EDI+offset~uncertainty

AscMix Countslide (i32) countslide:address~uncertainty

AscMix SEH GetPC (XPsp3) seh_getpc_xpsp3

[x86 ascii uppercase]

AscUpp 0x30 (rm32) EAX ECX EDX EBX ESP EBP ESI EDI [EAX] [ECX]

[EDX] [EBX] [ESP] [EBP] [ESI] [EDI]

[x86 latin-1 mixedcase]

Latin1Mix CALL GetPC call

[x86 utf-16 uppercase]

UniUpper 0x10 (rm32) EAX ECX EDX EBX ESP EBP ESI EDI [EAX] [ECX]

[EDX] [EBX] [ESP] [EBP] [ESI] [EDI]

我们这题是32位的, 所以architecture是X86; 因为main函数中是按字节检测的, 所以character encoding 选择 ascii; 而且题目中要求的是大写字母, 所以casing 自然就是upper. 但是最后的base address 是什么呢? 这个alpha会利用shellcode基址来重定位shellcode，相当于在shellcode运行过程中重新组装shellcode. 而查看ida中返回编的代码可知调用shellcode的汇编指令是call eax 所以base 就是EAX 在结合我们之前得到的普通shellcode就可以用python ./PYTHON.py x86 ascii uppercase eax --input="sc.bin" > out.bin就可以在out.bin中得到一个 alphanumeric shellcode, 然后再用pwntools输入这个alphanumeric shellcode 即可成功getshell !

总结

打这次hgame才知道pwn原来有这么多骚操作, 真的是太有意思了. 还是要多多学习呀.